Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer is infected with FBI Ransom Virus


  • This topic is locked This topic is locked
7 replies to this topic

#1 hillbillyzombie

hillbillyzombie

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 02 September 2014 - 11:33 AM

Mod Edit:  Merged posts - Hamluis.
 
My computer running Windows 7 boots to the FBI Ransom Virus and has locked me out of all functions.
I was able to get the machine to boot into Safe Mode but I am now unable to do anything else but stare
at that foolish warning screen. I appreciate any help you can provide.  I have already ran FRST64 and have a few of the logs but not sure where to go from there.  The first log will be the system scan and the second one will be of the user32.dll search.
Let me know what information I can provide and thank you in advance.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-08-2014 02
Ran by SYSTEM on MININT-G6TIUCP on 02-09-2014 08:53:41
Running from f:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7203032 2013-10-22] (Realtek Semiconductor)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-20] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [*Restore] => C:\windows\system32\rstrui.exe [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.01\atkexComSvc.exe [927232 2012-10-29] ()
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [149032 2012-08-16] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-03-12] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [334608 2013-04-09] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-03-18] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-04-03] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [189912 2014-04-03] (McAfee, Inc.)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-21] ()
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70592 2014-04-03] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [20968 2012-08-16] ()
S3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [19944 2012-08-16] ()
S3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [46016 2012-08-16] ()
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [177544 2014-04-03] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311856 2014-04-03] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [522360 2014-04-03] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [784760 2014-04-03] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [441264 2014-03-18] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-03-18] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [346760 2014-04-03] (McAfee, Inc.)
S3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-07-16] ()
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-02 08:53 - 2014-09-02 08:53 - 00000000 ____D () C:\FRST
2014-09-02 06:31 - 2014-09-02 08:42 - 00000000 ____D () C:\users\kyle
2014-09-02 06:31 - 2014-09-02 06:31 - 00000000 ____D () C:\Users\kyle\AppData\Local\NPE
2014-09-02 06:26 - 2014-09-02 06:29 - 00000000 ____D () C:\Users\Hillbillyzombie\AppData\Local\NPE
2014-09-02 06:25 - 2014-09-02 08:34 - 00000000 ____D () C:\ProgramData\Norton
2014-09-02 06:25 - 2014-09-02 06:25 - 00000000 ____D () C:\Users\norton\AppData\Local\NPE
2014-09-01 20:07 - 2014-09-01 20:42 - 00000000 ____D () C:\NBRT
2014-09-01 17:58 - 2014-09-01 17:58 - 00000000 ____D () C:\Users\norton\AppData\Local\Google
2014-09-01 17:57 - 2014-09-02 08:34 - 00000000 ____D () C:\users\norton
2014-09-01 14:51 - 2014-09-01 15:31 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-09-01 14:41 - 2014-09-01 14:41 - 00221096 _____ () C:\Users\Hillbillyzombie\Desktop\NFL draft pos.xlsx
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-02 08:53 - 2014-09-02 08:53 - 00000000 ____D () C:\FRST
2014-09-02 08:42 - 2014-09-02 06:31 - 00000000 ____D () C:\users\kyle
2014-09-02 08:42 - 2014-05-11 02:01 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-09-02 08:42 - 2014-03-24 22:32 - 00000000 ____D () C:\Program Files (x86)\Diablo III
2014-09-02 08:42 - 2014-03-16 01:38 - 00000000 ____D () C:\Users\Hillbillyzombie\AppData\Roaming\Battle.net
2014-09-02 08:42 - 2014-03-16 01:38 - 00000000 ____D () C:\Program Files (x86)\Hearthstone
2014-09-02 08:42 - 2014-03-16 01:37 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-09-02 08:42 - 2014-02-19 22:18 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2014-09-02 08:42 - 2014-01-25 16:13 - 00000000 ____D () C:\Users\Hillbillyzombie\Desktop\World of Warcraft
2014-09-02 08:42 - 2014-01-25 16:05 - 00000000 ____D () C:\users\Hillbillyzombie
2014-09-02 08:42 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\servicing
2014-09-02 08:42 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-09-02 08:42 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-09-02 08:42 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-09-02 08:42 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-09-02 08:42 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-09-02 08:40 - 2014-01-25 16:53 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-09-02 08:40 - 2014-01-25 16:29 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2014-09-02 08:40 - 2014-01-25 16:13 - 00000000 ____D () C:\ProgramData\Battle.net
2014-09-02 08:34 - 2014-09-02 06:25 - 00000000 ____D () C:\ProgramData\Norton
2014-09-02 08:34 - 2014-09-01 17:57 - 00000000 ____D () C:\users\norton
2014-09-02 06:31 - 2014-09-02 06:31 - 00000000 ____D () C:\Users\kyle\AppData\Local\NPE
2014-09-02 06:29 - 2014-09-02 06:26 - 00000000 ____D () C:\Users\Hillbillyzombie\AppData\Local\NPE
2014-09-02 06:25 - 2014-09-02 06:25 - 00000000 ____D () C:\Users\norton\AppData\Local\NPE
2014-09-02 06:16 - 2014-02-16 12:56 - 00000000 ____D () C:\Users\Hillbillyzombie\AppData\Local\CrashDumps
2014-09-01 20:42 - 2014-09-01 20:07 - 00000000 ____D () C:\NBRT
2014-09-01 17:58 - 2014-09-01 17:58 - 00000000 ____D () C:\Users\norton\AppData\Local\Google
2014-09-01 15:31 - 2014-09-01 14:51 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-09-01 15:01 - 2014-03-16 01:38 - 00000000 ____D () C:\Users\Hillbillyzombie\AppData\Local\Battle.net
2014-09-01 14:41 - 2014-09-01 14:41 - 00221096 _____ () C:\Users\Hillbillyzombie\Desktop\NFL draft pos.xlsx
2014-08-29 07:58 - 2014-01-25 20:49 - 00000000 ____D () C:\Users\Hillbillyzombie\Desktop\zaddons
2014-08-19 02:04 - 2013-08-26 08:26 - 00000000 ____D () C:\Windows\System32\MRT
Some content of TEMP:
====================
C:\Users\Hillbillyzombie\AppData\Local\Temp\install_reader11_en_mssa_aaa_aih.exe
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points  =========================
Restore point made on: 2014-03-19 12:42:25
Restore point made on: 2014-03-20 02:00:24
Restore point made on: 2014-03-28 04:55:19
Restore point made on: 2014-04-06 23:20:39
Restore point made on: 2014-04-12 02:00:15
Restore point made on: 2014-04-19 12:47:15
Restore point made on: 2014-04-27 12:56:53
Restore point made on: 2014-05-04 02:00:30
Restore point made on: 2014-05-11 02:00:56
Restore point made on: 2014-05-12 02:00:19
Restore point made on: 2014-05-15 02:00:21
Restore point made on: 2014-05-22 06:38:52
Restore point made on: 2014-05-30 03:28:34
Restore point made on: 2014-06-06 21:13:27
Restore point made on: 2014-06-12 02:00:18
Restore point made on: 2014-06-19 20:08:52
Restore point made on: 2014-06-28 12:10:06
Restore point made on: 2014-07-07 20:16:21
Restore point made on: 2014-07-13 02:00:29
Restore point made on: 2014-07-16 02:00:31
Restore point made on: 2014-08-01 08:43:05
Restore point made on: 2014-08-18 18:30:50
Restore point made on: 2014-08-19 02:00:25
Restore point made on: 2014-08-29 06:36:55
Restore point made on: 2014-08-30 02:00:16
==================== Memory info ===========================
Percentage of memory in use: 10%
Total physical RAM: 7869.88 MB
Available physical RAM: 7017.88 MB
Total Pagefile: 7868.08 MB
Available Pagefile: 7010.12 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
==================== Drives ================================
Drive c: (OSDisk) (Fixed) (Total:931.02 GB) (Free:805.82 GB) NTFS
Drive e: (Nov 02 2013) (CDROM) (Total:0.22 GB) (Free:0 GB) CDFS
Drive f: (NBRT) (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System) (Fixed) (Total:0.49 GB) (Free:0.44 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: C4289393)
Partition 1: (Active) - (Size=499 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1.9 GB) (Disk ID: 00000000)
Partition: GPT Partition Type.
LastRegBack: 2014-08-29 09:04
==================== End Of Log ============================

 
 
 
 
 
 
 
 
 
Farbar Recovery Scan Tool (x64) Version: 31-08-2014 02
Ran by SYSTEM at 2014-09-02 09:05:54
Running from f:\
Boot Mode: Recovery
================== Search Files: "user32.dll" =============
C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
[2010-11-20 19:24][2010-11-20 19:24] 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[2010-11-20 19:24][2010-11-20 19:24] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
C:\Windows\SysWOW64\user32.dll
[2010-11-20 19:24][2010-11-20 19:24] 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
C:\Windows\System32\user32.dll
[2010-11-20 19:24][2010-11-20 19:24] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
X:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[2010-11-20 01:50][2010-11-20 05:27] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
X:\Windows\System32\user32.dll
[2010-11-20 01:50][2010-11-20 05:27] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
====== End Of Search ======

Edited by hamluis, 02 September 2014 - 12:07 PM.


BC AdBot (Login to Remove)

 


#2 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:05:06 AM

Posted 02 September 2014 - 05:36 PM

Hello hillbillyzombie,

My name is Cody and I'll be helping you clean up your computer. :)

I will reply to your posts as soon as possible -- typically within 24 hours. In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.

Please do note any time differences between us. If I do not respond within 48 hours, feel free to send me a private message.

==========================================================================

Some points for you to keep in mind:
  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.
==========================================================================

Please give me some time to review your log(s) and I will get back to you shortly. :)

CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#3 hillbillyzombie

hillbillyzombie
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 02 September 2014 - 05:46 PM

ok thank you



#4 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:05:06 AM

Posted 03 September 2014 - 02:23 PM

Hello hillbillyzombie,

Based on your initial post I'm unsure if you are still able to access and use Safe Mode. If you are able to, please do the following.

 

If you need to transfer ComboFix.exe from a working computer to the sick computer due to lack of Internet access, please do so.

 

==========

ComboFix Download and Scan

  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button pictured below and save the file to your desktop:
  • download.png
  • Disable any anti-virus and/or firewall software you have installed.
  • instructions can be found here if needed
  • Close all open windows including your web browser
  • as mentioned in the first post, you may want to print out all instructions before starting
  • Double-click on the ComboFix icon on your desktop. cf-icon.jpg
  • Read the Disclaimer and click I Agree if you want to run the software, then you should see a window like the one below:

cf-preparing.jpg

  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.
  • However, if you see the prompt below, please click Yes to download the Microsoft Windows Recovery Console.

recovery-console-prompt.jpg

If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode

  • Allow ComboFix to reboot the computer if necessary, it will run again after you log back in.
  • When complete, a log file will be displayed, please copy and paste the contents of this file into your next post.

cf-log.jpg

More information about downloading and using ComboFix can be found here if needed.


CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#5 hillbillyzombie

hillbillyzombie
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 03 September 2014 - 03:49 PM

ComboFix 14-08-31.01 - Hillbillyzombie 09/03/2014  13:39:03.1.4 - x64 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7870.6874 [GMT -7:00]
Running from: E:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-03 to 2014-09-03  )))))))))))))))))))))))))))))))
.
.
2014-09-03 20:41 . 2014-09-03 20:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-02 16:53 . 2014-09-02 16:54 -------- d-----w- C:\FRST
2014-09-02 14:31 . 2014-09-02 16:42 -------- d-----w- c:\users\kyle
2014-09-02 14:26 . 2014-09-02 14:29 -------- d-----w- c:\users\Hillbillyzombie\AppData\Local\NPE
2014-09-02 14:25 . 2014-09-02 16:34 -------- d-----w- c:\programdata\Norton
2014-09-02 04:07 . 2014-09-02 04:42 -------- d-----w- C:\NBRT
2014-09-02 01:57 . 2014-09-02 16:34 -------- d-----w- c:\users\norton
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-16 10:16 . 2014-07-16 10:16 94656 ----a-w- c:\windows\system32\WPRO_41_2001woem.tmp
2014-07-16 10:16 . 2014-01-06 18:33 34752 ----a-w- c:\windows\system32\drivers\WPRO_41_2001.sys
2014-07-13 10:01 . 2013-08-26 16:26 96441528 ----a-w- c:\windows\system32\MRT.exe
2014-06-30 02:09 . 2014-07-12 22:36 519168 ----a-w- c:\windows\system32\aepdu.dll
2014-06-30 02:04 . 2014-07-12 22:36 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-06-20 20:14 . 2014-07-12 22:36 266424 ----a-w- c:\windows\system32\iedkcs32.dll
2014-06-19 01:39 . 2014-07-12 22:36 23464448 ----a-w- c:\windows\system32\mshtml.dll
2014-06-19 01:06 . 2014-07-12 22:36 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-06-19 01:06 . 2014-07-12 22:36 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-06-19 00:48 . 2014-07-12 22:36 2768384 ----a-w- c:\windows\system32\iertutil.dll
2014-06-19 00:42 . 2014-07-12 22:36 548352 ----a-w- c:\windows\system32\vbscript.dll
2014-06-19 00:42 . 2014-07-12 22:36 66048 ----a-w- c:\windows\system32\iesetup.dll
2014-06-19 00:41 . 2014-07-12 22:36 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-06-19 00:41 . 2014-07-12 22:36 83968 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-06-19 00:32 . 2014-07-12 22:36 51200 ----a-w- c:\windows\system32\jsproxy.dll
2014-06-19 00:31 . 2014-07-12 22:36 33792 ----a-w- c:\windows\system32\iernonce.dll
2014-06-19 00:26 . 2014-07-12 22:36 598016 ----a-w- c:\windows\system32\ieui.dll
2014-06-19 00:24 . 2014-07-12 22:36 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-06-19 00:24 . 2014-07-12 22:36 111616 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-06-19 00:23 . 2014-07-12 22:36 752640 ----a-w- c:\windows\system32\jscript9diag.dll
2014-06-19 00:14 . 2014-07-12 22:36 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-06-19 00:09 . 2014-07-12 22:36 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2014-06-18 23:59 . 2014-07-12 22:36 38400 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-06-18 23:56 . 2014-07-12 22:36 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-06-18 23:53 . 2014-07-12 22:36 195584 ----a-w- c:\windows\system32\msrating.dll
2014-06-18 23:51 . 2014-07-12 22:36 5721088 ----a-w- c:\windows\system32\jscript9.dll
2014-06-18 23:50 . 2014-07-12 22:36 85504 ----a-w- c:\windows\system32\mshtmled.dll
2014-06-18 23:48 . 2014-07-12 22:36 292864 ----a-w- c:\windows\system32\dxtrans.dll
2014-06-18 23:39 . 2014-07-12 22:36 608768 ----a-w- c:\windows\system32\ie4uinit.exe
2014-06-18 23:38 . 2014-07-12 22:36 455168 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-06-18 23:37 . 2014-07-12 22:36 61952 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-06-18 23:36 . 2014-07-12 22:36 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-06-18 23:35 . 2014-07-12 22:36 62464 ----a-w- c:\windows\SysWow64\MshtmlDac.dll
2014-06-18 23:33 . 2014-07-12 22:36 631808 ----a-w- c:\windows\system32\msfeeds.dll
2014-06-18 23:27 . 2014-07-12 22:36 1249280 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-06-18 23:27 . 2014-07-12 22:36 2040832 ----a-w- c:\windows\system32\inetcpl.cpl
2014-06-18 23:23 . 2014-07-12 22:36 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-06-18 23:22 . 2014-07-12 22:36 592896 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-06-18 23:06 . 2014-07-12 22:36 32256 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-06-18 22:58 . 2014-07-12 22:36 2266112 ----a-w- c:\windows\system32\wininet.dll
2014-06-18 22:52 . 2014-07-12 22:36 4254720 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-06-18 22:51 . 2014-07-12 22:36 13527040 ----a-w- c:\windows\system32\ieframe.dll
2014-06-18 22:46 . 2014-07-12 22:36 1068032 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2014-06-18 22:45 . 2014-07-12 22:36 1964544 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-06-18 22:34 . 2014-07-12 22:36 1393664 ----a-w- c:\windows\system32\urlmon.dll
2014-06-18 22:15 . 2014-07-12 22:36 846336 ----a-w- c:\windows\system32\ieapfltr.dll
2014-06-18 22:13 . 2014-07-12 22:36 1791488 ----a-w- c:\windows\SysWow64\wininet.dll
2014-06-18 02:18 . 2014-07-12 22:36 692736 ----a-w- c:\windows\system32\osk.exe
2014-06-18 01:51 . 2014-07-12 22:36 646144 ----a-w- c:\windows\SysWow64\osk.exe
2014-06-18 01:10 . 2014-07-12 22:36 3157504 ----a-w- c:\windows\system32\win32k.sys
2014-06-06 10:10 . 2014-07-12 22:36 624128 ----a-w- c:\windows\system32\qedit.dll
2014-06-06 09:44 . 2014-07-12 22:36 509440 ----a-w- c:\windows\SysWow64\qedit.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2013-04-26 292848]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-26 537992]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
iSCTsysTray.lnk - c:\program files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray.exe [2012-8-16 316416]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.150\SSScheduler.exe [2014-4-9 332016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.01.01\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.01.01\atkexComSvc.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
R2 ISCTAgent;ISCT Always Updated Agent;c:\program files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe;c:\program files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [x]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
R2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe;c:\program files\McAfee\MSC\McAPExe.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
R2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 McAWFwk;McAfee Activation Service;c:\progra~1\COMMON~1\mcafee\actwiz\mcawfwk.exe;c:\progra~1\COMMON~1\mcafee\actwiz\mcawfwk.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.150\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.150\McCHSvc.exe [x]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
R3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys;c:\windows\SYSNATIVE\DRIVERS\mfencbdc.sys [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys;c:\windows\SYSNATIVE\DRIVERS\mfencrk.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);c:\windows\system32\drivers\WPRO_41_2001.sys;c:\windows\SYSNATIVE\drivers\WPRO_41_2001.sys [x]
R4 McOobeSv2;McAfee OOBE Service2;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys;c:\windows\SYSNATIVE\drivers\iusb3hcs.sys [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S3 ikbevent;Intel Upper keyboard Class Filter Driver;c:\windows\system32\DRIVERS\ikbevent.sys;c:\windows\SYSNATIVE\DRIVERS\ikbevent.sys [x]
S3 imsevent;Intel Upper Mouse Class Filter Driver;c:\windows\system32\DRIVERS\imsevent.sys;c:\windows\SYSNATIVE\DRIVERS\imsevent.sys [x]
S3 ISCT;Intel® Smart Connect Technology Device Driver;c:\windows\system32\drivers\ISCTD64.sys;c:\windows\SYSNATIVE\drivers\ISCTD64.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys;c:\windows\SYSNATIVE\drivers\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys;c:\windows\SYSNATIVE\drivers\iusb3xhc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-11 08:32 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-27 17:23]
.
2014-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-27 17:23]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-03-22 165872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-03-22 407536]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-03-22 441840]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2013-10-23 7203032]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_38_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_38.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-03  13:42:14
ComboFix-quarantined-files.txt  2014-09-03 20:42
.
Pre-Run: 865,075,781,632 bytes free
Post-Run: 864,716,963,840 bytes free
.
- - End Of File - - 685C053584BBF5C1A7AE1DCFCECE752C
A36C5E4F47E84449FF07ED3517B43A31
 



#6 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:05:06 AM

Posted 04 September 2014 - 12:46 AM

Hello hillbillyzombie,

 

According to the log you posted, ComboFix did not seem to do very much.

 

Do you notice any difference/improvement after running ComboFix?

 

==========

 

Also, please do the following.

 

================================================

 

TDSS Killer Scan

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

  • Download TDSSKiller.exe and save it to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
  • Please post the contents of that log in your next reply.

================================================

 

What I'd like to see in your next reply:   :thumbsup2: 

  • Any improvement after running ComboFix?
  • TDSS Scan Log

CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#7 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:05:06 AM

Posted 07 September 2014 - 12:24 PM

Hello hillbillyzombie,

 

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.


CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:06 AM

Posted 12 September 2014 - 12:37 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users