
Win64 Conedex.B & Conedex.C trojans


  • This topic is locked
17 replies to this topic

#1 mrakuma

mrakuma

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:58 AM

Posted 21 August 2013 - 08:12 AM

Hello.

My ESET Smart Security keeps on detecting the trojans above, and even though they have been cleaned by deleting (quarantined), they still keep popping up.

I'm not very good at handling software, so please help me.

 

This is the DDS.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 10.25.2
Run by My Documents at 20:54:19 on 2013-08-21
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe
C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe
C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Connection Manager\Bin\mcserver.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Connection Manager\Bin\dbus-daemon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Connection Manager\Bin\db_daemon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
C:\Program Files (x86)\Cobian Backup 11\Cobian.exe
C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
"C:\Windows\SysWOW64\svchost.exe" -k RPCSSNetwork
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.my/
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\My Documents\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Facebook Update] "C:\Users\My Documents\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [RemoteControl11] "C:\Program Files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all links by FlashGet3 - C:\Program Files (x86)\FlashGet Network\FlashGet 3\BHO\fdgetallurl.htm
IE: Download by FlashGet3 - C:\Program Files (x86)\FlashGet Network\FlashGet 3\BHO\fdgeturl.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{05D2A739-94EA-4B5C-9CF6-64E3CE4D9C44} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{E1D033CE-63EF-4727-A84C-A7CC8934085C} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
x64-Run: [TNOD UP] "C:\Program Files\ESET\TNod User & Password Finder\TNODUP.exe" /i
x64-Run: [Fences] "C:\Program Files (x86)\Stardock\Fences\Fences.exe" /startup
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
x64-STS: FencesShlExt Class - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files (x86)\Stardock\Fences\FencesMenu64.dll
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R? ?etadpug;Google Update Service (gupdate)
R? dmvsc;dmvsc
R? massfilter;MBB Mass Storage Filter Driver
R? RdpVideoMiniport;Remote Desktop Video Miniport Driver
R? Synth3dVsc;Synth3dVsc
R? terminpt;Microsoft Remote Desktop Input Driver
R? TsUsbFlt;TsUsbFlt
R? TsUsbGD;Remote Desktop Generic USB Device
R? tsusbhub;tsusbhub
R? VGPU;VGPU
S? {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2013/01/08 09:00:34]
S? cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester
S? CLHNServiceForPowerDVD;CLHNServiceForPowerDVD
S? CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service
S? CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service
S? eamonm;eamonm
S? ekrn;ESET Service
S? EpfwLWF;Epfw NDIS LightWeight Filter
S? epfwwfp;epfwwfp
S? HECIx64;Intel® Management Engine Interface
S? HWiNFO32;HWiNFO32/64 Kernel Driver
S? iaStorA;iaStorA
S? IAStorDataMgrSvc;Intel® Rapid Storage Technology
S? iaStorF;iaStorF
S? k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0
S? ntk_PowerDVD;ntk_PowerDVD
S? Stereo Service;NVIDIA Stereoscopic 3D Driver Service
S? UNS;Intel® Management & Security Application User Notification Service
.
=============== Created Last 30 ================
.
2013-08-21 11:17:03 -------- d-----w- C:\Program Files (x86)\Cobian Backup 11
2013-08-21 10:28:39 -------- d-----w- C:\FRST
2013-08-20 10:45:12 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2013-08-20 10:35:41 225280 ----a-w- C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll
2013-08-20 10:35:18 -------- d-----w- C:\Program Files (x86)\x264 Video Codec
2013-08-20 10:28:54 -------- d-----w- C:\Program Files (x86)\GRETECH
2013-08-08 08:22:12 -------- d-----w- C:\Program Files (x86)\Will
2013-07-24 06:17:22 -------- d-----w- C:\Program Files (x86)\uTorrent
.
==================== Find3M  ====================
.
2013-08-21 08:30:49 151552 ----a-w- C:\Windows\KMSEmulator.exe
2013-08-20 17:36:21 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-20 17:36:21 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-06 06:40:27 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-06 06:40:22 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-07-06 06:40:21 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 20:56:59.11 ===============
 

 

Attached Files
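Reading a DDS log like the one above (and the ComboFix log posted later in this thread) is mostly done by eye: the `mPolicies-System` lines show UAC switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), several autoruns load from the user's AppData tree, and a hidden+system directory literally named `%APPDATA%` was created under SysWow64 the day before the report. The Python script below is an added example, not code from DDS, ComboFix, ESET or any poster in this thread; it parses both tools' line syntax and applies those three checks. The stock UAC default values, the rule names, and the assumption that a hidden+system object created under C:\Windows deserves review are the editor's own; the sample lines are excerpted from the logs in this thread.

```python
"""Triage helper for DDS and ComboFix logs (added example for this page; not
code from DDS, ComboFix, ESET or anyone in the thread). It parses the line
syntax DDS ("Pseudo HJT Report", "Created Last 30", "Find3M") and ComboFix
("Reg Loading Points", "Files Created") emit; the rules are editor heuristics."""
import re
from dataclasses import dataclass

# UAC policy values as both tools print them, with the value each holds on a
# stock Windows 7 install (assumption: no domain policy overrides defaults).
UAC_EXPECTED = {
    "EnableLUA": 1,                   # 0 = UAC switched off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = admins elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 = prompt drawn on the normal desktop
}
DDS_POLICY = re.compile(r"^mPolicies-System:\s*(\w+)\s*=\s*dword:(\d+)")
CF_POLICY = re.compile(r'^"(\w+)"=\s*(\d+)\s*\(0x[0-9A-Fa-f]+\)')

# Run keys, BHOs and Startup-folder shortcuts in either log's syntax.
AUTORUN_PREFIX = re.compile(
    r'^(?:(?:x64-)?(?:[um]Run|BHO):|"[^"]+"=|.+?\.lnk - )', re.IGNORECASE)
MODULE_PATH = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll))", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|programdata)\\", re.I)

# "date [. date] size-or-dashes attribute-flags path", flags like d-sh--w-
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\S*\s+"
    r"(?:\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+)?"
    r"(\d+|-{8})\s+([-a-z]{8})\s+(.+?)\s*$")
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\windows\\", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str

def check_uac(line):
    """Flag a UAC policy value that differs from the stock default."""
    m = DDS_POLICY.match(line) or CF_POLICY.match(line)
    if not m or m.group(1) not in UAC_EXPECTED:
        return None
    name, value = m.group(1), int(m.group(2))
    if value == UAC_EXPECTED[name]:
        return None
    return Finding("uac-weakened", f"{name}={value}, default {UAC_EXPECTED[name]}", line)

def check_autorun(line):
    """Flag an autorun whose module lives in a user-writable profile path."""
    if not AUTORUN_PREFIX.match(line):
        return None
    m = MODULE_PATH.search(line)
    if m and USER_WRITABLE.search(m.group(1)):
        return Finding("autorun-from-user-writable-path", m.group(1), line)
    return None

def check_created_file(line):
    """Flag hidden+system objects created under the Windows directory."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    attrs, path = m.group(3), m.group(4)
    if "s" in attrs and "h" in attrs and WINDOWS_DIR.match(path):
        return Finding("hidden-system-object-under-windows", f"attrs={attrs}", line)
    return None

def triage(text):
    """Run every check over every line; the first rule that fires wins."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for check in (check_uac, check_autorun, check_created_file):
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings

# Lines excerpted from the DDS and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
uRun: [Facebook Update] "C:\Users\My Documents\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\My Documents\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
2013-08-20 10:45:12 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2013-08-21 08:30:49 151552 ----a-w- C:\Windows\KMSEmulator.exe
"EnableLUA"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
2013-08-20 10:45 . 2013-08-20 10:45 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
"Facebook Update"="c:\users\My Documents\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-01-08 138096]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

To run it over a saved log, call `triage(open(path, errors="replace").read())`. The rules are deliberately narrow and the output is a review list, not a verdict: an autorun under AppData (Facebook Update here) is frequently legitimate, whereas the three UAC values at zero and a hidden+system `%APPDATA%` directory under SysWow64 are the kind of findings that justify the ComboFix run requested in the next reply.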



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:58 PM

Posted 23 August 2013 - 01:20 AM

Please run the following

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mrakuma

mrakuma
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:58 AM

Posted 23 August 2013 - 06:10 AM

Thanks for your reply.

Here's the log.

 

ComboFix 13-08-22.01 - My Documents 08/23/2013  18:29:59.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.1972.911 [GMT 8:00]
Running from: c:\users\My Documents\Desktop\ComboFix.exe
AV: ESET Smart Security 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Google\Desktop\Install
c:\program files (x86)\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\9519~1\A535~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\@
c:\program files (x86)\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\9519~1\A535~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\GoogleUpdate.exe
c:\program files (x86)\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\9519~1\A535~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\L\6715e287
c:\program files (x86)\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\9519~1\A535~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000008.@
c:\program files (x86)\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\9519~1\A535~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000000.@
c:\program files (x86)\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\9519~1\A535~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000032.@
c:\program files (x86)\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\9519~1\A535~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000064.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\???\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\L\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\???\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\???\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000008.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\???\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\000000cb.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\???\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000000.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\???\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000032.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\???\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000064.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\L\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000008.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\000000cb.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000000.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000032.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\???\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000064.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\L\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000008.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\000000cb.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000000.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000032.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\???\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000064.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\GoogleUpdate.exe
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\L\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000004.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\00000008.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\000000cb.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000000.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000032.@
c:\users\My Documents\AppData\Local\Google\Desktop\Install\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\2E2F~1\28F0~1\E628~1\{7b74dbd3-3cd2-17e6-8a1a-7188aa7e7704}\U\80000064.@
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-23 to 2013-08-23  )))))))))))))))))))))))))))))))
.
.
2013-08-23 10:38 . 2013-08-23 10:38 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-08-23 10:38 . 2013-08-23 10:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-21 11:17 . 2013-08-21 11:17 -------- d-----w- c:\program files (x86)\Cobian Backup 11
2013-08-21 10:28 . 2013-08-21 10:28 -------- d-----w- C:\FRST
2013-08-20 10:45 . 2013-08-20 10:45 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2013-08-20 10:35 . 2013-08-20 10:35 225280 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
2013-08-20 10:35 . 2013-08-20 11:08 -------- d-----w- c:\program files (x86)\x264 Video Codec
2013-08-20 10:29 . 2013-08-20 10:29 -------- d-----w- c:\users\My Documents\AppData\Roaming\GRETECH
2013-08-20 10:28 . 2013-08-20 10:28 -------- d-----w- c:\program files (x86)\GRETECH
2013-08-08 08:22 . 2013-08-08 08:22 -------- d-----w- c:\program files (x86)\Will
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-23 10:40 . 2013-01-08 00:07 151552 ----a-w- c:\windows\KMSEmulator.exe
2013-08-20 17:36 . 2013-01-07 23:54 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-20 17:36 . 2013-01-07 23:54 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-06 06:40 . 2013-07-06 06:40 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-06 06:40 . 2013-01-07 23:49 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-07-06 06:40 . 2013-01-07 23:49 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\My Documents\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-01-08 138096]
"EA Core"="c:\program files (x86)\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2013-07-24 399224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2012-11-30 56128]
"RemoteControl11"="c:\program files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe" [2011-04-20 234792]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-11 253816]
.
c:\users\My Documents\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Fences.lnk - c:\program files (x86)\Stardock\Fences\Fences.exe /startup [2012-10-30 4017368]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-3-29 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MCtlSvc.lnk - c:\program files (x86)\Connection Manager\Bin\mcserver.exe [2013-1-8 60688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys;c:\windows\SYSNATIVE\DRIVERS\massfilter.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfp.sys [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys;c:\windows\SYSNATIVE\DRIVERS\EpfwLWF.sys [x]
S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\windows\SysWOW64\drivers\Mydrivers64A.SYS;c:\windows\SysWOW64\drivers\Mydrivers64A.SYS [x]
S2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2013/01/08 09:00];c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl;c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [x]
S2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files (x86)\Cobian Backup 11\cbVSCService11.exe;c:\program files (x86)\Cobian Backup 11\cbVSCService11.exe [x]
S2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [x]
S2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [x]
S2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 ntk_PowerDVD;ntk_PowerDVD;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-23 09:52 1177552 ----a-w- c:\program files (x86)\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-07 17:36]
.
2013-08-23 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2013-01-08 00:07]
.
2013-08-23 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS\AutoKMS.exe [2013-01-08 00:07]
.
2013-08-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-776911197-2618303698-1742622341-1000Core.job
- c:\users\My Documents\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-08 07:19]
.
2013-08-23 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-776911197-2618303698-1742622341-1000UA.job
- c:\users\My Documents\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-01-08 07:19]
.
2013-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-08 01:42]
.
2013-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-08 01:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\program files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe" [2013-01-08 7144960]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-21 12632168]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-11-16 4090824]
"TNOD UP"="c:\program files\ESET\TNod User & Password Finder\TNODUP.exe" [2012-07-05 1028800]
"Fences"="c:\program files (x86)\Stardock\Fences\Fences.exe" [2012-10-29 4017368]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files (x86)\Stardock\Fences\FencesMenu64.dll" [2012-10-29 551640]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.my/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Download all links by FlashGet3 - c:\program files (x86)\FlashGet Network\FlashGet 3\BHO\fdgetallurl.htm
IE: Download by FlashGet3 - c:\program files (x86)\FlashGet Network\FlashGet 3\BHO\fdgeturl.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{1EC23CFF-4C58-458f-924C-8519AEF61B32} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{329F96B6-DF1E-4328-BFDA-39EA953C1312}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-776911197-2618303698-1742622341-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v20po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.v20po"
.
[HKEY_USERS\S-1-5-21-776911197-2618303698-1742622341-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v20pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.v20pp"
.
[HKEY_USERS\S-1-5-21-776911197-2618303698-1742622341-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v20ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.v20ppf"
.
[HKEY_USERS\S-1-5-21-776911197-2618303698-1742622341-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.xmp"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
c:\program files (x86)\Connection Manager\Bin\dbus-daemon.exe
c:\program files (x86)\Connection Manager\Bin\db_daemon.exe
c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
.
**************************************************************************
.
Completion time: 2013-08-23  18:57:08 - machine was rebooted
ComboFix-quarantined-files.txt  2013-08-23 10:57
.
Pre-Run: 215,982,149,632 bytes free
Post-Run: 216,997,273,600 bytes free
.
- - End Of File - - F4FA6A9A422676938BE1C08DF4918AB5
A36C5E4F47E84449FF07ED3517B43A31


#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 23 August 2013 - 02:41 PM

Please do the following:

Please run the following:

Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.
Direct link to the file: http://downloads.malwarebytes.org/file/mbar
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Doubleclick on the MBAR file you downloaded.
  • Approve the UAC prompt in Vista and newer operating systems.
  • Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
  • By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.
  • mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
  • After reading the Introduction, click 'Next' if you agree.
  • On the Update Database screen, click on the 'Update' button.
  • Once you see 'Success: Database was successfully updated' click on 'Next'.
  • Click the 'Scan' button.
    • With some infections, you may see two message boxes.
    • 1.'Could not load protection driver'. Click 'OK'.
    • 2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, press the Cleanup button when the scan completes. Click EXIT.
    Then, please send the following logs as attachments to your reply. These logs are located in the mbar folder on your desktop where the tool extracted itself to.

    mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)
    system-log.txt
fixdamage - repair damaged services

If no detections occurred during the MBAR scan, and/or if the issue with Website Blocking remains, please do this next:
Open the Malwarebytes Anti-Rootkit folder.
Locate fixdamage.exe within the \mbar\Plugins folder and double-click on it. In Windows Vista and Windows 7, approve the UAC prompt.
fixdamage.exe will open a command window.
You will be asked if you want to continue. Type y if you do.
A reboot request may be made after the fix. Type y in the command prompt, and allow the computer to be rebooted.
Even if a reboot request was not made after running FixDamage.exe please restart the computer.

Once back in Windows, please send the following logs as attachments to your reply. These logs are located in the Malwarebytes Anti-Rootkit folder.

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)
system-log.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 mrakuma
  • Topic Starter

  • Members
  • 10 posts

Posted 24 August 2013 - 03:58 AM

Uhh. After my computer rebooted, according to the MBAR usage instructions, I need to scan it again. But it doesn't automatically open, and when I open it, it says the MBAR version is outdated and I need to download a newer version. Should I?

 

Attached Files



#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 August 2013 - 07:54 AM

yes,

 

the tool is updated frequently,

 

so download a fresh copy and run another scan, post the resulting log


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 mrakuma
  • Topic Starter

  • Members
  • 10 posts

Posted 24 August 2013 - 01:19 PM

Done. Here's the log.

Attached Files



#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 August 2013 - 02:46 PM

good,
 
we just need to sweep for leftovers

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT



Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 mrakuma
  • Topic Starter

  • Members
  • 10 posts

Posted 25 August 2013 - 05:42 AM

I ran the ESET online scanner but it says 'Unexpected error 2002' during initialization on the first 2 tries. It works on the third try though. I figure I should tell you if it means something.

Attached Files



#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 August 2013 - 07:20 AM

Most of the ESET detections are already in quarantine which will be removed once we uninstall ComboFix at the end.

The other detections can be deleted (they are installer files bundled with adware):

C:\Users\My Documents\Desktop\avira_free_antivirus_en.exe
C:\Users\My Documents\Downloads\GOMPLAYERENSETUP.EXE

These files are an indication that Office may not be genuine; can you advise?

C:\Windows\KMSEmulator.exe
C:\Windows\AutoKMS\AutoKMS.exe

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 mrakuma
  • Topic Starter

  • Members
  • 10 posts

Posted 25 August 2013 - 12:48 PM

Office is not genuine? What does it mean? Do I have to uninstall it?



#12 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 August 2013 - 03:12 PM

I was asking you, as that file is often used when Office is not genuine, or do you have another use for this?

C:\Windows\KMSEmulator.exe
C:\Windows\AutoKMS\AutoKMS.exe

http://tamsuper.blogspot.ro/2011/05/microsoft-office-2010-finally-cracked.html

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 mrakuma
  • Topic Starter

  • Members
  • 10 posts

Posted 26 August 2013 - 03:54 AM

No. I don't think there is any use for that. Oh, I'm using a second-hand laptop, so I don't really know what it's for in the first place.

What do I do next?


Edited by mrakuma, 26 August 2013 - 04:03 AM.


#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 August 2013 - 06:59 AM

I suggest either obtaining a proper license for it and re-installing a licensed version, or removing it and using OpenOffice, as having pirated software on the computer can be an invitation for infections to come on board, and you don't know if the machine is compromised because of this software.


How is the computer running now and are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 mrakuma
  • Topic Starter

  • Members
  • 10 posts

Posted 26 August 2013 - 10:27 AM

Okay. I'll keep that in mind.

 

As for the computer, it seems to function normally and there are no issues as far as I can tell.

The trojans detected by ESET also stopped appearing. Thanks to you.


