wscript.exe and rundll


  • This topic is locked
26 replies to this topic

#1 midou1994

  • Members
  • 251 posts
  • Gender:Male
Posted 27 February 2013 - 12:27 PM

Hi,
 
I was using Microsoft Security Essentials previously, but I guess something just snuck in via pen drive. I started having random .js files in my startup after I copied some movies and pictures from my friends' pen drives.
 
(I scanned the pen drive with Malwarebytes and Microsoft Security Essentials and both came up clean, so that was the only reason I went ahead and opened it).
 
The problem is wscript is a genuine file, but something seems to trigger it during startup. I have never seen wscript run without any need on my system, and to my knowledge rundll32.exe can be used by malicious items too.
 
 
 
What have I done so far? (I know playing with the system can make things hard for you, but well, sorry.)
Ran Hitman Pro, which closed on its own, so I changed its name to spy and its extension to .com, but no luck.
Ran HijackThis, and several files like lsass are being reported missing,
i.e. like this: @keyiso.dll and the file is missing.

 
 
I have disabled whatever startup items I think are unknown, and I am able to open taskmgr, so I can terminate wscript.exe.
I uninstalled MSE and installed Norton Internet Security.
UAC was always enabled.
I have not fixed or removed any registry entry or file from the system using HijackThis or any other software, but I do have log files of each.


@ Helper, whoever you are, please give me more than 3 days before you close my topic. I stay in a college and access to the net is blocked for most of the time, so please do bear with me.

Edited by midou1994, 27 February 2013 - 12:37 PM.

Midou

#2 midou1994

  • Topic Starter
  • Members
  • 251 posts
  • Gender:Male
Posted 27 February 2013 - 12:38 PM

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16464
Run by A Avinesh Benjamin at 23:03:11 on 2013-02-27
Microsoft Windows 7 Professional   6.1.7601.1.1252.91.1033.18.3948.2081 [GMT 5.5:30]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe
C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe
C:\Windows\SysWOW64\nutsrv4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uProxyOverride = local
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ips\ipsbho.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - c:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\coieplg.dll
EB: Web Test Recorder 10.0: {5802D092-1784-4908-8CDB-99B6842D353D} - 
uRun: [Google Update] "C:\Users\A Avinesh Benjamin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [d0b8] C:\Users\A Avinesh Benjamin\AppData\Roaming\c6\d0b8.js
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
StartupFolder: C:\Users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87f.js
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\nutafun4.dll
TCP: NameServer = 192.168.43.1
TCP: Interfaces\{8FAE3489-E4A7-441A-9CBD-8C4FC0A8E17A} : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{8FAE3489-E4A7-441A-9CBD-8C4FC0A8E17A}\14E64627F69646140553532393 : NameServer = 208.67.220.222,208.67.222.220
TCP: Interfaces\{8FAE3489-E4A7-441A-9CBD-8C4FC0A8E17A}\14E64627F69646140553532393 : DHCPNameServer = 192.168.43.1
TCP: Interfaces\{8FAE3489-E4A7-441A-9CBD-8C4FC0A8E17A}\2637E6C6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{8FAE3489-E4A7-441A-9CBD-8C4FC0A8E17A}\B63636D277966696 : DHCPNameServer = 192.168.2.245
TCP: Interfaces\{FBED56FB-2E7D-4D71-8AA3-8ED117D692DE} : DHCPNameServer = 192.168.42.129
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SMR311;Symantec SMR Utility Service 3.1.1;C:\Windows\System32\drivers\SMR311.SYS [2013-2-27 95392]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1402010.016\symds64.sys [2013-2-27 493216]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1402010.016\symefa64.sys [2013-2-27 1133216]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130208.001\BHDrvx64.sys [2013-2-8 1388120]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\drivers\NISx64\1402010.016\ccsetx64.sys [2013-2-27 168096]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130226.001\IDSviA64.sys [2013-2-26 513184]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1402010.016\ironx64.sys [2013-2-27 224416]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1402010.016\symnets.sys [2013-2-27 432800]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-12-16 98208]
R2 IaStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-12-16 13336]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2012-12-16 1817088]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccsvchst.exe [2013-2-27 143928]
R2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [2013-1-14 230416]
R2 NuTCRACKERService;NuTCRACKER Service;C:\Windows\SysWOW64\nutsrv4.exe [2012-12-20 277272]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-12-16 2656280]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-12-16 317440]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2012-12-16 335464]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-12-16 436840]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192ce.sys [2012-12-16 1142376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-2-6 102936]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2013-2-27 36680]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-12-21 19456]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-2-6 203544]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-21 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-12-21 30208]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-3-17 68440]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-19 1255736]
S3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [2012-11-13 14544]
.
=============== Created Last 30 ================
.
2013-02-27 17:08:25    388096    ----a-r-    C:\Users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-27 17:08:25    --------    d-----w-    C:\Program Files (x86)\Trend Micro
2013-02-27 12:54:04    --------    d-----w-    C:\Tweaking.com_Windows_Repair_Logs
2013-02-27 12:45:26    43680    ----a-r-    C:\Windows\System32\drivers\SymIMV.sys
2013-02-27 12:37:32    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\{AFB0853A-ABDB-4D0B-8D48-E38A88EA82B1}
2013-02-27 12:37:29    --------    d-----w-    C:\Program Files (x86)\Common Files\Symantec Shared
2013-02-27 12:29:02    776864    ----a-w-    C:\Windows\System32\drivers\NISx64\1402010.016\srtsp64.sys
2013-02-27 12:29:02    493216    ----a-w-    C:\Windows\System32\drivers\NISx64\1402010.016\symds64.sys
2013-02-27 12:29:02    432800    ----a-w-    C:\Windows\System32\drivers\NISx64\1402010.016\symnets.sys
2013-02-27 12:29:02    37496    ----a-r-    C:\Windows\System32\drivers\NISx64\1402010.016\srtspx64.sys
2013-02-27 12:29:02    23448    ----a-r-    C:\Windows\System32\drivers\NISx64\1402010.016\symelam.sys
2013-02-27 12:29:02    224416    ----a-w-    C:\Windows\System32\drivers\NISx64\1402010.016\ironx64.sys
2013-02-27 12:29:02    1133216    ----a-w-    C:\Windows\System32\drivers\NISx64\1402010.016\symefa64.sys
2013-02-27 12:29:01    168096    ----a-w-    C:\Windows\System32\drivers\NISx64\1402010.016\ccsetx64.sys
2013-02-27 12:28:57    --------    d-----w-    C:\Windows\System32\drivers\NISx64\1402010.016
2013-02-27 12:21:56    177312    ----a-w-    C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-02-27 12:21:56    --------    d-----w-    C:\Program Files\Symantec
2013-02-27 12:21:56    --------    d-----w-    C:\Program Files\Common Files\Symantec Shared
2013-02-27 12:21:10    --------    d-----w-    C:\Windows\System32\drivers\NISx64
2013-02-27 12:21:08    --------    d-----w-    C:\Program Files (x86)\Norton Internet Security
2013-02-27 12:21:03    --------    d-----w-    C:\Program Files (x86)\NortonInstaller
2013-02-27 12:16:36    --------    d-----w-    C:\Program Files (x86)\Warcraft III Reign of Chaos & The Frozen Throne
2013-02-27 12:03:36    --------    d-----w-    C:\ProgramData\NortonInstaller
2013-02-27 12:03:15    1004    ----a-w-    C:\FixitRegBackup.reg
2013-02-27 10:00:53    36680    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2013-02-27 08:40:13    95392    ----a-w-    C:\Windows\System32\drivers\SMR311.SYS
2013-02-27 08:37:28    --------    d-----w-    C:\downloads
2013-02-27 08:14:52    --------    d-sh--w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\c6
2013-02-27 08:14:48    --------    d-sh--w-    C:\c7
2013-02-23 18:10:18    --------    d-----w-    C:\Users\A Avinesh Benjamin\.zenmap
2013-02-23 18:08:44    --------    d-----w-    C:\Program Files\WinPcap
2013-02-23 18:03:26    --------    d-----w-    C:\Program Files (x86)\Nmap
2013-02-23 17:11:17    71024    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-23 17:11:17    691568    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-23 12:34:48    11264    ----a-w-    C:\Windows\SysWow64\SPORDER.DLL
2013-02-22 18:16:59    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\ProgSense
2013-02-22 18:16:53    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\GrabPro
2013-02-22 18:05:30    --------    d-----w-    C:\ProgramData\Innovative Solutions
2013-02-22 18:05:29    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Local\Innovative Solutions
2013-02-22 18:05:28    --------    d-----w-    C:\Program Files (x86)\Common Files\Innovative Solutions
2013-02-22 18:05:26    42496    ----a-w-    C:\Windows\SysWow64\AdvUninstCPL.cpl
2013-02-22 18:05:20    --------    d-----w-    C:\Program Files (x86)\Innovative Solutions
2013-02-21 14:31:14    --------    d-----w-    C:\ProgramData\Mobile Partner
2013-02-21 14:29:23    --------    d-----w-    C:\ProgramData\DatacardService
2013-02-19 17:27:59    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Local\Diagnostics
2013-02-17 07:46:17    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\FileOpen
2013-02-17 07:46:17    --------    d-----w-    C:\ProgramData\FileOpen
2013-02-17 07:32:27    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\hpqLog
2013-02-15 07:45:40    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\NetBeans
2013-02-15 07:45:40    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Local\NetBeans
2013-02-14 09:21:49    --------    d-----w-    C:\Program Files (x86)\Microsoft Analysis Services
2013-02-14 09:00:10    --------    d-----w-    C:\Windows\pss
2013-02-14 08:29:34    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:29:34    768000    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:20:25    288088    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
2013-02-14 08:20:25    1913192    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-02-14 08:20:04    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-02-14 08:20:03    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-02-14 08:20:03    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-02-14 08:20:03    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-02-14 08:20:03    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-02-14 08:20:02    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-02-14 08:20:01    5553512    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-02-14 08:20:00    3967848    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-02-14 08:20:00    3913064    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-02-14 08:19:59    3153408    ----a-w-    C:\Windows\System32\win32k.sys
2013-02-14 08:15:38    --------    d-----w-    C:\Windows\SysWow64\Adobe
2013-02-14 06:16:54    --------    d-----w-    C:\Program Files\NetBeans 7.2
2013-02-12 14:51:42    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\Nitro
2013-02-12 14:50:51    --------    d-----w-    C:\Program Files\Common Files\Nitro
2013-02-12 14:50:50    --------    d-----w-    C:\ProgramData\Nitro
2013-02-12 14:50:50    --------    d-----w-    C:\Program Files (x86)\Nitro
2013-02-12 14:50:50    --------    d-----w-    C:\Program Files (x86)\Common Files\Nitro
2013-02-12 13:11:27    --------    d-----w-    C:\Windows\System32\appmgmt
2013-02-08 14:45:38    36736    ----a-w-    C:\Windows\System32\drivers\tap0901.sys
2013-02-06 02:12:10    203544    ----a-w-    C:\Windows\System32\drivers\ssudmdm.sys
2013-02-06 02:12:08    102936    ----a-w-    C:\Windows\System32\drivers\ssudbus.sys
2013-02-02 12:45:18    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\DMCache
2013-01-31 17:55:34    29712    ----a-w-    C:\Windows\System32\nitrolocalmon2.dll
2013-01-31 17:55:34    17936    ----a-w-    C:\Windows\System32\nitrolocalui2.dll
2013-01-31 17:53:45    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\Downloaded Installations
2013-01-31 16:17:37    --------    d-----w-    C:\Program Files (x86)\Audacity
2013-01-31 15:24:35    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Local\Microsoft Help
2013-01-31 11:58:29    --------    d-----w-    C:\Program Files (x86)\uTorrent
2013-01-31 11:57:19    --------    d-----w-    C:\Users\A Avinesh Benjamin\AppData\Roaming\uTorrent
.
==================== Find3M  ====================
.
2013-02-21 14:30:20    1490656    ----a-w-    C:\Windows\System32\WdfCoInstaller01007.dll
2013-02-21 14:30:20    1490656    ----a-w-    C:\Windows\System32\drivers\WdfCoInstaller01007.dll
2013-01-30 10:53:22    273840    ------w-    C:\Windows\System32\MpSigStub.exe
2013-01-09 01:19:09    2312704    ----a-w-    C:\Windows\System32\jscript9.dll
2013-01-09 01:12:03    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2013-01-09 01:11:06    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-01-09 01:07:51    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-01-09 01:07:47    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2013-01-09 01:04:42    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-01-08 22:11:21    1800704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-01-08 22:03:20    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-01-08 22:03:12    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-01-08 21:59:02    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-01-08 21:58:29    420864    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-01-08 21:56:23    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-01-04 04:43:21    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2012-12-16 17:11:22    46080    ----a-w-    C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03    367616    ----a-w-    C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28    295424    ----a-w-    C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20    34304    ----a-w-    C:\Windows\SysWow64\atmlib.dll
2012-12-14 11:19:28    24176    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2012-12-07 13:20:16    441856    ----a-w-    C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31    2746368    ----a-w-    C:\Windows\System32\gameux.dll
2012-12-07 12:26:17    308736    ----a-w-    C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43    2576384    ----a-w-    C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04    30720    ----a-w-    C:\Windows\System32\usk.rs
2012-12-07 11:20:03    43520    ----a-w-    C:\Windows\System32\csrr.rs
2012-12-07 11:20:03    23552    ----a-w-    C:\Windows\System32\oflc.rs
2012-12-07 11:20:01    45568    ----a-w-    C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01    44544    ----a-w-    C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01    20480    ----a-w-    C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00    20480    ----a-w-    C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59    20480    ----a-w-    C:\Windows\System32\pegi.rs
2012-12-07 11:19:58    46592    ----a-w-    C:\Windows\System32\fpb.rs
2012-12-07 11:19:57    40960    ----a-w-    C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57    21504    ----a-w-    C:\Windows\System32\grb.rs
2012-12-07 11:19:57    15360    ----a-w-    C:\Windows\System32\djctq.rs
2012-12-07 11:19:56    55296    ----a-w-    C:\Windows\System32\cero.rs
2012-12-07 11:19:55    51712    ----a-w-    C:\Windows\System32\esrb.rs
2012-11-30 05:45:35    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35    243200    ----a-w-    C:\Windows\System32\wow64.dll
2012-11-30 05:45:35    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2012-11-30 05:43:12    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2012-11-30 05:41:07    424448    ----a-w-    C:\Windows\System32\KernelBase.dll
2012-11-30 04:53:59    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48    338432    ----a-w-    C:\Windows\System32\conhost.exe
2012-11-30 02:38:59    6144    ---ha-w-    C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59    4608    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59    3584    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59    3072    ---ha-w-    C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-29 19:20:50    96784    ----a-w-    C:\Windows\SysWow64\Packet.dll
2012-11-29 19:20:50    53299    ----a-w-    C:\Windows\SysWow64\pthreadVC.dll
2012-11-29 19:20:50    281104    ----a-w-    C:\Windows\SysWow64\wpcap.dll
2012-11-29 19:20:50    106000    ----a-w-    C:\Windows\System32\Packet.dll
2012-11-29 19:20:48    369168    ----a-w-    C:\Windows\System32\wpcap.dll
2012-11-29 19:20:48    35344    ----a-w-    C:\Windows\System32\drivers\npf.sys
.
============= FINISH: 23:03:27.25 ===============

Edited by midou1994, 27 February 2013 - 12:40 PM.

Midou
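The DDS log above shows the persistence behind wscript.exe starting at logon: a .js file registered under a user Run key (uRun: [d0b8] ...\c6\d0b8.js) and another dropped in the Startup folder (87f.js). As an added example, not part of the original post or of any tool used in this thread, the following Python script parses DDS "Pseudo HJT Report" autorun lines and flags entries whose target is a Windows Script Host file, with extra notes when the file sits in a user-writable directory or carries a short hex-like name. The sample lines are constructed, modelled on the log with the username replaced, and the DDS line format is assumed from the report above.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# File types that Windows runs through wscript.exe/cscript.exe rather than loading as programs.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Path fragments (lower-case, backslash form) that a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# DDS autorun lines: "uRun: [name] command", "mRun: ...", "x64-Run: ...", "StartupFolder: path".
RUN_RE = re.compile(r"^(?P<kind>(?:x64-)?[um]?Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<kind>StartupFolder):\s*(?P<path>.+)$")
# First token ending in a file extension, optionally quoted; anything after it is arguments.
TARGET_RE = re.compile(r'^"?(?P<path>.*?\.[A-Za-z0-9]{2,4})"?(?=\s|$)')
# Names like d0b8, 87f, 84: short hex-like strings typical of generated autoruns.
HEXISH_NAME = re.compile(r"^[0-9a-f]{2,6}$")

# Constructed sample in DDS format (not the thread's log verbatim; username replaced).
SAMPLE_DDS_LINES = r"""
uRun: [Google Update] "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [d0b8] C:\Users\user\AppData\Roaming\c6\d0b8.js
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
StartupFolder: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87f.js
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
"""


@dataclass
class Finding:
    kind: str                      # autorun location the entry came from (uRun, StartupFolder, ...)
    name: str                      # registry value name, or file name for Startup-folder entries
    target: str                    # path the entry would execute at logon
    reasons: List[str] = field(default_factory=list)


def extract_target(command: str) -> Optional[str]:
    """Return the executed file from a Run-key command line, dropping any arguments."""
    m = TARGET_RE.match(command.strip())
    return m.group("path") if m else None


def assess(kind: str, name: str, target: str) -> Optional[Finding]:
    """Report the entry only if its target is a script-host file; add supporting reasons."""
    low = target.lower().replace("/", "\\")
    ext = os.path.splitext(low.rsplit("\\", 1)[-1])[1]
    if ext not in SCRIPT_EXTS:
        return None  # compiled programs are outside this check's scope
    finding = Finding(kind, name, target, [f"{ext} file is executed by wscript.exe/cscript.exe at logon"])
    if any(frag in low for frag in USER_WRITABLE):
        finding.reasons.append("target sits in a user-writable directory")
    if HEXISH_NAME.match(os.path.splitext(name)[0].lower()):
        finding.reasons.append("short hex-like name, typical of generated autoruns")
    return finding


def scan_dds(report: str) -> List[Finding]:
    """Walk DDS report lines and return the autoruns that launch script files."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            target = extract_target(m.group("cmd"))
            hit = assess(m.group("kind"), m.group("name"), target) if target else None
            if hit:
                findings.append(hit)
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = m.group("path").strip()
            hit = assess(m.group("kind"), path.rsplit("\\", 1)[-1], path)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS_LINES):
        print(f"{f.kind}: [{f.name}] {f.target}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against a full DDS log, the same lines that the helper would pick out by eye (the .js entries) are the only ones reported; GoogleUpdate.exe in AppData is left alone because the check keys on the script-host extension first.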

#3 nasdaq

  • Malware Response Team
  • 39,921 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
Posted 28 February 2013 - 10:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
IMPORTANT !!! Save ComboFix.exe to your Desktop
 
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.
 
How to : Disable Anti-virus and Firewall...
 
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall
 
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third-party programs, if not up to date, can be the cause of infiltration of an infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===
 
Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.


#4 midou1994

  • Topic Starter
  • Members
  • 251 posts
  • Gender:Male
Posted 28 February 2013 - 01:38 PM

ComboFix 13-02-26.01 - A Avinesh Benjamin 28-02-2013  23:46:10.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.91.1033.18.3948.2699 [GMT 5.5:30]
Running from: c:\users\A Avinesh Benjamin\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\muzapp.exe
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_npf
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-28 to 2013-02-28  )))))))))))))))))))))))))))))))
.
.
2013-02-28 16:04 . 2013-02-28 16:08    47437    ----a-w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84.js
2013-02-27 17:08 . 2013-02-27 17:08    388096    ----a-r-    c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-27 17:08 . 2013-02-27 17:08    --------    d-----w-    c:\program files (x86)\Trend Micro
2013-02-27 12:54 . 2013-02-27 12:54    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2013-02-27 12:54 . 2013-02-27 12:54    --------    d-----w-    C:\Tweaking.com_Windows_Repair_Logs
2013-02-27 12:45 . 2012-09-07 02:05    43680    ----a-r-    c:\windows\system32\drivers\SymIMV.sys
2013-02-27 12:37 . 2013-02-27 12:37    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\{AFB0853A-ABDB-4D0B-8D48-E38A88EA82B1}
2013-02-27 12:37 . 2013-02-27 12:37    --------    d-----w-    c:\program files (x86)\Common Files\Symantec Shared
2013-02-27 12:21 . 2013-02-27 12:21    177312    ----a-w-    c:\windows\system32\drivers\SYMEVENT64x86.SYS
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files\Symantec
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2013-02-27 12:21 . 2013-02-27 12:29    --------    d-----w-    c:\windows\system32\drivers\NISx64
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files (x86)\Norton Internet Security
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files (x86)\NortonInstaller
2013-02-27 12:16 . 2013-02-28 16:22    --------    d-----w-    c:\program files (x86)\Warcraft III Reign of Chaos & The Frozen Throne
2013-02-27 12:03 . 2013-02-27 12:21    --------    d-----w-    c:\programdata\NortonInstaller
2013-02-27 12:03 . 2013-02-27 12:03    1004    ----a-w-    C:\FixitRegBackup.reg
2013-02-27 10:00 . 2013-02-27 10:00    36680    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-02-27 08:40 . 2013-02-27 08:40    95392    ----a-w-    c:\windows\system32\drivers\SMR311.SYS
2013-02-27 08:37 . 2013-02-27 08:37    --------    d-----w-    C:\downloads
2013-02-27 08:14 . 2013-02-27 08:14    --------    d-sh--w-    c:\users\A Avinesh Benjamin\AppData\Roaming\c6
2013-02-27 08:14 . 2013-02-27 08:14    --------    d-----w-    C:\c7
2013-02-23 18:10 . 2013-02-24 05:41    --------    d-----w-    c:\users\A Avinesh Benjamin\.zenmap
2013-02-23 18:08 . 2013-02-23 18:08    --------    d-----w-    c:\program files\WinPcap
2013-02-23 18:03 . 2013-02-23 18:09    --------    d-----w-    c:\program files (x86)\Nmap
2013-02-23 17:11 . 2013-02-23 17:11    71024    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-23 17:11 . 2013-02-23 17:11    691568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-23 12:34 . 1997-06-06 10:22    11264    ----a-w-    c:\windows\SysWow64\SPORDER.DLL
2013-02-22 18:16 . 2013-02-22 18:16    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\ProgSense
2013-02-22 18:16 . 2013-02-22 18:16    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\GrabPro
2013-02-22 18:15 . 2013-02-27 10:10    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Orbit
2013-02-22 18:05 . 2013-02-23 12:31    --------    d-----w-    c:\programdata\Innovative Solutions
2013-02-22 18:05 . 2013-02-22 18:05    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\Innovative Solutions
2013-02-22 18:05 . 2013-02-22 18:05    --------    d-----w-    c:\program files (x86)\Common Files\Innovative Solutions
2013-02-22 18:05 . 2009-11-05 06:54    42496    ----a-w-    c:\windows\SysWow64\AdvUninstCPL.cpl
2013-02-22 18:05 . 2013-02-22 18:05    --------    d-----w-    c:\program files (x86)\Innovative Solutions
2013-02-21 14:31 . 2013-02-21 14:31    --------    d-----w-    c:\programdata\Mobile Partner
2013-02-21 14:29 . 2013-02-27 09:23    --------    d-----w-    c:\programdata\DatacardService
2013-02-19 17:27 . 2013-02-27 12:48    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\Diagnostics
2013-02-17 07:46 . 2013-02-17 07:46    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\FileOpen
2013-02-17 07:46 . 2013-02-17 07:46    --------    d-----w-    c:\programdata\FileOpen
2013-02-17 07:32 . 2013-02-17 07:32    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\hpqLog
2013-02-15 07:45 . 2013-02-15 07:46    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\NetBeans
2013-02-15 07:45 . 2013-02-15 07:45    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\NetBeans
2013-02-14 09:22 . 2013-02-14 09:22    --------    d-----w-    c:\program files\Microsoft Office
2013-02-14 09:21 . 2013-02-14 09:21    --------    d-----w-    c:\program files (x86)\Microsoft Analysis Services
2013-02-14 09:20 . 2013-02-14 09:20    --------    d-----r-    C:\MSOCache
2013-02-14 08:29 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:29 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:27 . 2013-01-09 01:07    816640    ----a-w-    c:\windows\system32\jscript.dll
2013-02-14 08:20 . 2013-01-03 06:00    1913192    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-14 08:20 . 2013-01-03 06:00    288088    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-14 08:20 . 2013-01-04 05:46    215040    ----a-w-    c:\windows\system32\winsrv.dll
2013-02-14 08:20 . 2013-01-04 04:51    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2013-02-14 08:20 . 2013-01-04 02:47    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2013-02-14 08:20 . 2013-01-04 02:47    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2013-02-14 08:20 . 2013-01-04 02:47    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2013-02-14 08:20 . 2013-01-04 02:47    2048    ----a-w-    c:\windows\SysWow64\user.exe
2013-02-14 08:20 . 2013-01-05 05:53    5553512    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-14 08:20 . 2013-01-05 05:00    3967848    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-14 08:20 . 2013-01-05 05:00    3913064    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-14 08:19 . 2013-01-04 03:26    3153408    ----a-w-    c:\windows\system32\win32k.sys
2013-02-14 08:15 . 2013-02-14 08:15    --------    d-----w-    c:\windows\SysWow64\Adobe
2013-02-14 06:16 . 2013-02-14 06:19    --------    d-----w-    c:\program files\NetBeans 7.2
2013-02-12 14:52 . 2013-02-28 14:08    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Nitro PDF
2013-02-12 14:51 . 2013-02-12 14:51    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\program files\Common Files\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\programdata\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\program files (x86)\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\program files (x86)\Common Files\Nitro
2013-02-12 13:11 . 2013-02-12 13:11    --------    d-----w-    c:\windows\system32\appmgmt
2013-02-06 02:12 . 2013-02-06 02:12    203544    ----a-w-    c:\windows\system32\drivers\ssudmdm.sys
2013-02-06 02:12 . 2013-02-06 02:12    102936    ----a-w-    c:\windows\system32\drivers\ssudbus.sys
2013-02-02 12:45 . 2013-02-22 18:07    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\DMCache
2013-01-31 17:55 . 2013-01-14 17:00    29712    ----a-w-    c:\windows\system32\nitrolocalmon2.dll
2013-01-31 17:55 . 2013-01-14 17:00    17936    ----a-w-    c:\windows\system32\nitrolocalui2.dll
2013-01-31 17:53 . 2013-01-31 17:53    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Downloaded Installations
2013-01-31 16:17 . 2013-01-31 17:27    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Audacity
2013-01-31 16:17 . 2013-01-31 17:09    --------    d-----w-    c:\program files (x86)\Audacity
2013-01-31 15:24 . 2013-01-31 15:24    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\Microsoft Help
2013-01-31 11:58 . 2013-01-31 11:58    --------    d-----w-    c:\program files (x86)\uTorrent
2013-01-31 11:57 . 2013-02-16 07:34    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\uTorrent
2013-01-31 08:52 . 2011-12-15 14:59    31232    ----a-w-    c:\windows\system32\drivers\tap0901.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-21 14:30 . 2012-12-29 11:01    1490656    ----a-w-    c:\windows\system32\WdfCoInstaller01007.dll
2013-02-21 14:30 . 2012-12-29 11:01    1490656    ----a-w-    c:\windows\system32\drivers\WdfCoInstaller01007.dll
2013-02-14 08:34 . 2012-12-18 18:22    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-01-30 10:53 . 2010-11-21 03:27    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-14 08:20    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-21 10:01    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 16:28 . 2012-12-16 16:20    2243520    ----a-w-    c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-12-16 15:53 . 2012-12-16 15:53    74752    ----a-w-    c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-12-16 15:53 . 2012-12-16 15:53    161792    ----a-w-    c:\windows\SysWow64\msls31.dll
2012-12-16 15:53 . 2012-12-16 15:53    86528    ----a-w-    c:\windows\SysWow64\iesysprep.dll
2012-12-16 15:53 . 2012-12-16 15:53    76800    ----a-w-    c:\windows\SysWow64\SetIEInstalledDate.exe
2012-12-16 15:53 . 2012-12-16 15:53    74752    ----a-w-    c:\windows\SysWow64\iesetup.dll
2012-12-16 15:53 . 2012-12-16 15:53    63488    ----a-w-    c:\windows\SysWow64\tdc.ocx
2012-12-16 15:53 . 2012-12-16 15:53    48640    ----a-w-    c:\windows\SysWow64\mshtmler.dll
2012-12-16 15:53 . 2012-12-16 15:53    367104    ----a-w-    c:\windows\SysWow64\html.iec
2012-12-16 15:53 . 2012-12-16 15:53    23552    ----a-w-    c:\windows\SysWow64\licmgr10.dll
2012-12-16 15:53 . 2012-12-16 15:53    152064    ----a-w-    c:\windows\SysWow64\wextract.exe
2012-12-16 15:53 . 2012-12-16 15:53    110592    ----a-w-    c:\windows\SysWow64\IEAdvpack.dll
2012-12-16 15:53 . 2012-12-16 15:53    150528    ----a-w-    c:\windows\SysWow64\iexpress.exe
2012-12-16 15:53 . 2012-12-16 15:53    89088    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2012-12-16 15:53 . 2012-12-16 15:53    35840    ----a-w-    c:\windows\SysWow64\imgutil.dll
2012-12-16 15:53 . 2012-12-16 15:53    222208    ----a-w-    c:\windows\system32\msls31.dll
2012-12-16 15:53 . 2012-12-16 15:53    11776    ----a-w-    c:\windows\SysWow64\mshta.exe
2012-12-16 15:53 . 2012-12-16 15:53    101888    ----a-w-    c:\windows\SysWow64\admparse.dll
2012-12-16 15:53 . 2012-12-16 15:53    197120    ----a-w-    c:\windows\system32\msrating.dll
2012-12-16 15:53 . 2012-12-16 15:53    91648    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2012-12-16 15:53 . 2012-12-16 15:53    65024    ----a-w-    c:\windows\system32\pngfilt.dll
2012-12-16 15:53 . 2012-12-16 15:53    55296    ----a-w-    c:\windows\system32\msfeedsbs.dll
2012-12-16 15:53 . 2012-12-16 15:53    49664    ----a-w-    c:\windows\system32\imgutil.dll
2012-12-16 15:53 . 2012-12-16 15:53    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2012-12-16 15:53 . 2012-12-16 15:53    267776    ----a-w-    c:\windows\system32\ieaksie.dll
2012-12-16 15:53 . 2012-12-16 15:53    163840    ----a-w-    c:\windows\system32\ieakui.dll
2012-12-16 15:53 . 2012-12-16 15:53    160256    ----a-w-    c:\windows\system32\ieakeng.dll
2012-12-16 15:53 . 2012-12-16 15:53    149504    ----a-w-    c:\windows\system32\occache.dll
2012-12-16 15:53 . 2012-12-16 15:53    145920    ----a-w-    c:\windows\system32\iepeers.dll
2012-12-16 15:53 . 2012-12-16 15:53    135168    ----a-w-    c:\windows\system32\IEAdvpack.dll
2012-12-16 15:53 . 2012-12-16 15:53    12288    ----a-w-    c:\windows\system32\mshta.exe
2012-12-16 15:53 . 2012-12-16 15:53    114176    ----a-w-    c:\windows\system32\admparse.dll
2012-12-16 15:53 . 2012-12-16 15:53    111616    ----a-w-    c:\windows\system32\iesysprep.dll
2012-12-16 15:53 . 2012-12-16 15:53    10752    ----a-w-    c:\windows\system32\msfeedssync.exe
2012-12-16 15:53 . 2012-12-16 15:53    76800    ----a-w-    c:\windows\system32\tdc.ocx
2012-12-16 15:53 . 2012-12-16 15:53    452608    ----a-w-    c:\windows\system32\dxtmsft.dll
2012-12-16 15:53 . 2012-12-16 15:53    448512    ----a-w-    c:\windows\system32\html.iec
2012-12-16 15:53 . 2012-12-16 15:53    282112    ----a-w-    c:\windows\system32\dxtrans.dll
2012-12-16 15:53 . 2012-12-16 15:53    3695416    ----a-w-    c:\windows\system32\ieapfltr.dat
2012-12-16 15:53 . 2012-12-16 15:53    534528    ----a-w-    c:\windows\system32\ieapfltr.dll
2012-12-16 15:53 . 2012-12-16 15:53    89088    ----a-w-    c:\windows\system32\ie4uinit.exe
2012-12-16 15:53 . 2012-12-16 15:53    85504    ----a-w-    c:\windows\system32\iesetup.dll
2012-12-16 15:53 . 2012-12-16 15:53    82432    ----a-w-    c:\windows\system32\icardie.dll
2012-12-16 15:53 . 2012-12-16 15:53    403248    ----a-w-    c:\windows\system32\iedkcs32.dll
2012-12-16 15:53 . 2012-12-16 15:53    39936    ----a-w-    c:\windows\system32\iernonce.dll
2012-12-16 15:53 . 2012-12-16 15:53    30720    ----a-w-    c:\windows\system32\licmgr10.dll
2012-12-16 15:53 . 2012-12-16 15:53    249344    ----a-w-    c:\windows\system32\webcheck.dll
2012-12-16 15:53 . 2012-12-16 15:53    103936    ----a-w-    c:\windows\system32\inseng.dll
2012-12-16 15:53 . 2012-12-16 15:53    165888    ----a-w-    c:\windows\system32\iexpress.exe
2012-12-16 15:53 . 2012-12-16 15:53    160256    ----a-w-    c:\windows\system32\wextract.exe
2012-12-16 15:53 . 2012-12-16 15:53    108008    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2012-12-16 15:53 . 2012-12-16 15:53    289768    ----a-w-    c:\windows\system32\javaws.exe
2012-12-16 15:53 . 2012-12-16 15:53    189416    ----a-w-    c:\windows\system32\javaw.exe
2012-12-16 15:53 . 2012-12-16 15:53    188904    ----a-w-    c:\windows\system32\java.exe
2012-12-16 15:53 . 2012-12-16 14:45    916456    ----a-w-    c:\windows\system32\deployJava1.dll
2012-12-16 15:53 . 2012-12-16 14:45    1034216    ----a-w-    c:\windows\system32\npDeployJava1.dll
2012-12-16 14:45 . 2012-12-21 10:01    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:01    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:01    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-14 11:19 . 2012-12-29 13:43    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-13 21:12 . 2012-12-13 21:12    9728    ----a-w-    c:\windows\system32\IGFXDEVLib.dll
2012-12-13 21:12 . 2012-12-13 21:12    437760    ----a-w-    c:\windows\system32\igfxrnor.lrc
2012-12-13 21:12 . 2012-12-13 21:12    384512    ----a-w-    c:\windows\system32\igfxpph.dll
2012-12-13 21:12 . 2012-12-13 21:12    12615680    ----a-w-    c:\windows\system32\igdumd64.dll
2012-12-13 21:12 . 2012-12-16 13:09    64000    ----a-w-    c:\windows\system32\igfxsrvc.dll
2012-12-13 21:12 . 2012-12-16 13:09    110592    ----a-w-    c:\windows\system32\hccutils.dll
2012-12-13 21:12 . 2012-12-13 21:12    64512    ----a-w-    c:\windows\SysWow64\igdde32.dll
2012-12-13 21:12 . 2012-12-13 21:12    440320    ----a-w-    c:\windows\system32\igfxrell.lrc
2012-12-13 21:12 . 2012-12-13 21:12    437760    ----a-w-    c:\windows\system32\igfxrptb.lrc
2012-12-13 21:12 . 2012-12-13 21:12    437248    ----a-w-    c:\windows\system32\igfxrtha.lrc
2012-12-13 21:12 . 2012-12-13 21:12    435712    ----a-w-    c:\windows\system32\igfxrheb.lrc
2012-12-13 21:12 . 2012-12-13 21:12    435712    ----a-w-    c:\windows\system32\igfxrara.lrc
2012-12-13 21:12 . 2012-12-13 21:12    431104    ----a-w-    c:\windows\system32\igfxrkor.lrc
2012-12-13 21:12 . 2012-12-13 21:12    429056    ----a-w-    c:\windows\system32\igfxrcht.lrc
2012-12-13 21:12 . 2012-12-13 21:12    330752    ----a-w-    c:\windows\SysWow64\igfxdv32.dll
2012-12-13 21:12 . 2012-12-13 21:12    28672    ----a-w-    c:\windows\system32\igfxexps.dll
2012-12-13 21:12 . 2012-10-09 20:52    11174912    ----a-w-    c:\windows\SysWow64\igd10umd32.dll
2012-12-13 21:12 . 2012-12-13 21:12    640512    ----a-w-    c:\windows\SysWow64\igfxcmrt32.dll
2012-12-13 21:12 . 2012-12-13 21:12    512112    ----a-w-    c:\windows\system32\igfxsrvc.exe
2012-12-13 21:12 . 2012-12-13 21:12    438784    ----a-w-    c:\windows\system32\igfxrnld.lrc
2012-12-13 21:12 . 2012-12-13 21:12    438784    ----a-w-    c:\windows\system32\igfxrdeu.lrc
2012-12-13 21:12 . 2012-12-13 21:12    3121152    ----a-w-    c:\windows\SysWow64\igfxcmjit32.dll
2012-12-13 21:12 . 2012-12-13 21:12    255088    ----a-w-    c:\windows\system32\igfxext.exe
2012-12-13 21:12 . 2012-12-13 21:12    13030400    ----a-w-    c:\windows\system32\ig4icd64.dll
2012-12-13 21:12 . 2012-12-16 13:09    12858368    ----a-w-    c:\windows\system32\igd10umd64.dll
2012-12-13 21:12 . 2012-12-13 21:12    9007616    ----a-w-    c:\windows\system32\igfxress.dll
2012-12-13 21:12 . 2012-12-13 21:12    483840    ----a-w-    c:\windows\system32\igfx11cmrt64.dll
2012-12-13 21:12 . 2012-12-13 21:12    439808    ----a-w-    c:\windows\system32\igfxresn.lrc
2012-12-13 21:12 . 2012-12-13 21:12    437760    ----a-w-    c:\windows\system32\igfxrtrk.lrc
2012-12-13 21:12 . 2012-12-13 21:12    428544    ----a-w-    c:\windows\system32\igfxrchs.lrc
2012-12-13 21:12 . 2012-12-13 21:12    80384    ----a-w-    c:\windows\system32\igdde64.dll
2012-12-13 21:12 . 2012-12-13 21:12    459264    ----a-w-    c:\windows\SysWow64\igfx11cmrt32.dll
2012-12-13 21:12 . 2012-12-13 21:12    439296    ----a-w-    c:\windows\system32\igfxrrus.lrc
2012-12-13 21:12 . 2012-12-13 21:12    438784    ----a-w-    c:\windows\system32\igfxrptg.lrc
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0b8"="c:\users\A Avinesh Benjamin\AppData\Roaming\c6\d0b8.js" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 318520]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
84.js [2013-2-28 47437]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-02-06 102936]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [x]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [x]
R3 huawei_wwanecm;huawei_wwanecm;c:\windows\system32\DRIVERS\ew_juwwanecm.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-02-27 36680]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-02-06 203544]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-17 68440]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-12-19 1255736]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [2012-11-13 14544]
S0 SMR311;Symantec SMR Utility Service 3.1.1;c:\windows\System32\drivers\SMR311.SYS [2013-02-27 95392]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1402010.016\SYMDS64.SYS [2012-10-04 493216]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1402010.016\SYMEFA64.SYS [2012-10-04 1133216]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130208.001\BHDrvx64.sys [2013-02-07 1388120]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1402010.016\ccSetx64.sys [2012-08-20 168096]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130227.001\IDSvia64.sys [2013-02-26 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1402010.016\Ironx64.SYS [2012-09-07 224416]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1402010.016\SYMNETS.SYS [2012-09-07 432800]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 IaStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-13 13336]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-28 1817088]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [2012-12-05 143928]
S2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [2013-01-14 230416]
S2 NuTCRACKERService;NuTCRACKER Service;c:\windows\SysWOW64\nutsrv4.exe [2001-01-02 277272]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-31 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-18 138912]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-05 436840]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-03-02 1142376]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1633803546-3914405238-1997943089-1000Core.job
- c:\users\A Avinesh Benjamin\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-22 14:56]
.
2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1633803546-3914405238-1997943089-1000UA.job
- c:\users\A Avinesh Benjamin\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-22 14:56]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-13 441968]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.42.129
TCP: Interfaces\{8FAE3489-E4A7-441A-9CBD-8C4FC0A8E17A}\14E64627F69646140553532393: NameServer = 208.67.220.222,208.67.222.220
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.2.1.22\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{6EF568F4-D437-4466-AA63-A3645136D93E}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{6EF568F4-D437-4466-AA63-A3645136D93E}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{6EF568F4-D437-4466-AA63-A3645136D93E}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2013-02-28  23:56:15 - machine was rebooted
ComboFix-quarantined-files.txt  2013-02-28 18:26
.
Pre-Run: 129,970,331,648 bytes free
Post-Run: 129,345,818,624 bytes free
.
- - End Of File - - 6D2E0D93F464963CF6C73E78F10AA5F0
 
 
 
I ran ComboFix, but the wscript.exe process had been terminated by me some time back. After ComboFix restarted the PC, none of the apps would work; I got a registry error, the one you mentioned for ComboFix, and all apps showed this error. After I restarted the system again the problem was solved.

During system startup I got a compressed-file error and two wscript.exe processes. Should I run a scan after terminating wscript.exe, or should I not do anything for now and post the other requested logs?

Midou

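Worked check, added here as an example and not part of the thread or of ComboFix's own output: the two entries ComboFix listed under "Reg Loading Points" above (the HKCU Run value "d0b8" pointing at a .js file inside the hidden AppData\Roaming\c6 folder, marked [X] because the file was not found at scan time, and 84.js in the user's Startup folder) are Windows Script Host persistence, which is why wscript.exe shows up at every logon and why killing the process alone does not make it stay away. The script below lists the same autostart locations on a live machine, flags any entry that names a script-host file type or a host binary, checks whether the referenced script still exists on disk, and prints the command line of every running wscript.exe/cscript.exe so you can see which file it was started with. It assumes Windows PowerShell 3.0 or later (for the [pscustomobject] syntax and the -File switch) and read access to the HKLM keys; the key paths and Startup folders are the standard Windows ones, nothing else is assumed.

```powershell
# Added example, not from the thread. Audits the autostart locations ComboFix
# reported ("Reg Loading Points" and the Startup folder) for Windows Script Host
# persistence and shows what any running wscript.exe was launched with.
# Assumes Windows PowerShell 3.0 or later.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# File types handled by wscript.exe/cscript.exe/mshta.exe, plus the host binaries.
$scriptPattern = '\.(js|jse|vbs|vbe|wsf|wsh|hta)\b|\b(wscript|cscript|mshta)\.exe'
# Pulls a drive-rooted script path, quoted or not, out of a Run command line.
$pathPattern   = '"?([A-Za-z]:\\[^"]+?\.(js|jse|vbs|vbe|wsf|wsh|hta))"?'

$findings = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            if ($command -notmatch $scriptPattern) { continue }
            # ComboFix prints [X] when the referenced file is missing; do the same check.
            $m = [regex]::Match($command, $pathPattern, 'IgnoreCase')
            $exists = if ($m.Success) { Test-Path -LiteralPath $m.Groups[1].Value } else { 'n/a' }
            [pscustomobject]@{
                Location   = $key
                Name       = $name
                Command    = $command
                FileExists = $exists
            }
        }
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $scriptPattern } |
            ForEach-Object {
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName; FileExists = $true }
            }
    }
)

"== Script-host autostart entries =="
$findings | Format-Table -AutoSize -Wrap

"== Running wscript.exe / cscript.exe and their command lines =="
Get-WmiObject -Class Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell so the HKLM keys are readable. An entry whose FileExists is False is what ComboFix shows as [X]: the file is gone but the loading point is still there and will error or be re-populated by the next dropper. The process listing is the quick way to answer "what is wscript.exe doing": the CommandLine column names the script it is running, which should match one of the flagged autostart entries.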
#5 midou1994 (Topic Starter)

Posted 28 February 2013 - 01:41 PM

 Results of screen317's Security Check version 0.99.60  
 Windows 7 Service Pack 1 x64   
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Norton Internet Security   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.70.0.1100  
 Adobe Reader 10.1.5 Adobe Reader out of Date!  
 Google Chrome 23.0.1271.64  
 Google Chrome 25.0.1364.97  
 Google Chrome Plugins...  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 
 
 
 
 
Thanks for the speedy response and your help 
:thumbsup:

Midou

#6 midou1994 (Topic Starter)

Posted 28 February 2013 - 01:45 PM

Update: If I don't terminate wscript.exe I can't run AdwCleaner.

It closes automatically. Also, if I insert any pendrive while wscript.exe is running, it creates shortcut folders with the real data still present inside those shortcuts.

It also creates an autorun file; if I delete this file it just comes back, but if I terminate wscript.exe then nothing happens.

 

Thanks again For your Help 


Midou

#7 midou1994
Topic Starter

Posted 28 February 2013 - 01:53 PM

Update: changed the AdwCleaner name to utu, did a scan and delete; here is the log.

 

 

# AdwCleaner v2.113 - Logfile created 03/01/2013 at 00:21:15
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : A Avinesh Benjamin - AVINESH
# Boot Mode : Normal
# Running from : C:\Users\A Avinesh Benjamin\Desktop\utu.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\Program Files (x86)\GreenTree Applications
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\GreenTree Applications
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16464
 
[OK] Registry is clean.
 
-\\ Google Chrome v25.0.1364.97
 
File : C:\Users\A Avinesh Benjamin\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R2].txt - [1434 octets] - [01/03/2013 00:20:36]
AdwCleaner[R3].txt - [1494 octets] - [01/03/2013 00:20:51]
AdwCleaner[S2].txt - [1439 octets] - [01/03/2013 00:21:15]
 
########## EOF - C:\AdwCleaner[S2].txt - [1499 octets] ##########

Midou

#8 nasdaq
Malware Response Team

Posted 28 February 2013 - 02:12 PM

I think wscript.exe is called by the 84.js in your Startup folder.
This should remove it.
 
Open notepad and copy/paste the text in the quote box below into it:
 
File::
c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84.js
 
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0b8"=-
 
ClearJavaCache::
 
 
Save this as CFScript.txt on your desktop.
 
 
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===
Get the latest version of the  Adobe Reader.
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
 
When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
 
Keep me posted.


#9 midou1994
Topic Starter

Posted 28 February 2013 - 02:22 PM

Hi again 

wscript.exe is running have not terminated it yet.

After I drag the script onto CF, it starts ERUNT to back up the registry and then, poof, nothing happens. What do I do?

Terminate it and then run CF


Midou

#10 nasdaq
Malware Response Team

Posted 28 February 2013 - 02:34 PM

wscript.exe is running have not terminated it yet.

Terminate it. It's started each time you start the computer.

 

Stop Combofix.

 

Delete the file in bold manually.

c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84.js

 

If in use boot to Safe mode and remove it.



#11 midou1994
Topic Starter

Posted 28 February 2013 - 02:39 PM

Folder is empty, can't find a thing.

 

 

Only visible file is desktop.ini


Midou

#12 midou1994
Topic Starter

Posted 28 February 2013 - 02:46 PM

In path C:\Users\A Avinesh Benjamin\AppData\Roaming\c6, c6 is a hidden folder and I found d0b8.js. Should I delete this? It is again in the startup list after I disabled it some time back.

 

 



Midou
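Added example (not code from this thread, ComboFix or AdwCleaner): a small Python triage pass over ComboFix-style log lines that flags the three indicators nasdaq and midou have been chasing above, a script file in the per-user Startup folder, a Run value that launches a script, and a hidden folder such as c6 under AppData\Roaming. The sample log is constructed from lines in this thread; the command line given for the d0b8 Run value and the reading of the attribute letters (d = directory, h = hidden) are assumptions.

```python
"""Triage of ComboFix-style log lines for the persistence seen in this thread.

Added example, not code from the thread, ComboFix or AdwCleaner. It flags a
script file in the per-user Startup folder, a Run value that runs a script
(directly or via wscript/cscript), and a hidden directory created under
AppData\\Roaming (such as c6). Assumed reading of the attribute column: a
leading 'd' marks a directory and an 'h' the hidden attribute ("d-sh--w-").
"""
import re
from dataclasses import dataclass

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
SCRIPT_HOSTS = ("wscript", "cscript")

# "2013-03-01 07:41 . 2013-03-01 07:41    --------    d-sh--w-    c:\path"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"\S+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*?)"(?:\s+\[[^\]]*\])?\s*$')
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\?$", re.IGNORECASE)
STARTUP_ENTRY = re.compile(r"^(?P<name>\S.*?)\s+\[[^\]]*\]\s*$")  # "86fa.js [2013-3-1 47437]"


@dataclass(frozen=True)
class Finding:
    kind: str    # "startup-script", "run-key-script" or "hidden-roaming-dir"
    detail: str  # path or registry value involved


def _is_script(text):
    return text.lower().strip('"').endswith(SCRIPT_EXT)


def _runs_script(cmd):
    return any(h in cmd.lower() for h in SCRIPT_HOSTS) or _is_script(cmd)


def triage(log_text):
    """Return the distinct Findings for a ComboFix-style log given as a string."""
    findings = []
    current_key = None     # last "[HKEY_...]" heading seen
    startup_folder = None  # set while reading the entries listed under a Startup folder

    def add(kind, detail):
        f = Finding(kind, detail)
        if f not in findings:  # the same file can appear in two sections of the log
            findings.append(f)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            low = path.lower()
            if "\\start menu\\programs\\startup\\" in low and _is_script(path):
                add("startup-script", path)
            elif attrs[0] == "d" and "h" in attrs and "\\appdata\\roaming\\" in low:
                add("hidden-roaming-dir", path)
            startup_folder = None
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key, startup_folder = m.group("key"), None
            continue
        if STARTUP_DIR.search(line):
            startup_folder = line
            continue
        if startup_folder:
            m = STARTUP_ENTRY.match(line)
            if m and _is_script(m.group("name")):
                add("startup-script", startup_folder + m.group("name"))
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            if _runs_script(m.group("cmd")):
                add("run-key-script", current_key + "\\" + m.group("name") + " -> " + m.group("cmd"))
    return findings


# Constructed sample: lines copied from the ComboFix log in this thread plus an
# assumed command line for the "d0b8" Run value that nasdaq's CFScript removes.
SAMPLE_LOG = r"""
2013-03-01 07:41 . 2013-03-01 07:41    --------    d-sh--w-    c:\users\A Avinesh Benjamin\AppData\Roaming\c6
2013-03-01 07:40 . 2013-03-01 07:47    47437    ----a-w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86fa.js
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 318520]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0b8"="wscript.exe //B c:\users\A Avinesh Benjamin\AppData\Roaming\c6\d0b8.js" [2013-03-01 47437]
.
c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
86fa.js [2013-3-1 47437]
"""
```

Running `triage(SAMPLE_LOG)` reports the hidden c6 folder, the Startup-folder 86fa.js (once, although it appears in two sections) and the d0b8 Run value, while the legitimate HPOSD entry is left alone.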

#13 midou1994
Topic Starter

Posted 01 March 2013 - 03:21 AM

ComboFix 13-02-26.01 - A Avinesh Benjamin 01-03-2013  13:37:46.4.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.91.1033.18.3948.2417 [GMT 5.5:30]
Running from: c:\users\A Avinesh Benjamin\Desktop\ComboFix.exe
Command switches used :: c:\users\A Avinesh Benjamin\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84.js"
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-01 to 2013-03-01  )))))))))))))))))))))))))))))))
.
.
2013-03-01 08:11 . 2013-03-01 08:11    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-03-01 07:41 . 2013-03-01 07:41    --------    d-----w-    C:\c7
2013-03-01 07:41 . 2013-03-01 07:41    --------    d-sh--w-    c:\users\A Avinesh Benjamin\AppData\Roaming\c6
2013-03-01 07:40 . 2013-03-01 07:47    47437    ----a-w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86fa.js
2013-02-27 17:08 . 2013-02-27 17:08    388096    ----a-r-    c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-27 17:08 . 2013-02-27 17:08    --------    d-----w-    c:\program files (x86)\Trend Micro
2013-02-27 12:54 . 2013-02-27 12:54    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2013-02-27 12:45 . 2012-09-07 02:05    43680    ----a-r-    c:\windows\system32\drivers\SymIMV.sys
2013-02-27 12:37 . 2013-02-27 12:37    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\{AFB0853A-ABDB-4D0B-8D48-E38A88EA82B1}
2013-02-27 12:37 . 2013-02-27 12:37    --------    d-----w-    c:\program files (x86)\Common Files\Symantec Shared
2013-02-27 12:21 . 2013-02-27 12:21    177312    ----a-w-    c:\windows\system32\drivers\SYMEVENT64x86.SYS
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files\Symantec
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2013-02-27 12:21 . 2013-02-27 12:29    --------    d-----w-    c:\windows\system32\drivers\NISx64
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files (x86)\Norton Internet Security
2013-02-27 12:21 . 2013-02-27 12:21    --------    d-----w-    c:\program files (x86)\NortonInstaller
2013-02-27 12:16 . 2013-02-28 16:22    --------    d-----w-    c:\program files (x86)\Warcraft III Reign of Chaos & The Frozen Throne
2013-02-27 12:03 . 2013-02-27 12:21    --------    d-----w-    c:\programdata\NortonInstaller
2013-02-27 10:00 . 2013-02-27 10:00    36680    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-02-27 08:40 . 2013-02-27 08:40    95392    ----a-w-    c:\windows\system32\drivers\SMR311.SYS
2013-02-23 18:10 . 2013-02-24 05:41    --------    d-----w-    c:\users\A Avinesh Benjamin\.zenmap
2013-02-23 18:08 . 2013-02-23 18:08    --------    d-----w-    c:\program files\WinPcap
2013-02-23 18:03 . 2013-02-23 18:09    --------    d-----w-    c:\program files (x86)\Nmap
2013-02-23 17:11 . 2013-02-23 17:11    71024    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-23 17:11 . 2013-02-23 17:11    691568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-23 12:34 . 1997-06-06 10:22    11264    ----a-w-    c:\windows\SysWow64\SPORDER.DLL
2013-02-22 18:16 . 2013-02-22 18:16    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\ProgSense
2013-02-22 18:16 . 2013-02-22 18:16    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\GrabPro
2013-02-22 18:15 . 2013-02-27 10:10    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Orbit
2013-02-22 18:05 . 2013-02-23 12:31    --------    d-----w-    c:\programdata\Innovative Solutions
2013-02-22 18:05 . 2013-02-22 18:05    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\Innovative Solutions
2013-02-22 18:05 . 2013-02-22 18:05    --------    d-----w-    c:\program files (x86)\Common Files\Innovative Solutions
2013-02-22 18:05 . 2009-11-05 06:54    42496    ----a-w-    c:\windows\SysWow64\AdvUninstCPL.cpl
2013-02-22 18:05 . 2013-02-22 18:05    --------    d-----w-    c:\program files (x86)\Innovative Solutions
2013-02-21 14:31 . 2013-02-21 14:31    --------    d-----w-    c:\programdata\Mobile Partner
2013-02-21 14:29 . 2013-02-27 09:23    --------    d-----w-    c:\programdata\DatacardService
2013-02-19 17:27 . 2013-02-27 12:48    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\Diagnostics
2013-02-17 07:46 . 2013-02-17 07:46    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\FileOpen
2013-02-17 07:46 . 2013-02-17 07:46    --------    d-----w-    c:\programdata\FileOpen
2013-02-17 07:32 . 2013-02-17 07:32    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\hpqLog
2013-02-15 07:45 . 2013-02-15 07:46    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\NetBeans
2013-02-15 07:45 . 2013-02-15 07:45    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\NetBeans
2013-02-14 09:22 . 2013-02-14 09:22    --------    d-----w-    c:\program files\Microsoft Office
2013-02-14 09:21 . 2013-02-14 09:21    --------    d-----w-    c:\program files (x86)\Microsoft Analysis Services
2013-02-14 09:20 . 2013-02-14 09:20    --------    d-----r-    C:\MSOCache
2013-02-14 08:29 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:29 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:27 . 2013-01-09 01:07    816640    ----a-w-    c:\windows\system32\jscript.dll
2013-02-14 08:20 . 2013-01-03 06:00    1913192    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-14 08:20 . 2013-01-03 06:00    288088    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-14 08:20 . 2013-01-04 05:46    215040    ----a-w-    c:\windows\system32\winsrv.dll
2013-02-14 08:20 . 2013-01-04 04:51    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2013-02-14 08:20 . 2013-01-04 02:47    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2013-02-14 08:20 . 2013-01-04 02:47    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2013-02-14 08:20 . 2013-01-04 02:47    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2013-02-14 08:20 . 2013-01-04 02:47    2048    ----a-w-    c:\windows\SysWow64\user.exe
2013-02-14 08:20 . 2013-01-05 05:53    5553512    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-14 08:20 . 2013-01-05 05:00    3967848    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-14 08:20 . 2013-01-05 05:00    3913064    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-14 08:19 . 2013-01-04 03:26    3153408    ----a-w-    c:\windows\system32\win32k.sys
2013-02-14 08:15 . 2013-02-14 08:15    --------    d-----w-    c:\windows\SysWow64\Adobe
2013-02-14 06:16 . 2013-02-14 06:19    --------    d-----w-    c:\program files\NetBeans 7.2
2013-02-12 14:52 . 2013-02-28 21:07    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Nitro PDF
2013-02-12 14:51 . 2013-02-12 14:51    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\program files\Common Files\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\programdata\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\program files (x86)\Nitro
2013-02-12 14:50 . 2013-02-12 14:50    --------    d-----w-    c:\program files (x86)\Common Files\Nitro
2013-02-12 13:11 . 2013-02-12 13:11    --------    d-----w-    c:\windows\system32\appmgmt
2013-02-06 02:12 . 2013-02-06 02:12    203544    ----a-w-    c:\windows\system32\drivers\ssudmdm.sys
2013-02-06 02:12 . 2013-02-06 02:12    102936    ----a-w-    c:\windows\system32\drivers\ssudbus.sys
2013-02-02 12:45 . 2013-02-22 18:07    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\DMCache
2013-01-31 17:55 . 2013-01-14 17:00    29712    ----a-w-    c:\windows\system32\nitrolocalmon2.dll
2013-01-31 17:55 . 2013-01-14 17:00    17936    ----a-w-    c:\windows\system32\nitrolocalui2.dll
2013-01-31 17:53 . 2013-01-31 17:53    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Downloaded Installations
2013-01-31 16:17 . 2013-01-31 17:27    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\Audacity
2013-01-31 16:17 . 2013-01-31 17:09    --------    d-----w-    c:\program files (x86)\Audacity
2013-01-31 15:24 . 2013-01-31 15:24    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Local\Microsoft Help
2013-01-31 11:58 . 2013-01-31 11:58    --------    d-----w-    c:\program files (x86)\uTorrent
2013-01-31 11:57 . 2013-02-16 07:34    --------    d-----w-    c:\users\A Avinesh Benjamin\AppData\Roaming\uTorrent
2013-01-31 08:52 . 2011-12-15 14:59    31232    ----a-w-    c:\windows\system32\drivers\tap0901.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-21 14:30 . 2012-12-29 11:01    1490656    ----a-w-    c:\windows\system32\WdfCoInstaller01007.dll
2013-02-21 14:30 . 2012-12-29 11:01    1490656    ----a-w-    c:\windows\system32\drivers\WdfCoInstaller01007.dll
2013-02-14 08:34 . 2012-12-18 18:22    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-01-30 10:53 . 2010-11-21 03:27    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-14 08:20    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-21 10:01    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 16:28 . 2012-12-16 16:20    2243520    ----a-w-    c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-12-16 15:53 . 2012-12-16 15:53    74752    ----a-w-    c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-12-16 15:53 . 2012-12-16 15:53    161792    ----a-w-    c:\windows\SysWow64\msls31.dll
2012-12-16 15:53 . 2012-12-16 15:53    86528    ----a-w-    c:\windows\SysWow64\iesysprep.dll
2012-12-16 15:53 . 2012-12-16 15:53    76800    ----a-w-    c:\windows\SysWow64\SetIEInstalledDate.exe
2012-12-16 15:53 . 2012-12-16 15:53    74752    ----a-w-    c:\windows\SysWow64\iesetup.dll
2012-12-16 15:53 . 2012-12-16 15:53    63488    ----a-w-    c:\windows\SysWow64\tdc.ocx
2012-12-16 15:53 . 2012-12-16 15:53    48640    ----a-w-    c:\windows\SysWow64\mshtmler.dll
2012-12-16 15:53 . 2012-12-16 15:53    367104    ----a-w-    c:\windows\SysWow64\html.iec
2012-12-16 15:53 . 2012-12-16 15:53    23552    ----a-w-    c:\windows\SysWow64\licmgr10.dll
2012-12-16 15:53 . 2012-12-16 15:53    152064    ----a-w-    c:\windows\SysWow64\wextract.exe
2012-12-16 15:53 . 2012-12-16 15:53    110592    ----a-w-    c:\windows\SysWow64\IEAdvpack.dll
2012-12-16 15:53 . 2012-12-16 15:53    150528    ----a-w-    c:\windows\SysWow64\iexpress.exe
2012-12-16 15:53 . 2012-12-16 15:53    89088    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2012-12-16 15:53 . 2012-12-16 15:53    35840    ----a-w-    c:\windows\SysWow64\imgutil.dll
2012-12-16 15:53 . 2012-12-16 15:53    222208    ----a-w-    c:\windows\system32\msls31.dll
2012-12-16 15:53 . 2012-12-16 15:53    11776    ----a-w-    c:\windows\SysWow64\mshta.exe
2012-12-16 15:53 . 2012-12-16 15:53    101888    ----a-w-    c:\windows\SysWow64\admparse.dll
2012-12-16 15:53 . 2012-12-16 15:53    197120    ----a-w-    c:\windows\system32\msrating.dll
2012-12-16 15:53 . 2012-12-16 15:53    91648    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2012-12-16 15:53 . 2012-12-16 15:53    65024    ----a-w-    c:\windows\system32\pngfilt.dll
2012-12-16 15:53 . 2012-12-16 15:53    55296    ----a-w-    c:\windows\system32\msfeedsbs.dll
2012-12-16 15:53 . 2012-12-16 15:53    49664    ----a-w-    c:\windows\system32\imgutil.dll
2012-12-16 15:53 . 2012-12-16 15:53    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2012-12-16 15:53 . 2012-12-16 15:53    267776    ----a-w-    c:\windows\system32\ieaksie.dll
2012-12-16 15:53 . 2012-12-16 15:53    163840    ----a-w-    c:\windows\system32\ieakui.dll
2012-12-16 15:53 . 2012-12-16 15:53    160256    ----a-w-    c:\windows\system32\ieakeng.dll
2012-12-16 15:53 . 2012-12-16 15:53    149504    ----a-w-    c:\windows\system32\occache.dll
2012-12-16 15:53 . 2012-12-16 15:53    145920    ----a-w-    c:\windows\system32\iepeers.dll
2012-12-16 15:53 . 2012-12-16 15:53    135168    ----a-w-    c:\windows\system32\IEAdvpack.dll
2012-12-16 15:53 . 2012-12-16 15:53    12288    ----a-w-    c:\windows\system32\mshta.exe
2012-12-16 15:53 . 2012-12-16 15:53    114176    ----a-w-    c:\windows\system32\admparse.dll
2012-12-16 15:53 . 2012-12-16 15:53    111616    ----a-w-    c:\windows\system32\iesysprep.dll
2012-12-16 15:53 . 2012-12-16 15:53    10752    ----a-w-    c:\windows\system32\msfeedssync.exe
2012-12-16 15:53 . 2012-12-16 15:53    76800    ----a-w-    c:\windows\system32\tdc.ocx
2012-12-16 15:53 . 2012-12-16 15:53    452608    ----a-w-    c:\windows\system32\dxtmsft.dll
2012-12-16 15:53 . 2012-12-16 15:53    448512    ----a-w-    c:\windows\system32\html.iec
2012-12-16 15:53 . 2012-12-16 15:53    282112    ----a-w-    c:\windows\system32\dxtrans.dll
2012-12-16 15:53 . 2012-12-16 15:53    3695416    ----a-w-    c:\windows\system32\ieapfltr.dat
2012-12-16 15:53 . 2012-12-16 15:53    534528    ----a-w-    c:\windows\system32\ieapfltr.dll
2012-12-16 15:53 . 2012-12-16 15:53    89088    ----a-w-    c:\windows\system32\ie4uinit.exe
2012-12-16 15:53 . 2012-12-16 15:53    85504    ----a-w-    c:\windows\system32\iesetup.dll
2012-12-16 15:53 . 2012-12-16 15:53    82432    ----a-w-    c:\windows\system32\icardie.dll
2012-12-16 15:53 . 2012-12-16 15:53    403248    ----a-w-    c:\windows\system32\iedkcs32.dll
2012-12-16 15:53 . 2012-12-16 15:53    39936    ----a-w-    c:\windows\system32\iernonce.dll
2012-12-16 15:53 . 2012-12-16 15:53    30720    ----a-w-    c:\windows\system32\licmgr10.dll
2012-12-16 15:53 . 2012-12-16 15:53    249344    ----a-w-    c:\windows\system32\webcheck.dll
2012-12-16 15:53 . 2012-12-16 15:53    103936    ----a-w-    c:\windows\system32\inseng.dll
2012-12-16 15:53 . 2012-12-16 15:53    165888    ----a-w-    c:\windows\system32\iexpress.exe
2012-12-16 15:53 . 2012-12-16 15:53    160256    ----a-w-    c:\windows\system32\wextract.exe
2012-12-16 15:53 . 2012-12-16 15:53    108008    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2012-12-16 15:53 . 2012-12-16 15:53    289768    ----a-w-    c:\windows\system32\javaws.exe
2012-12-16 15:53 . 2012-12-16 15:53    189416    ----a-w-    c:\windows\system32\javaw.exe
2012-12-16 15:53 . 2012-12-16 15:53    188904    ----a-w-    c:\windows\system32\java.exe
2012-12-16 15:53 . 2012-12-16 14:45    916456    ----a-w-    c:\windows\system32\deployJava1.dll
2012-12-16 15:53 . 2012-12-16 14:45    1034216    ----a-w-    c:\windows\system32\npDeployJava1.dll
2012-12-16 14:45 . 2012-12-21 10:01    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:01    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 10:01    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-14 11:19 . 2012-12-29 13:43    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-13 21:12 . 2012-12-13 21:12    9728    ----a-w-    c:\windows\system32\IGFXDEVLib.dll
2012-12-13 21:12 . 2012-12-13 21:12    437760    ----a-w-    c:\windows\system32\igfxrnor.lrc
2012-12-13 21:12 . 2012-12-13 21:12    384512    ----a-w-    c:\windows\system32\igfxpph.dll
2012-12-13 21:12 . 2012-12-13 21:12    12615680    ----a-w-    c:\windows\system32\igdumd64.dll
2012-12-13 21:12 . 2012-12-16 13:09    64000    ----a-w-    c:\windows\system32\igfxsrvc.dll
2012-12-13 21:12 . 2012-12-16 13:09    110592    ----a-w-    c:\windows\system32\hccutils.dll
2012-12-13 21:12 . 2012-12-13 21:12    64512    ----a-w-    c:\windows\SysWow64\igdde32.dll
2012-12-13 21:12 . 2012-12-13 21:12    440320    ----a-w-    c:\windows\system32\igfxrell.lrc
2012-12-13 21:12 . 2012-12-13 21:12    437760    ----a-w-    c:\windows\system32\igfxrptb.lrc
2012-12-13 21:12 . 2012-12-13 21:12    437248    ----a-w-    c:\windows\system32\igfxrtha.lrc
2012-12-13 21:12 . 2012-12-13 21:12    435712    ----a-w-    c:\windows\system32\igfxrheb.lrc
2012-12-13 21:12 . 2012-12-13 21:12    435712    ----a-w-    c:\windows\system32\igfxrara.lrc
2012-12-13 21:12 . 2012-12-13 21:12    431104    ----a-w-    c:\windows\system32\igfxrkor.lrc
2012-12-13 21:12 . 2012-12-13 21:12    429056    ----a-w-    c:\windows\system32\igfxrcht.lrc
2012-12-13 21:12 . 2012-12-13 21:12    330752    ----a-w-    c:\windows\SysWow64\igfxdv32.dll
2012-12-13 21:12 . 2012-12-13 21:12    28672    ----a-w-    c:\windows\system32\igfxexps.dll
2012-12-13 21:12 . 2012-10-09 20:52    11174912    ----a-w-    c:\windows\SysWow64\igd10umd32.dll
2012-12-13 21:12 . 2012-12-13 21:12    640512    ----a-w-    c:\windows\SysWow64\igfxcmrt32.dll
2012-12-13 21:12 . 2012-12-13 21:12    512112    ----a-w-    c:\windows\system32\igfxsrvc.exe
2012-12-13 21:12 . 2012-12-13 21:12    438784    ----a-w-    c:\windows\system32\igfxrnld.lrc
2012-12-13 21:12 . 2012-12-13 21:12    438784    ----a-w-    c:\windows\system32\igfxrdeu.lrc
2012-12-13 21:12 . 2012-12-13 21:12    3121152    ----a-w-    c:\windows\SysWow64\igfxcmjit32.dll
2012-12-13 21:12 . 2012-12-13 21:12    255088    ----a-w-    c:\windows\system32\igfxext.exe
2012-12-13 21:12 . 2012-12-13 21:12    13030400    ----a-w-    c:\windows\system32\ig4icd64.dll
2012-12-13 21:12 . 2012-12-16 13:09    12858368    ----a-w-    c:\windows\system32\igd10umd64.dll
2012-12-13 21:12 . 2012-12-13 21:12    9007616    ----a-w-    c:\windows\system32\igfxress.dll
2012-12-13 21:12 . 2012-12-13 21:12    483840    ----a-w-    c:\windows\system32\igfx11cmrt64.dll
2012-12-13 21:12 . 2012-12-13 21:12    439808    ----a-w-    c:\windows\system32\igfxresn.lrc
2012-12-13 21:12 . 2012-12-13 21:12    437760    ----a-w-    c:\windows\system32\igfxrtrk.lrc
2012-12-13 21:12 . 2012-12-13 21:12    428544    ----a-w-    c:\windows\system32\igfxrchs.lrc
2012-12-13 21:12 . 2012-12-13 21:12    80384    ----a-w-    c:\windows\system32\igdde64.dll
2012-12-13 21:12 . 2012-12-13 21:12    459264    ----a-w-    c:\windows\SysWow64\igfx11cmrt32.dll
2012-12-13 21:12 . 2012-12-13 21:12    439296    ----a-w-    c:\windows\system32\igfxrrus.lrc
2012-12-13 21:12 . 2012-12-13 21:12    438784    ----a-w-    c:\windows\system32\igfxrptg.lrc
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 318520]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-13 283160]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
c:\users\A Avinesh Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
86fa.js [2013-3-1 47437]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-02-06 102936]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [x]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [x]
R3 huawei_wwanecm;huawei_wwanecm;c:\windows\system32\DRIVERS\ew_juwwanecm.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-02-27 36680]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-02-06 203544]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-17 68440]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-12-19 1255736]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [2012-11-13 14544]
S0 SMR311;Symantec SMR Utility Service 3.1.1;c:\windows\System32\drivers\SMR311.SYS [2013-02-27 95392]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1402010.016\SYMDS64.SYS [2012-10-04 493216]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1402010.016\SYMEFA64.SYS [2012-10-04 1133216]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130208.001\BHDrvx64.sys [2013-02-07 1388120]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1402010.016\ccSetx64.sys [2012-08-20 168096]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130227.001\IDSvia64.sys [2013-02-26 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1402010.016\Ironx64.SYS [2012-09-07 224416]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1402010.016\SYMNETS.SYS [2012-09-07 432800]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 IaStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-13 13336]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-28 1817088]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [2012-12-05 143928]
S2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [2013-01-14 230416]
S2 NuTCRACKERService;NuTCRACKER Service;c:\windows\SysWOW64\nutsrv4.exe [2001-01-02 277272]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-31 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-18 138912]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-05 436840]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-03-02 1142376]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1633803546-3914405238-1997943089-1000Core.job
- c:\users\A Avinesh Benjamin\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-22 14:56]
.
2013-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1633803546-3914405238-1997943089-1000UA.job
- c:\users\A Avinesh Benjamin\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-22 14:56]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-13 441968]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.42.129
TCP: Interfaces\{8FAE3489-E4A7-441A-9CBD-8C4FC0A8E17A}\14E64627F69646140553532393: NameServer = 208.67.220.222,208.67.222.220
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.2.1.22\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{6EF568F4-D437-4466-AA63-A3645136D93E}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{6EF568F4-D437-4466-AA63-A3645136D93E}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{6EF568F4-D437-4466-AA63-A3645136D93E}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-01  13:43:04
ComboFix-quarantined-files.txt  2013-03-01 08:13
ComboFix2.txt  2013-03-01 07:55
.
Pre-Run: 129,174,421,504 bytes free
Post-Run: 129,141,075,968 bytes free
.
- - End Of File - - 2B9A22EFA0A2772CCB56AEF3CDAC758D
 
 
 
Did this after terminating wscript.exe.

wscript.exe is still running.

Midou

#14 midou1994 (Topic Starter)

Posted 01 March 2013 - 03:58 AM

Hi, I deleted the c6 and c7 folders and deleted the startup file in safe mode. wscript.exe no longer starts, but an instance of rundll32.exe is running for no reason.


Midou

#15 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 01 March 2013 - 08:55 AM

The rundll32.exe process is responsible for running DLLs and placing its libraries in memory.

It may be required by other programs.

What other issues are pending?
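Because rundll32.exe and wscript.exe are legitimate Windows hosts, the process name alone tells you nothing; what matters is the DLL (and export) or the script file each instance was started with, and which startup entry launched it. The following PowerShell snippet is an added example for readers of this thread, not code posted by nasdaq or midou1994; it assumes a Windows machine with PowerShell 2.0 or later and an elevated prompt, and it only reads process and registry information (it changes nothing). The `wscript|rundll32|\.js\b` pattern is a constructed filter chosen to match the symptoms described in this thread.

```powershell
# Added example (not from the thread). Part 1: list every running rundll32.exe
# and wscript.exe instance with its full command line and its parent process,
# so the DLL/export or script each host is actually executing is visible.
$hosts = Get-WmiObject Win32_Process -Filter "Name='rundll32.exe' OR Name='wscript.exe'"
foreach ($p in $hosts) {
    # Parent lookup can fail if the launcher already exited (common for malware droppers).
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Name        = $p.Name
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        CommandLine = $p.CommandLine   # e.g. rundll32.exe <dll>,<export> or wscript.exe <script>
    } | Format-List
}

# Part 2: scan the usual logon autostart locations for entries that invoke
# wscript/rundll32 or reference a .js file. Paths here are the standard
# Run-key locations; the filter regex is a constructed example.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match 'wscript|rundll32|\.js\b' } |
        ForEach-Object { "$k : $($_.Name) = $($_.Value)" }
}

# Part 3: the per-user Startup folder, where the stray .js files from the
# first post would have been dropped.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

A rundll32.exe whose command line names a DLL under a user-writable path (AppData, Temp, the user profile) or a wscript.exe whose argument is a .js/.vbs file in the Startup folder is the kind of entry worth checking against the ComboFix log above before removing it; an instance with an empty command line and an exited parent is also worth noting, since legitimate callers normally pass a DLL and export name.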





