Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with a Flash / USB Drive Virus


  • This topic is locked This topic is locked
31 replies to this topic

#1 CanRaps

CanRaps

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:27 AM

Posted 09 April 2013 - 11:00 AM

Hello,

 

Yesterday one of the colleagues at work plugged a flash drive to a PC that was infected with virus. What the virus did to to usb drive was:

 

Put all the files-folders of usb drive into an unnamed folder in usb drive itself and embed that with virus so that If the user had to retrieve files in Windows environment then the computer gets infected. Thanks to smart colleague, he did the same in order to reach the files. After he understood he was infected he asked for my help.

 

Because i was a little experienced in this subject. I ran some tools like Hijackthis and noticed the virus was running a com file, I have restart the PC in command prompt with safe mode enabled and was succeeded to delete that file. So it seems that the pc is not spreading any viruses to other usb drives. But the thing is although i remove the line from Registry using hijackthis it keeps being re added and its a sign of somehow some malicious thing is present in pc and i cant find it.

 

So I'm here looking for help. I've read the posting tutorial. I won't be able to reply rightaway to any requests from admins/moderators so please be patient with me. Thanks for your patience.

 

* I replaced computer name with TTTTTTT in order to keep it conf.

 

And here is the dds.txt paste and the attachment is ready:

 

 

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514
Run by TTTTTTT at 18:47:54 on 2013-04-09
Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.2047.1238 [GMT 3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\hasplms.exe
C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe
C:\Windows\SysWOW64\NLSSRV32.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\sppsvc.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.tr/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mExplorerRun: [49674] C:\PROGRA~3\LOCALS~1\Temp\msacysuzy.exe
StartupFolder: C:\Users\TTTTTTTTT\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{13BD49FE-6000-4336-9372-0DA1DC42331A} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 aksdf;aksdf;C:\Windows\System32\drivers\aksdf.sys [2012-5-5 75648]
R2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2012-4-16 21992]
R2 hasplms;Sentinel HASP License Manager;C:\Windows\System32\hasplms.exe  -run --> C:\Windows\System32\hasplms.exe  -run [?]
R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-3-22 204296]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2012-3-22 69640]
R2 Sentinel64;Sentinel64;C:\Windows\System32\drivers\sentinel64.sys [2012-4-23 145448]
R3 RTL8167;Realtek 8167 NT Sürücüsü;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-4-17 1431888]
S3 SNTUSB64;SafeNet USB SuperPro/UltraPro/HardwareKey;C:\Windows\System32\drivers\SNTUSB64.SYS [2010-10-20 59048]
S3 StorSvc;Depolama Hizmeti;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADLTScriptFile=C:\Windows\System32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2013-04-09 05:53:28 0 ----a-w- C:\Windows\SysWow64\w7ddzvk.dll
2013-04-08 15:52:10 -------- d-sh--w- C:\$RECYCLE.BIN
2013-04-08 15:26:40 98816 ----a-w- C:\Windows\sed.exe
2013-04-08 15:26:40 256000 ----a-w- C:\Windows\PEV.exe
2013-04-08 15:26:40 208896 ----a-w- C:\Windows\MBR.exe
2013-04-08 06:19:10 -------- d-----w- C:\Temp
.
==================== Find3M  ====================
.
2013-04-09 08:35:06 100 ----a-w- C:\Windows\SysWow64\prsgrc.dll
2013-03-13 08:52:49 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-13 08:52:49 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 18:48:17.07 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:27 AM

Posted 09 April 2013 - 02:11 PM

Hello and welcome to BleepingComputer! 
 
 
 
I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce. 
 
 
As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us. 
 
If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature). 
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.
 
 
 
Please generate other DDS logs (download it from here if you haven't already) and post them in your next reply along with other changes that may have occured since you last posted.
Also download and run GMER from this link:http://www.gmer.net/gmer.zip
 
 
 
Thank you very much for your patience. 
 
 
 
 
Regards,
 
Elle

Edited by Blind Faith, 09 April 2013 - 02:13 PM.

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 CanRaps

CanRaps
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:27 AM

Posted 10 April 2013 - 04:22 AM

Thank you very much for your assistance Elle. I will re run dds and paste dds.txt and attach attach.txt and i will also paste gmer log output. 

One problem is that its work PC and it has to be used through day, but the colleague is not doing anything virus related.

 

* Also like ive said the Pc name has been changed to TTTTTTTT

 

 

--------------------------------------------------------------------------------------

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.17.2
Run by TTTTTTT at 12:15:51 on 2013-04-10
Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.2047.1218 [GMT 3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\hasplms.exe
C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe
C:\Windows\SysWOW64\NLSSRV32.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TTTTTTT\AppData\Local\Google\Chrome\Application\chrome.exe
\\TTTTTTTTT\paylaşim klasörü\CAN\Anti-Virus Recovery Tools\dds.com
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.tr/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mExplorerRun: [49674] C:\PROGRA~3\LOCALS~1\Temp\msacysuzy.exe
StartupFolder: C:\Users\TTTTTTTT\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{13BD49FE-6000-4336-9372-0DA1DC42331A} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 aksdf;aksdf;C:\Windows\System32\drivers\aksdf.sys [2012-5-5 75648]
R2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-2-2 18656]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2012-4-16 21992]
R2 hasplms;Sentinel HASP License Manager;C:\Windows\System32\hasplms.exe  -run --> C:\Windows\System32\hasplms.exe  -run [?]
R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-3-22 204296]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2012-3-22 69640]
R2 Sentinel64;Sentinel64;C:\Windows\System32\drivers\sentinel64.sys [2012-4-23 145448]
R3 RTL8167;Realtek 8167 NT Sürücüsü;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
R3 SNTUSB64;SafeNet USB SuperPro/UltraPro/HardwareKey;C:\Windows\System32\drivers\SNTUSB64.SYS [2010-10-20 59048]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-4-17 1431888]
S3 StorSvc;Depolama Hizmeti;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADLTScriptFile=C:\Windows\System32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2013-04-09 16:08:53 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-04-09 16:08:48 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-09 05:53:28 0 ----a-w- C:\Windows\SysWow64\w7ddzvk.dll
2013-04-08 15:52:10 -------- d-sh--w- C:\$RECYCLE.BIN
2013-04-08 15:26:40 98816 ----a-w- C:\Windows\sed.exe
2013-04-08 15:26:40 256000 ----a-w- C:\Windows\PEV.exe
2013-04-08 15:26:40 208896 ----a-w- C:\Windows\MBR.exe
2013-04-08 06:19:10 -------- d-----w- C:\Temp
.
==================== Find3M  ====================
.
2013-04-10 07:39:05 100 ----a-w- C:\Windows\SysWow64\prsgrc.dll
2013-04-09 16:08:39 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-13 08:52:49 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-13 08:52:49 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 12:16:10.91 ===============
 
 
 
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-10 12:21:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 ST3320620AS rev.3.AAK 298.09GB
Running: gmer.exe; Driver: C:\Users\TTTTTTTTT\AppData\Local\Temp\ugddipog.sys
 
 
---- Threads - GMER 2.1 ----
 
Thread  C:\Windows\System32\spoolsv.exe [1128:1624]                     000007fef8a510c8
Thread  C:\Windows\System32\spoolsv.exe [1128:1628]                     000007fef8a16144
Thread  C:\Windows\System32\spoolsv.exe [1128:1632]                     000007fef8325fd0
Thread  C:\Windows\System32\spoolsv.exe [1128:1636]                     000007fef8953438
Thread  C:\Windows\System32\spoolsv.exe [1128:1640]                     000007fef83263ec
Thread  C:\Windows\System32\spoolsv.exe [1128:1648]                     000007fef9c85e5c
Thread  C:\Windows\System32\spoolsv.exe [1128:1652]                     000007fef9d35090
Thread  C:\Windows\system32\svchost.exe [1160:1748]                     000007fef81d35c0
Thread  C:\Windows\system32\svchost.exe [1160:2460]                     000007fef81d5600
Thread  C:\Windows\system32\svchost.exe [1160:2532]                     000007fef3fb2888
Thread  C:\Windows\system32\svchost.exe [1160:2548]                     000007fef3fa2940
Thread  C:\Windows\system32\svchost.exe [1160:2096]                     000007fef3fb2a40
Thread  C:\Windows\system32\taskhost.exe [1344:1460]                    000007fef9471f38
Thread  C:\Windows\system32\Dwm.exe [1404:1464]                         000007fef983f0d8
Thread  C:\Windows\system32\Dwm.exe [1404:1468]                         000007fef8d8abf0
Thread  C:\Windows\System32\svchost.exe [2000:1316]                     000007fef6ed9688
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [2664:2948]  000007fefb382ab8
 
---- EOF - GMER 2.1 ----
 
 
 
 

 

 

 

Attached Files



#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:27 AM

Posted 10 April 2013 - 02:13 PM

Hi there,

 

 

The issue is that the system we would be working with belongs to an office, more specific to a company. It is the duty of the tech support to take care of such issues especially since the computer security and work conditions are mostly offered by them.

The infection was not due to your direct implication and therefore I suggest that the best sollution is contacting the tech support at your company. They are familiar with their systems and able to solve this issue properly. 

 

 

 

 

Elle 


Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#5 CanRaps

CanRaps
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:27 AM

Posted 11 April 2013 - 12:52 AM

Hi Elle, This is actually a very small business. Only 4 people work here and we have a boss. No Tech support. If you cannot be able to help me, I require someone elses assistance please.


Edited by CanRaps, 11 April 2013 - 12:55 AM.


#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:27 AM

Posted 11 April 2013 - 04:34 AM

Hi there,

 

Taking into consideration the given circumstance, I will help. :) I understood now.

 

 

 

Please download ComboFix from one of these locations:
 
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.
     

    Query_RC.gif

     
     
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     

    RC_successful.gif

     
     
    Click on Yes, to continue scanning for malware.
     
    When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
     
     
     
     
     
     
     
    Elle 

    Edited by Blind Faith, 11 April 2013 - 04:34 AM.

    Can you hear it?It's all around!

    Tomar ki manè acchè?
    Yadi thakè, tahalè
    Ki kshama kartè paro
    ?



    If I haven't replied in 48 hours, please feel free to send me a PM.



    Posted Image

    #7 CanRaps

    CanRaps
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:05:27 AM

    Posted 11 April 2013 - 10:17 AM

    ComboFix 13-04-10.02 - TTTTTTT 11.04.2013  18:07:30.2.2 - x64
    Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.2047.1218 [GMT 3:00]
    Running from: c:\users\TTTTTTT\Desktop\antivirus\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     * Created a new restore point
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\prsgrc.dll
    c:\windows\SysWow64\w7ddzvk.dll
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-03-11 to 2013-04-11  )))))))))))))))))))))))))))))))
    .
    .
    2013-04-11 15:11 . 2013-04-11 15:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-04-09 16:09 . 2013-04-09 16:09 -------- d-----w- c:\program files (x86)\Common Files\Java
    2013-04-09 16:08 . 2013-04-09 16:08 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2013-04-09 16:08 . 2013-04-09 16:08 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2013-04-09 16:08 . 2013-04-09 16:08 -------- d-----w- c:\program files (x86)\Java
    2013-04-08 06:19 . 2013-04-08 06:19 -------- d-----w- c:\programdata\Local Settings
    2013-04-08 06:19 . 2013-04-08 06:19 -------- d-----w- C:\Temp
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-09 16:08 . 2012-04-16 11:52 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2013-03-13 08:52 . 2012-04-17 06:33 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-03-13 08:52 . 2012-04-17 06:33 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-05-04 12:43 1519272 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-05-04 1561768]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    c:\users\TTTTTTT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-04-17 1431888]
    R3 SNTUSB64;SafeNet USB SuperPro/UltraPro/HardwareKey;c:\windows\system32\DRIVERS\SNTUSB64.SYS [2010-10-20 59048]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    S2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2010-07-27 75648]
    S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-09-21 21992]
    S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe  -run [x]
    S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-03-22 204296]
    S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2012-03-22 69640]
    S2 Sentinel64;Sentinel64;c:\windows\System32\Drivers\Sentinel64.sys [2009-09-17 145448]
    S3 RTL8167;Realtek 8167 NT Sürücüsü;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-11 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 08:52]
    .
    2013-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2994728034-2318738296-3324851195-1000Core.job
    - c:\users\TTTTTTT\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-16 11:40]
    .
    2013-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2994728034-2318738296-3324851195-1000UA.job
    - c:\users\TTTTTTT\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-16 11:40]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com.tr/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    Wow6432Node-HKLM-Explorer_Run-49674 - c:\progra~3\LOCALS~1\Temp\msacysuzy.exe
    AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-04-11  18:13:45
    ComboFix-quarantined-files.txt  2013-04-11 15:13
    .
    Pre-Run: 74,974,371,840 bayt boş
    Post-Run: 74,836,705,280 bayt boş
    .
    - - End Of File - - AA0FFE4F430702A6E27E485462CCC258


    #8 Blind Faith

    Blind Faith

    • Malware Response Team
    • 4,101 posts
    • OFFLINE
    •  
    • Gender:Female
    • Local time:05:27 AM

    Posted 11 April 2013 - 01:15 PM

    Hi there,

     

     

     

    I don't see an Anti Virus Program running on your machine
     
    Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Three good antivirus programs free for non-commercial home use are http://www.avast.com/eng/avast_4_home.html, http://www.free-av.com/ and http://www.microsoft.com/Security_Essentials
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

     

     

    How is the system behaving now?And improvements?

     

     

     

     

     

    Elle


    Can you hear it?It's all around!

    Tomar ki manè acchè?
    Yadi thakè, tahalè
    Ki kshama kartè paro
    ?



    If I haven't replied in 48 hours, please feel free to send me a PM.



    Posted Image

    #9 CanRaps

    CanRaps
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:05:27 AM

    Posted 16 April 2013 - 01:26 AM

    Hi Elle, because i was on a business trip i didnt have any chance to install antivirus yet. Like i said, there is nothing wrong with the system, its just the virus is there it keeps interfering the registry but i cant find what and who is responsible for this action.

     

    Elle isnt there any tool that we can monitor registry so that we can keep track of the line and who is responsible for this lines injection to registry ?

     

    mExplorerRun: [49674] C:\PROGRA~3\LOCALS~1\Temp\msacysuzy.exe



    #10 Blind Faith

    Blind Faith

    • Malware Response Team
    • 4,101 posts
    • OFFLINE
    •  
    • Gender:Female
    • Local time:05:27 AM

    Posted 16 April 2013 - 04:22 PM

    Hi there,
     
     
    1. Close any open browsers.
     
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
     
    3. Open notepad and copy/paste the text in the quotebox below into it:
     

    File::
    C:\PROGRA~3\LOCALS~1\Temp\msacysuzy.exe
     
    Save this as CFScript.txt, in the same location as ComboFix.exe
     
     
    CFScriptB-4.gif 
     
    Refering to the picture above, drag CFScript into ComboFix.exe
     
    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
     
    Elle

    Can you hear it?It's all around!

    Tomar ki manè acchè?
    Yadi thakè, tahalè
    Ki kshama kartè paro
    ?



    If I haven't replied in 48 hours, please feel free to send me a PM.



    Posted Image

    #11 CanRaps

    CanRaps
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:05:27 AM

    Posted 17 April 2013 - 10:21 AM

    Hello Elle,

     

    I have done what you have told me but i must warn you that in my first msg i stated that i had already deleted that virus file in command prompt. ( C:\PROGRA~3\LOCALS~1\Temp\msacysuzy.exe )

     

     

     

    ComboFix 13-04-17.01 - TTTTTTT 17.04.2013  18:12:01.3.2 - x64

    Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.2047.1214 [GMT 3:00]
    Running from: c:\users\TTTTTTT\Desktop\antivirus\ComboFix.exe
    Command switches used :: c:\users\TTTTTTT\Desktop\antivirus\cfscript.txt
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     * Created a new restore point
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\prsgrc.dll
    c:\windows\SysWow64\w7ddzvk.dll
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-03-17 to 2013-04-17  )))))))))))))))))))))))))))))))
    .
    .
    2013-04-17 15:16 . 2013-04-17 15:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-04-09 16:09 . 2013-04-09 16:09 -------- d-----w- c:\program files (x86)\Common Files\Java
    2013-04-09 16:08 . 2013-04-09 16:08 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2013-04-09 16:08 . 2013-04-09 16:08 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2013-04-09 16:08 . 2013-04-09 16:08 -------- d-----w- c:\program files (x86)\Java
    2013-04-08 06:19 . 2013-04-08 06:19 -------- d-----w- c:\programdata\Local Settings
    2013-04-08 06:19 . 2013-04-08 06:19 -------- d-----w- C:\Temp
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-09 16:08 . 2012-04-16 11:52 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2013-03-13 08:52 . 2012-04-17 06:33 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-03-13 08:52 . 2012-04-17 06:33 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-05-04 12:43 1519272 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-05-04 1561768]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "49674"="c:\progra~3\LOCALS~1\Temp\msacysuzy.exe" [BU]
    .
    c:\users\TTTTTTT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-04-17 1431888]
    R3 SNTUSB64;SafeNet USB SuperPro/UltraPro/HardwareKey;c:\windows\system32\DRIVERS\SNTUSB64.SYS [2010-10-20 59048]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    S2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2010-07-27 75648]
    S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-09-21 21992]
    S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe  -run [x]
    S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-03-22 204296]
    S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2012-03-22 69640]
    S2 Sentinel64;Sentinel64;c:\windows\System32\Drivers\Sentinel64.sys [2009-09-17 145448]
    S3 RTL8167;Realtek 8167 NT Sürücüsü;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 08:52]
    .
    2013-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2994728034-2318738296-3324851195-1000Core.job
    - c:\users\TTTTTTT\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-16 11:40]
    .
    2013-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2994728034-2318738296-3324851195-1000UA.job
    - c:\users\TTTTTTT\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-16 11:40]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com.tr/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-04-17  18:18:39
    ComboFix-quarantined-files.txt  2013-04-17 15:18
    .
    Pre-Run: 73,848,115,200 bayt boş
    Post-Run: 73,707,671,552 bayt boş
    .
    - - End Of File - - 6A530BDC5D93B10A051E608679CD97D2


    #12 Blind Faith

    Blind Faith

    • Malware Response Team
    • 4,101 posts
    • OFFLINE
    •  
    • Gender:Female
    • Local time:05:27 AM

    Posted 17 April 2013 - 01:56 PM

    Yes, I am aware of that, just wanted to check on it but apparently there are some files that won't get deleted. 

    And the HJT entry is still present? 

     

     

     

     

    Elle 


    Can you hear it?It's all around!

    Tomar ki manè acchè?
    Yadi thakè, tahalè
    Ki kshama kartè paro
    ?



    If I haven't replied in 48 hours, please feel free to send me a PM.



    Posted Image

    #13 CanRaps

    CanRaps
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:05:27 AM

    Posted 18 April 2013 - 04:18 AM

    Hello again Elle,

     

    Yesterday i ran a full virus scan with Avast. It had only deleted C:\Temp\Uninstallerwise.exe   file.

     

    On the other hand the files combofix try to delete (c:\windows\SysWow64\prsgrc.dll

    c:\windows\SysWow64\w7ddzvk.dll) are all associated with sentinel driver which is used for usb keys that is to unlock the softwares. So they are not virus related.
     
    Now i re run HJT and wipe  mExplorerRun: [49674] C:\PROGRA~3\LOCALS~1\Temp\msacysuzy.exe   line but it re appears at the same second :(

    Edited by CanRaps, 18 April 2013 - 10:33 AM.


    #14 Blind Faith

    Blind Faith

    • Malware Response Team
    • 4,101 posts
    • OFFLINE
    •  
    • Gender:Female
    • Local time:05:27 AM

    Posted 18 April 2013 - 04:16 PM

    Hi there,
     
     
    1. Close any open browsers.
     
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
     
    3. Open notepad and copy/paste the text in the quotebox below into it:
     

     

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

    "49674"=-

     

     
    Save this as CFScript.txt, in the same location as ComboFix.exe
     
     
    CFScriptB-4.gif
     
    Refering to the picture above, drag CFScript into ComboFix.exe
     
    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
     
    Elle

    Can you hear it?It's all around!

    Tomar ki manè acchè?
    Yadi thakè, tahalè
    Ki kshama kartè paro
    ?



    If I haven't replied in 48 hours, please feel free to send me a PM.



    Posted Image

    #15 CanRaps

    CanRaps
    • Topic Starter

    • Members
    • 16 posts
    • OFFLINE
    •  
    • Local time:05:27 AM

    Posted 20 April 2013 - 05:26 AM

    ComboFix 13-04-20.01 - TTTTTTT 20.04.2013  13:09:40.4.2 - x64
    Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.2047.1315 [GMT 3:00]
    Running from: c:\users\TTTTTTT\Desktop\antivirus\ComboFix.exe
    Command switches used :: c:\users\TTTTTTT\Desktop\antivirus\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     * Created a new restore point
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-03-20 to 2013-04-20  )))))))))))))))))))))))))))))))
    .
    .
    2013-04-20 10:16 . 2013-04-20 10:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-04-17 16:32 . 2013-04-17 16:32 -------- d-----w- C:\usr
    2013-04-17 15:37 . 2013-03-06 22:33 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2013-04-17 15:37 . 2013-03-06 22:33 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2013-04-17 15:37 . 2013-03-06 22:33 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2013-04-17 15:37 . 2013-03-06 22:33 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2013-04-17 15:37 . 2013-03-06 22:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2013-04-17 15:37 . 2013-03-06 22:33 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-04-17 15:37 . 2013-03-06 22:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
    2013-04-17 15:37 . 2013-03-06 22:33 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2013-04-17 15:37 . 2013-03-06 22:32 287840 ----a-w- c:\windows\system32\aswBoot.exe
    2013-04-17 15:36 . 2013-03-06 22:32 41664 ----a-w- c:\windows\avastSS.scr
    2013-04-17 15:36 . 2013-04-17 15:36 -------- d-----w- c:\program files\AVAST Software
    2013-04-17 15:34 . 2013-04-17 15:36 -------- d-----w- c:\programdata\AVAST Software
    2013-04-17 15:22 . 2008-07-25 18:21 79872 ----a-w- c:\windows\system32\KMPJL64.DLL
    2013-04-17 15:22 . 2008-02-12 13:42 46877 ----a-w- c:\windows\system32\KM-PMKN.DLL
    2013-04-09 16:09 . 2013-04-09 16:09 -------- d-----w- c:\program files (x86)\Common Files\Java
    2013-04-09 16:08 . 2013-04-09 16:08 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2013-04-09 16:08 . 2013-04-09 16:08 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2013-04-09 16:08 . 2013-04-09 16:08 -------- d-----w- c:\program files (x86)\Java
    2013-04-08 06:19 . 2013-04-08 06:19 -------- d-----w- c:\programdata\Local Settings
    2013-04-08 06:19 . 2013-04-17 15:55 -------- d-----w- C:\Temp
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-09 16:08 . 2012-04-16 11:52 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2013-03-13 08:52 . 2012-04-17 06:33 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-03-13 08:52 . 2012-04-17 06:33 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-05-04 12:43 1519272 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-05-04 1561768]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "49674"="c:\progra~3\LOCALS~1\Temp\msacysuzy.exe" [BU]
    .
    c:\users\TTTTTTT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 aswVmm;aswVmm; [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-04-17 1431888]
    R3 SNTUSB64;SafeNet USB SuperPro/UltraPro/HardwareKey;c:\windows\system32\DRIVERS\SNTUSB64.SYS [2010-10-20 59048]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    S0 aswRvrt;aswRvrt; [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2010-07-27 75648]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
    S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-09-21 21992]
    S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe  -run [x]
    S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-03-22 204296]
    S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2012-03-22 69640]
    S2 Sentinel64;Sentinel64;c:\windows\System32\Drivers\Sentinel64.sys [2009-09-17 145448]
    S3 RTL8167;Realtek 8167 NT Sürücüsü;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-20 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 08:52]
    .
    2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2994728034-2318738296-3324851195-1000Core.job
    - c:\users\TTTTTTT\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-16 11:40]
    .
    2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2994728034-2318738296-3324851195-1000UA.job
    - c:\users\TTTTTTT\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-16 11:40]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2013-03-06 22:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com.tr/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-04-20  13:23:30
    ComboFix-quarantined-files.txt  2013-04-20 10:23
    ComboFix2.txt  2013-04-17 15:18
    .
    Pre-Run: 74,655,080,448 bayt boş
    Post-Run: 74,509,193,216 bayt boş
    .
    - - End Of File - - 059D070FDC28D37A8AC10093D72A03BD





    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users