Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Am I infected? Combofix log


  • This topic is locked This topic is locked
5 replies to this topic

#1 bcnv

bcnv

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 01 March 2013 - 11:35 PM

I disabled Remote Desktop Services via msconfig from day 0 of my Windows reinstallation months ago, but something on my computer appeared to have re-enabled it, and even set it to "automatic startup," based on my Services.msc settings.

 

In addition, I am seeing network traffic (Wireshark) of several foreign IPs on my laptop.  Kaspersky claims they are theirs, but there are about 15 IPs.  I see IPs from similar subnets trying to do inbound sessions on my router firewall through port 3389 (remote desktop) and port 22 (SSH).

 

A GMER scan on this laptop was negative for rootkits (but did show alterations on my other laptop, which I'll post separately). Pasted below is my Combofix scan.  Can someone please let me know if there's anything suspect and/or how to interpret this?  Any other suggestions before I reinstall Windows this weekend?  Thanks!

 

ComboFix 13-02-23.01 - Michael 02/23/2013  17:56:04.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4044.2323 [GMT -6:00]
Running from: c:\users\Michael\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
FW: Kaspersky Internet Security *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
SP: Kaspersky Internet Security *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Coupon Companion Plugin\CoUPon companion plugin.dll
c:\program files (x86)\Windows Live\Messenger\msacm32.dll
c:\users\Mike\g2mdlhlpx.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-24 to 2013-02-24  )))))))))))))))))))))))))))))))
.
.
2013-02-24 00:00 . 2013-02-24 00:00    --------    d-----w-    c:\users\Michael\AppData\Local\temp
2013-02-24 00:00 . 2013-02-24 00:00    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-23 23:47 . 2013-02-23 23:47    --------    d-----w-    c:\users\Mike\AppData\Roaming\Iminent
2013-02-23 23:47 . 2013-02-23 23:47    --------    d-----w-    c:\programdata\Iminent
2013-02-23 23:47 . 2013-02-23 23:47    --------    d-----w-    c:\program files (x86)\Common Files\Umbrella
2013-02-23 23:47 . 2013-02-23 23:47    --------    d-----w-    c:\program files (x86)\Iminent
2013-02-23 23:47 . 2013-02-23 23:47    --------    d-----w-    c:\users\Michael\AppData\Local\Coupon Companion Plugin
2013-02-23 23:47 . 2013-02-23 23:47    --------    d-----w-    c:\users\Michael\AppData\Local\Updater21804
2013-02-23 23:46 . 2013-02-24 00:00    --------    d-----w-    c:\program files (x86)\Coupon Companion Plugin
2013-02-23 23:03 . 2013-02-23 23:03    388096    ----a-r-    c:\users\Michael\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-23 21:13 . 2013-02-23 21:13    388096    ----a-r-    c:\users\Mike\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-23 21:13 . 2013-02-23 21:13    --------    d-----w-    c:\program files (x86)\Trend Micro
2013-02-23 07:52 . 2013-02-23 07:52    --------    d-----w-    c:\users\Mike\AppData\Roaming\Nitro
2013-02-23 07:52 . 2013-02-23 07:52    --------    d-----w-    c:\users\Mike\AppData\Roaming\FileOpen
2013-02-23 07:50 . 2013-02-23 07:50    --------    d-----w-    c:\users\Michael\AppData\Roaming\Nitro
2013-02-23 07:50 . 2013-02-23 07:50    --------    d-----w-    c:\users\Michael\AppData\Roaming\FileOpen
2013-02-23 07:50 . 2013-02-23 07:50    --------    d-----w-    c:\programdata\FileOpen
2013-02-23 07:50 . 2012-10-31 01:10    17936    ----a-w-    c:\windows\system32\nitrolocalui2.dll
2013-02-23 07:50 . 2012-10-31 01:10    29712    ----a-w-    c:\windows\system32\nitrolocalmon2.dll
2013-02-23 07:49 . 2013-02-23 07:49    --------    d-----w-    c:\program files\Common Files\Nitro
2013-02-23 07:49 . 2013-02-23 07:49    --------    d-----w-    c:\programdata\Nitro
2013-02-23 07:49 . 2013-02-23 07:49    --------    d-----w-    c:\program files (x86)\Nitro
2013-02-23 07:49 . 2013-02-23 07:49    --------    d-----w-    c:\program files (x86)\Common Files\Nitro
2013-02-23 07:49 . 2013-02-23 07:53    --------    d-----w-    c:\users\Mike\AppData\Roaming\PrimoPDF
2013-02-23 07:49 . 2013-02-08 00:28    9162192    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C46C735-35D9-4724-AE52-7BE24445BDA1}\mpengine.dll
2013-02-23 07:48 . 2013-02-23 07:48    --------    d-----w-    c:\users\Michael\AppData\Roaming\OpenCandy
2013-02-23 07:48 . 2011-02-28 22:37    95008    ----a-w-    c:\windows\system32\Primomonnt.dll
2013-02-23 07:48 . 2013-02-23 07:48    --------    d-----w-    c:\program files (x86)\Nitro PDF
2013-02-21 07:56 . 2013-02-21 07:56    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-21 07:56 . 2013-02-21 07:56    --------    d-----w-    c:\program files (x86)\Java
2013-02-21 06:55 . 2013-02-08 00:28    9162192    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-02-19 06:34 . 2013-02-19 06:34    --------    d-----w-    c:\users\Michael\AppData\Roaming\Symantec
2013-02-13 22:35 . 2013-02-13 22:35    972264    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BFE9642F-F629-420D-ACAE-DEB2489D31E5}\gapaengine.dll
2013-02-13 22:31 . 2013-02-14 23:07    --------    d-----w-    c:\program files (x86)\Microsoft Security Client
2013-02-13 22:31 . 2013-02-14 23:07    --------    d-----w-    c:\program files\Microsoft Security Client
2013-02-13 22:14 . 2012-08-23 15:09    3072    ----a-w-    c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2013-02-13 22:14 . 2012-08-23 13:41    13312    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2013-02-13 22:14 . 2012-08-23 13:40    13312    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2013-02-13 22:14 . 2012-08-23 13:24    15360    ----a-w-    c:\windows\system32\RdpGroupPolicyExtension.dll
2013-02-13 22:14 . 2012-08-23 14:10    19456    ----a-w-    c:\windows\system32\drivers\rdpvideominiport.sys
2013-02-13 22:14 . 2012-08-23 14:08    30208    ----a-w-    c:\windows\system32\drivers\TsUsbGD.sys
2013-02-13 22:14 . 2012-08-23 14:07    57856    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2013-02-13 09:03 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 09:03 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 01:24 . 2013-01-05 05:53    5553512    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-13 01:24 . 2013-01-05 05:00    3967848    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 01:24 . 2013-01-05 05:00    3913064    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 01:24 . 2013-01-04 03:26    3153408    ----a-w-    c:\windows\system32\win32k.sys
2013-02-13 01:24 . 2013-01-04 05:46    215040    ----a-w-    c:\windows\system32\winsrv.dll
2013-02-13 01:24 . 2013-01-04 04:51    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2013-02-13 01:24 . 2013-01-04 02:47    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2013-02-13 01:24 . 2013-01-04 02:47    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2013-02-13 01:24 . 2013-01-04 02:47    2048    ----a-w-    c:\windows\SysWow64\user.exe
2013-02-13 01:24 . 2013-01-04 02:47    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2013-02-13 01:23 . 2013-01-03 06:00    1913192    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-13 01:23 . 2013-01-03 06:00    288088    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-12 19:11 . 2013-02-12 19:11    --------    d-----w-    c:\users\Michael\AppData\Local\AuthenTec
2013-02-12 17:23 . 2012-05-25 18:14    57976    ----a-w-    c:\windows\system32\drivers\SBREDrv.sys
2013-02-12 17:23 . 2012-05-25 18:14    45936    ----a-w-    c:\windows\system32\sbbd.exe
2013-02-12 17:16 . 2013-02-12 18:17    --------    d-----w-    C:\VIPRERESCUE
2013-02-12 17:13 . 2013-02-12 17:16    --------    d-----w-    c:\program files (x86)\stinger
2013-02-12 17:05 . 2013-02-12 17:05    --------    d-----w-    c:\programdata\IObit
2013-02-12 17:05 . 2013-02-12 17:05    --------    d-----w-    c:\users\Michael\AppData\Roaming\IObit
2013-02-12 17:05 . 2013-02-12 17:05    --------    d-----w-    c:\program files (x86)\IObit
2013-02-12 16:59 . 2013-02-13 22:22    --------    d-----w-    c:\programdata\HitmanPro
2013-02-06 09:05 . 2013-02-06 09:05    --------    d-----w-    c:\programdata\Colasoft Capsa 7 Free
2013-02-06 09:01 . 2013-02-06 09:01    --------    d-----w-    c:\users\Michael\AppData\Roaming\Colasoft MAC Scanner
2013-02-06 09:01 . 2013-02-06 09:01    --------    d-----w-    c:\program files (x86)\Common Files\Colasoft Shared
2013-02-06 09:01 . 2013-02-06 09:01    --------    d-----w-    c:\users\Michael\AppData\Roaming\Colasoft Capsa 7 - Free Edition
2013-02-06 08:59 . 2012-10-24 20:49    34840    ----a-w-    c:\windows\system32\drivers\CSN5PDTS82x64.sys
2013-02-06 08:59 . 2013-02-06 09:05    --------    d-----w-    c:\program files (x86)\Colasoft Capsa 7 Free Edition
2013-02-06 02:14 . 2013-02-01 18:22    262552    ----a-w-    c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-21 07:56 . 2012-11-14 09:11    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-02-21 07:56 . 2012-11-14 09:11    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-02-13 09:06 . 2012-04-26 05:45    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-02-12 20:37 . 2012-04-27 07:44    697712    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-12 20:37 . 2011-10-18 00:39    74096    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-30 10:53 . 2010-11-21 03:27    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-20 21:59 . 2013-01-20 21:59    230320    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-01-20 21:59 . 2013-01-20 21:59    130008    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-04 04:43 . 2013-02-13 01:24    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2012-12-16 21:18 . 2012-12-16 21:18    77004    ----a-w-    c:\windows\SysWow64\drivers\AFS.SYS
2012-12-16 21:08 . 2012-12-16 21:08    1409    ----a-w-    c:\windows\SysWow64\tmp53515.FOT
2012-12-16 21:08 . 2012-12-16 21:08    1409    ----a-w-    c:\windows\SysWow64\tmp52515.FOT
2012-12-16 21:08 . 2012-12-16 21:08    1409    ----a-w-    c:\windows\SysWow64\tmp46515.FOT
2012-12-16 21:08 . 2012-12-16 21:08    1409    ----a-w-    c:\windows\SysWow64\tmp45515.FOT
2012-12-16 21:08 . 2012-12-16 21:08    1409    ----a-w-    c:\windows\SysWow64\tmp38515.FOT
2012-12-16 21:08 . 2012-12-16 21:08    1409    ----a-w-    c:\windows\SysWow64\tmp29515.FOT
2012-12-16 17:11 . 2012-12-20 19:34    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-20 19:34    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-20 19:34    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-20 19:34    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-07 13:20 . 2013-01-09 14:20    441856    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 14:20    2746368    ----a-w-    c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 14:20    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 14:20    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 14:20    30720    ----a-w-    c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 14:20    43520    ----a-w-    c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 14:20    23552    ----a-w-    c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 14:20    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 14:20    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 14:20    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 14:20    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 14:20    20480    ----a-w-    c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 14:20    46592    ----a-w-    c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 14:20    40960    ----a-w-    c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 14:20    21504    ----a-w-    c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 14:20    15360    ----a-w-    c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 14:20    55296    ----a-w-    c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 14:20    51712    ----a-w-    c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 14:20    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 14:20    30720    ----a-w-    c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 14:20    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 14:20    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 14:20    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 14:20    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 14:20    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 14:20    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 14:20    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 14:20    21504    ----a-w-    c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 14:20    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 14:20    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 14:20    55296    ----a-w-    c:\windows\SysWow64\cero.rs
2012-12-07 10:46 . 2013-01-09 14:20    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
2012-11-30 05:45 . 2013-01-09 14:19    362496    ----a-w-    c:\windows\system32\wow64win.dll
2012-11-30 05:45 . 2013-01-09 14:19    243200    ----a-w-    c:\windows\system32\wow64.dll
2012-11-30 05:45 . 2013-01-09 14:19    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2012-11-30 05:43 . 2013-01-09 14:19    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2012-11-30 05:41 . 2013-01-09 14:19    424448    ----a-w-    c:\windows\system32\KernelBase.dll
2012-11-30 05:41 . 2013-01-09 14:19    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2012-11-30 05:38 . 2013-01-09 14:19    6144    ---ha-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    5120    ---ha-w-    c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 04:53 . 2013-01-09 14:19    274944    ----a-w-    c:\windows\SysWow64\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    4608    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 14:19    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner64.exe" [2012-10-24 5435744]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HPQuickWebProxy"="c:\program files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2011-10-08 169528]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"Share-to-Web Namespace Daemon"="c:\program files (x86)\Hewlett-Packard Scanner\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Iminent"="c:\program files (x86)\Iminent\Iminent.exe" [2013-01-25 1074736]
"IminentMessenger"="c:\program files (x86)\Iminent\Iminent.Messengers.exe" [2013-01-25 884784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 AFS;AFS; [x]
R1 CSN5PDTS82;CSN5PDTS82 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-08-29 339048]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-26 1255736]
R4 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82x64.sys [2012-10-24 34840]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2012-08-02 28504]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys [2012-11-14 54104]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys [2012-08-13 178008]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2012-05-25 57976]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2012-10-27 237400]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2012-10-27 119640]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2012\TrueSuiteService.exe [2011-08-26 260424]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-10 86072]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2012-03-14 197504]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-03-05 35200]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-08-29 2424424]
S2 IMFservice;IMF Service;c:\program files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [2012-01-10 821592]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
S2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [2012-10-31 230416]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
S2 SProtection;SProtection;c:\program files (x86)\Common Files\Umbrella\umbrella.exe [2013-01-25 2663976]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-22 2656280]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys [2012-10-25 29016]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2012-10-25 29528]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-07-19 1145448]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2012-10-27 131416]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2012-10-27 146264]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PROCEXP152
*Deregistered* - PROCEXP152
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-06 00:49    1607120    ----a-w-    c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 20:37]
.
2013-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-14 08:44]
.
2013-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-14 08:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-08-15 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-08-15 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-08-15 416024]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-09-08 1424896]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.100.254
FF - ProfilePath - c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\t0xcjedz.default\
FF - ExtSQL: 2013-02-23 17:46; extension21804@extension21804.com; c:\users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\t0xcjedz.default\extensions\extension21804@extension21804.com
FF - ExtSQL: 2013-02-23 17:47; webbooster@iminent.com; c:\program files (x86)\Iminent\webbooster@iminent.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{11111111-1111-1111-1111-110211181104} - c:\program files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-08129408.sys
HKLM_Wow6432Node-ActiveSetup-{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} - msiexec
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2518870 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2572078 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2604121 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2633870 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2656351 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2656368 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2656368v2 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2656405 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2686827 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2729449 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2737019 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2742595 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
AddRemove-{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2789642 - c:\windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-23  18:04:00
ComboFix-quarantined-files.txt  2013-02-24 00:04
.
Pre-Run: 406,305,628,160 bytes free
Post-Run: 406,759,145,472 bytes free
.
- - End Of File - - 9E4CC36C373C085CC6FB38B61B0D84AC
 

Attached Files



BC AdBot (Login to Remove)

 


#2 bcnv

bcnv
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 02 March 2013 - 02:30 PM

Any insights or suggestions?  Please help... Thanks



#3 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:08:40 PM

Posted 04 March 2013 - 03:30 PM

Greetings bcnv and Welcome to the forums,

 

A couple things of note...first, I'd like to ask the color code of these "suspect" wireshark entries. I should also point out that you have both Microsoft Security Essentials and Kaspersky Internet Security installed. Actually, and quite frankly, for home users, Windows 7 built-in firewall along with Microsoft Security Essentials is just fine. However, if you spent money for the Kaspersky suite (as it is quite expensive) then I would keep that until it expires and uninstall MSE. At any rate, one of them needs to go.

 

I might also point out that running combofix on your own implies to us that you KNOW what you are doing since the disclaimer is rather simple and easy to understand. If, however, you don't then I'd like to see the other three combofix logs. You did take note, did you not, that combofix removed a file (in the log you posted) that is related to the program "GoToMeeting"? Installation of this program is WHY you found your remote desktop settings changed to automatic.

 

Anyway... along with the three other combofix logs, would you navigate to the qoobox folder and open the Add-Remove Programs.txt file? Copy it's contents and post them here on your next reply. Thanks!


Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#4 bcnv

bcnv
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:40 PM

Posted 04 March 2013 - 04:08 PM

The color code of the suspect Wireshark entries was mostly grey.  There may have been one that was green also.  What does grey vs green mean?

 

I initially only had KIS installed, and then when the Microsoft store scanned my machine 2 weeks ago, they added MSE (without my permission).  After that, I decided to keep it temporarily for now, and I deactivated KIS from starting up (via msconfig).  I did notice less strange IP traffic upon doing that.

 

yes, I saw GoToMeeting in the control panel, but the installation date was late November, which was much later than my initial Windows reinstall of 4/25/12, which is when the RDS events started. In any case, that program supposedly doesn't use RDS per se.

 

Unfortunately, I can't send the Add-Remove.txt file because it's no longer on my HD, because I needed to clean the network, so I went ahead and reinstalled the laptop again last night. Since then, RDS has stayed at "manual" in my Services, but we'll see...

 

But I still appreciate your reply and any other thoughts.  Thanks.



#5 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:08:40 PM

Posted 04 March 2013 - 04:20 PM

I'm only familiar with the color codes green, blue and black...to my knowledge, those are the only color codes used in wireshark. Green represents tcp traffic, dark blue is dns traffic, light blue, udp and black represents tcp packets with problems.

 

By the way, it makes no difference WHEN GoToMeeting was installed...the fact that it is can create a tunnel for some kid with time on his hands, to hack the password and take over your system. It's now a moot point though since you have already reinstalled the system once more.

 

For now, we will consider this a closed/resolved issue. Come see us again if the need arrises.

 

Warm regards,

vet


Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#6 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:08:40 PM

Posted 04 March 2013 - 04:23 PM

This issue appears resolved by the member, from having reinstalled the operating system.

This thread is closed to prevent others from posting here.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users