
Powelik and Adclicker activity detected ....


This topic is locked
20 replies to this topic

#1 Mike00Beth
  • Members

Posted 18 November 2014 - 12:05 AM

Hi.

I have been fighting with Poweliks and losing poorly. Roughly one week ago (Nov 7th), I saw a flash warning on the corner of my screen that I was infected with something and the website was blocked for 600 seconds. Blah, blah, blah. Same story as everyone else. My processor was working harder than usual and I had about 6 extra dllhost*32 processes. I did manual scans of my Norton Anti-virus (build 12.1.1.5) ... nothing found. Norton Power Eraser ... nothing found. I downloaded the Norton Poweliks removal tool ... nothing found. The extra processes have morphed from dllhost.exe to dllhst3g.exe and finally to svchost.

I found this wonderful website during my search for answers and I humbly beg for your assistance (and hopefully learn about this along the way).

I am running Windows 7 and have Norton Anti-virus (Build 12.1.1.5). I have attached my DDS and FRST logs. Thank you in advance for your help.

Sincerely,

Mike

Attached Files




#2 TB-Psychotic
  • Malware Response Team

Posted 18 November 2014 - 07:43 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.

Full System Scan with Malwarebytes Antimalware

  • If not already installed, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Mike00Beth
  • Topic Starter
  • Members

Posted 19 November 2014 - 01:18 AM

Marius,

First, thank you for helping me with this. This is WAY out of my league. FRST failed after about 10 minutes of "fixing". I attached the error screenshot. MAB did a scan and nothing was found.

Here is the information you requested:

FRST fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-11-2014
Ran by Mike at 2014-11-19 00:04:38 Run:1
Running from C:\Users\Mike\Desktop\Bleeping Computer
Loaded Profile: Mike (Available profiles: Mike & ..Admin)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CustomCLSID: HKU\S-1-5-21-1131871246-674600968-2420621672-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
SearchScopes: HKU\S-1-5-21-1131871246-674600968-2420621672-1003 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-1131871246-674600968-2420621672-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
HKU\S-1-5-21-1131871246-674600968-2420621672-1000\...\Run: [.tluafed** <*>] => C:\Users\Mike\Application Data\{000028E6-30FF-40BC-9B2F-8D11DEDA6C12}.ex <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1131871246-674600968-2420621672-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!

AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
AlternateDataStreams: C:\ProgramData\Temp:699BDADB
AlternateDataStreams: C:\ProgramData\Temp:D1787194

C:\Users\Mike\.hemsFavorites.dat

EmptyTemp:
*****************

"HKU\S-1-5-21-1131871246-674600968-2420621672-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Error deleting key. The key could be protected.
"HKU\S-1-5-21-1131871246-674600968-2420621672-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key not found.
"HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key not found.
"HKU\S-1-5-21-1131871246-674600968-2420621672-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key not found.
"HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key not found.
HKU\S-1-5-21-1131871246-674600968-2420621672-1000\Software\Microsoft\Windows\CurrentVersion\Run\\.tluafed** <*> => Value Deleted Successfully.
"HKU\S-1-5-21-1131871246-674600968-2420621672-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Error deleting key. The key could be protected.
"HKU\S-1-5-21-1131871246-674600968-2420621672-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Error deleting key. The key could be protected.
C:\ProgramData\Temp => ":2CB9631F" ADS removed successfully.
C:\ProgramData\Temp => ":699BDADB" ADS removed successfully.
C:\ProgramData\Temp => ":D1787194" ADS removed successfully.
C:\Users\Mike\.hemsFavorites.dat => Moved successfully.

MAB scan log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/19/2014
Scan Time: 12:25:20 AM
Logfile: 
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.19.01
Rootkit Database: v2014.11.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: ..Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 367390
Time Elapsed: 20 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Attached Files
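As an added example (not code from this thread, from FRST, or from Malwarebytes), a short Python triage script that applies the checks a responder would run over the FRST lines posted above: it flags the rundll32.exe javascript: launch in the CLSID localserver32 entry, reverses the one-character shift on the quoted eval() string to show what the stored payload starts with, and flags the Run value name with invalid characters. The sample input reuses the log lines from this post plus one constructed, benign Run entry as a control; the set of suspect name characters is an assumption.

```python
"""Triage of FRST log lines for the Poweliks indicators seen in this thread.

Added example; not FRST's code and not part of the original posts.
"""
import re

# Sample input: the first three lines are copied from the FRST fixlog posted
# above (SIDs, GUIDs and the truncated eval() string exactly as FRST printed
# them); the fourth is a constructed, benign Run entry used as a control.
SAMPLE_FRST_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-1131871246-674600968-2420621672-1000_Classes'
    r'\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
    r'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds '
    r'(the data entry has 247 more characters). <==== Poweliks?',
    r'HKU\S-1-5-21-1131871246-674600968-2420621672-1000\...\Run: [.tluafed** <*>] => '
    r'C:\Users\Mike\Application Data\{000028E6-30FF-40BC-9B2F-8D11DEDA6C12}.ex '
    r'<===== ATTENTION (Value Name with invalid characters)',
    r'AlternateDataStreams: C:\ProgramData\Temp:2CB9631F',
    r'HKLM\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe',
]

# rundll32 started with the javascript: protocol handler is the launch
# technique FRST marked "Poweliks?" in the CLSID localserver32 entry above.
RUNDLL_JS = re.compile(r'rundll32(?:\.exe)?\s+javascript:', re.IGNORECASE)
# Argument passed to eval(); FRST truncates the value, so only a prefix exists.
EVAL_ARG = re.compile(r'eval\("(\S+)')
# Value name in the square brackets of an FRST "Run:" line.
RUN_NAME = re.compile(r'\\Run: \[([^\]]*)\]')
# Characters a legitimate autorun value name does not contain (assumed list).
SUSPECT_NAME_CHARS = set('*<>|?"')


def shift_decode(blob: str, shift: int = 1) -> str:
    """Undo the one-position character shift in the quoted eval() string:
    every character was stored one code point higher ('e' for 'd', '/' for '.')."""
    return ''.join(chr(ord(c) - shift) for c in blob)


def check_line(line: str) -> list:
    """Return the findings for one FRST line; an empty list means nothing flagged."""
    findings = []
    if RUNDLL_JS.search(line):
        findings.append('rundll32 javascript: launch in a registry load point (Poweliks-style)')
        m = EVAL_ARG.search(line)
        if m:
            findings.append('decoded eval() prefix: ' + shift_decode(m.group(1)))
    m = RUN_NAME.search(line)
    if m:
        name = m.group(1)
        if SUSPECT_NAME_CHARS & set(name) or any(ord(c) < 32 for c in name):
            findings.append(f'Run value name with invalid characters: {name!r}')
    if line.startswith('AlternateDataStreams:'):
        findings.append('alternate data stream on a system folder; review before removal')
    return findings


def triage(lines) -> dict:
    """Map line index -> findings for every line that produced at least one."""
    result = {}
    for i, line in enumerate(lines):
        found = check_line(line)
        if found:
            result[i] = found
    return result


if __name__ == '__main__':
    for idx, found in triage(SAMPLE_FRST_LINES).items():
        print(f'line {idx}:')
        for item in found:
            print('  -', item)
```

The decoded prefix shows the stored value is a script-writing stub rather than a file path, which is why Mike's file-based scanners reported nothing.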



#4 TB-Psychotic
  • Malware Response Team

Posted 21 November 2014 - 06:01 PM

Scan with ESET Online Scan

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.



#5 Mike00Beth
  • Topic Starter
  • Members

Posted 23 November 2014 - 01:05 AM

Marius,

I could not get the ESET link to work. I found it directly using a Google search but I think my IE settings are not right ... I could not get the scan to launch. The popup screen was blank. I did run IE as an administrator.

Any ideas?

#6 Mike00Beth
  • Topic Starter
  • Members

Posted 23 November 2014 - 01:25 AM

Disregard. I tried it with MFF and it is scanning now. Results to follow....

#7 Mike00Beth
  • Topic Starter
  • Members

Posted 23 November 2014 - 10:17 PM

ESET log result:

C:\$RECYCLE.BIN\S-1-5-21-1131871246-674600968-2420621672-1000\$RW226AZ.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application


Still having lots of warnings by MBAM as it is blocking websites. IE and MFF processes grow to huge memory suckers once either is started.

Still anxious to remove this infection and am awaiting further guidance. Thanks in advance.

#8 TB-Psychotic
  • Malware Response Team

Posted 04 December 2014 - 07:42 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#9 Mike00Beth
  • Topic Starter
  • Members

Posted 05 December 2014 - 08:25 PM

I ran Combofix. Attached are the results. Norton is still blocking svchost and tcpip. I don't see any additional processes, though. I hope you've gotten me close to the finish line.....

ComboFix 14-12-04.01 - ..Admin 12/05/2014  19:34:05.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8087.5617 [GMT -5:00]
Running from: c:\users\..Admin\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-06 to 2014-12-06  )))))))))))))))))))))))))))))))
.
.
2014-12-06 00:42 . 2014-12-06 00:42	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-12-02 23:34 . 2014-12-02 23:34	--------	d-----w-	c:\users\Mike\AppData\Local\Microsoft Games
2014-11-23 06:19 . 2014-11-23 06:19	--------	d-----w-	c:\program files (x86)\ESET
2014-11-19 05:24 . 2014-12-06 00:27	129752	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-19 05:24 . 2014-12-06 00:27	--------	d-----w-	c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-19 05:24 . 2014-11-21 11:14	63704	----a-w-	c:\windows\system32\drivers\mwac.sys
2014-11-19 05:24 . 2014-11-21 11:14	93400	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2014-11-19 05:24 . 2014-11-21 11:14	25816	----a-w-	c:\windows\system32\drivers\mbam.sys
2014-11-19 05:24 . 2014-11-19 05:24	--------	d-----w-	c:\programdata\Malwarebytes
2014-11-18 03:41 . 2014-11-19 05:05	--------	d-----w-	C:\FRST
2014-11-10 12:26 . 2014-12-04 13:17	--------	d-----w-	c:\users\..Admin
2014-11-09 23:30 . 2014-11-09 23:31	--------	d-----w-	C:\NPE
2014-11-09 23:29 . 2014-11-09 23:37	--------	d-----w-	c:\users\Mike\AppData\Local\NPE
2014-11-09 23:23 . 2014-11-09 23:23	--------	d-----w-	c:\users\Mike\AppData\Local\Macromedia
2014-11-09 23:22 . 2014-11-09 23:23	--------	d-----w-	c:\users\Mike\AppData\Local\Mozilla
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-18 12:21 . 2014-04-16 03:37	98216	----a-w-	c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-10 02:05 . 2014-10-31 19:02	276480	----a-w-	c:\windows\system32\generaltel.dll
2014-10-10 02:05 . 2014-10-31 19:02	507392	----a-w-	c:\windows\system32\aepdu.dll
2014-10-10 02:00 . 2014-10-31 19:02	424448	----a-w-	c:\windows\system32\aeinv.dll
2014-10-03 14:02 . 2013-07-31 05:22	103265616	----a-w-	c:\windows\system32\MRT.exe
2014-09-29 00:58 . 2014-10-31 19:02	3198976	----a-w-	c:\windows\system32\win32k.sys
2014-09-25 02:08 . 2014-10-31 18:59	371712	----a-w-	c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-31 18:59	519680	----a-w-	c:\windows\SysWow64\qdvd.dll
2014-09-20 05:18 . 2014-10-31 18:58	51712	----a-w-	c:\windows\system32\ie4uinit.exe
2014-09-20 05:17 . 2014-10-31 18:58	2236928	----a-w-	c:\windows\system32\wininet.dll
2014-09-20 05:17 . 2014-10-31 18:58	1407488	----a-w-	c:\windows\system32\urlmon.dll
2014-09-20 05:16 . 2014-10-31 18:58	197120	----a-w-	c:\windows\system32\msrating.dll
2014-09-20 05:16 . 2014-10-31 18:58	97280	----a-w-	c:\windows\system32\mshtmled.dll
2014-09-20 05:16 . 2014-10-31 18:58	19280896	----a-w-	c:\windows\system32\mshtml.dll
2014-09-20 05:16 . 2014-10-31 18:58	603136	----a-w-	c:\windows\system32\msfeeds.dll
2014-09-20 05:16 . 2014-10-31 18:59	53760	----a-w-	c:\windows\system32\jsproxy.dll
2014-09-20 05:16 . 2014-10-31 18:59	3959296	----a-w-	c:\windows\system32\jscript9.dll
2014-09-20 05:16 . 2014-10-31 18:58	855552	----a-w-	c:\windows\system32\jscript.dll
2014-09-20 05:16 . 2014-10-31 18:58	526336	----a-w-	c:\windows\system32\ieui.dll
2014-09-20 05:16 . 2014-10-31 18:58	2655232	----a-w-	c:\windows\system32\iertutil.dll
2014-09-20 05:16 . 2014-10-31 18:58	39936	----a-w-	c:\windows\system32\iernonce.dll
2014-09-20 05:16 . 2014-10-31 18:58	67072	----a-w-	c:\windows\system32\iesetup.dll
2014-09-20 05:16 . 2014-10-31 18:58	136704	----a-w-	c:\windows\system32\iesysprep.dll
2014-09-20 05:16 . 2014-10-31 18:58	15399424	----a-w-	c:\windows\system32\ieframe.dll
2014-09-20 05:16 . 2014-10-31 18:58	255488	----a-w-	c:\windows\system32\iedkcs32.dll
2014-09-20 05:15 . 2014-10-31 18:59	451584	----a-w-	c:\windows\system32\dxtmsft.dll
2014-09-20 05:15 . 2014-10-31 18:59	281600	----a-w-	c:\windows\system32\dxtrans.dll
2014-09-20 05:15 . 2014-10-31 18:58	1508864	----a-w-	c:\windows\system32\inetcpl.cpl
2014-09-20 03:57 . 2014-10-31 18:59	1762816	----a-w-	c:\windows\SysWow64\wininet.dll
2014-09-20 03:57 . 2014-10-31 18:59	2861568	----a-w-	c:\windows\SysWow64\jscript9.dll
2014-09-20 03:57 . 2014-10-31 18:58	61440	----a-w-	c:\windows\SysWow64\iesetup.dll
2014-09-20 03:57 . 2014-10-31 18:58	109056	----a-w-	c:\windows\SysWow64\iesysprep.dll
2014-09-20 03:56 . 2014-10-31 18:58	1440768	----a-w-	c:\windows\SysWow64\inetcpl.cpl
2014-09-20 03:38 . 2014-10-31 18:59	2706432	----a-w-	c:\windows\system32\mshtml.tlb
2014-09-20 03:33 . 2014-10-31 18:59	2706432	----a-w-	c:\windows\SysWow64\mshtml.tlb
2014-09-20 02:43 . 2014-10-31 18:58	89600	----a-w-	c:\windows\system32\RegisterIEPKEYs.exe
2014-09-20 02:35 . 2014-10-31 18:58	71680	----a-w-	c:\windows\SysWow64\RegisterIEPKEYs.exe
2014-09-18 02:00 . 2014-10-31 19:00	3241472	----a-w-	c:\windows\system32\msi.dll
2014-09-18 01:32 . 2014-10-31 19:00	2363904	----a-w-	c:\windows\SysWow64\msi.dll
2014-09-13 18:59 . 2011-03-29 02:36	23256	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-09-13 01:58 . 2014-10-31 18:58	77312	----a-w-	c:\windows\system32\packager.dll
2014-09-13 01:40 . 2014-10-31 18:58	67072	----a-w-	c:\windows\SysWow64\packager.dll
2014-09-09 22:11 . 2014-10-31 18:59	2048	----a-w-	c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-10-31 18:59	2048	----a-w-	c:\windows\SysWow64\tzres.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2011-12-05 291096]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP CoolSense"="c:\program files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe" [2012-11-05 1343904]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-05 62752]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-09-07 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-06-06 3076096]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrSerIb.sys [x]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys;c:\windows\SYSNATIVE\DRIVERS\BrUsbSIb.sys [x]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys;c:\windows\SYSNATIVE\DRIVERS\motfilt.sys [x]
R3 GamesAppIntegrationService;GamesAppIntegrationService;c:\program files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys;c:\windows\SYSNATIVE\DRIVERS\motccgp.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys;c:\windows\SYSNATIVE\DRIVERS\Motousbnet.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys;c:\windows\SYSNATIVE\DRIVERS\motusbdevice.sys [x]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys;c:\windows\SYSNATIVE\drivers\NMgamingms.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 SyDvCtrl;SyDvCtrl;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\SyDvCtrl64.sys;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\SyDvCtrl64.sys [x]
R3 TrueService;TrueAPI Service component;c:\program files\Common Files\AuthenTec\TrueService.exe;c:\program files\Common Files\AuthenTec\TrueService.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys;c:\windows\SYSNATIVE\drivers\iusb3hcs.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C0107DF\07DF.105\x64\SYMDS64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C0107DF\07DF.105\x64\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C0107DF\07DF.105\x64\SYMEFA64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C0107DF\07DF.105\x64\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\BASHDefs\20141119.011\BHDrvx64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\BASHDefs\20141119.011\BHDrvx64.sys [x]
S1 ccSettings_{3771A34D-2132-48EA-A486-D62ECDF9D553};Symantec Endpoint Protection 12.1.2015.2015.105 Settings Manager;c:\windows\system32\Drivers\SEP\0C0107DF\07DF.105\x64\ccSetx64.sys;c:\windows\SYSNATIVE\Drivers\SEP\0C0107DF\07DF.105\x64\ccSetx64.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\IPSDefs\20141205.012\IDSvia64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Definitions\IPSDefs\20141205.012\IDSvia64.sys [x]
S1 NEOFLTR_7115_25271;Juniper Networks TDI Filter Driver (NEOFLTR_7115_25271);c:\windows\system32\Drivers\NEOFLTR_7115_25271.SYS;c:\windows\SYSNATIVE\Drivers\NEOFLTR_7115_25271.SYS [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C0107DF\07DF.105\x64\Ironx64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C0107DF\07DF.105\x64\Ironx64.SYS [x]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C0107DF\07DF.105\x64\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C0107DF\07DF.105\x64\SYMNETS.SYS [x]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass\TrueSuiteService.exe;c:\program files (x86)\HP SimplePass\TrueSuiteService.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel(R) ME Service;Intel(R) ME Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [x]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [x]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys;c:\windows\SYSNATIVE\drivers\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys;c:\windows\SYSNATIVE\drivers\iusb3xhc.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsP2Stor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 SmbDrv;SmbDrv;c:\windows\system32\drivers\Smb_driver.sys;c:\windows\SYSNATIVE\drivers\Smb_driver.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBAMWEBACCESSCONTROL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-28 21:23	1089352	----a-w-	c:\program files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-23 14:36]
.
2014-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-23 14:36]
.
2014-12-04 c:\windows\Tasks\HPCeeScheduleForMIKE-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 12:43]
.
2014-12-02 c:\windows\Tasks\HPCeeScheduleForMike.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 12:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-30 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-30 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-30 440600]
"SetDefault"="c:\program files\Hewlett-Packard\HP LaunchBox\SetDefault.exe" [2011-12-20 44880]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2013-08-15 1425408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-10-22 21720]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Open with PDF Viewer Plus - c:\program files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
TCP: DhcpNameServer = 10.59.0.1
Handler: x-owacid2 - {5B290518-830E-4C57-A66B-E4F748900C27} - c:\program files (x86)\Microsoft\SMIME Client (2010)\mimectl.dll
FF - ProfilePath - c:\users\..Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fm4cvs23.default\
FF - prefs.js: browser.startup.homepage - hxxp://g.msn.com/HPNOT/1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM_Wow6432Node-ActiveSetup-{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} - msiexec
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin64\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-05  19:44:07
ComboFix-quarantined-files.txt  2014-12-06 00:44
.
Pre-Run: 782,466,392,064 bytes free
Post-Run: 781,954,859,008 bytes free
.
- - End Of File - - 8B9576BECDA7D55B85991848B12E187D



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 08 December 2014 - 08:50 AM

Please show me the symantec log.

I need to see what exactly is blocked.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 Mike00Beth
  • Topic Starter

  • Members
  • 14 posts

Posted 08 December 2014 - 09:58 AM

Here are some screenshots.  I'll send more as they pop up.  My computer worked well for about an hour after I ran Combofix.  However, after about an hour, I started getting new processes showing up and now I feel like I haven't gotten anywhere.  I feel like the virus/Trojan is morphing itself to keep under the radar.  I got the latest Trojan just this afternoon when I logged on to send this reply.
 
I have been updating MBAM and NAV constantly and keeping my internet usage log.  I am feeling frustrated, so I appreciate your continued help.


Attached Files



#12 Mike00Beth
  • Topic Starter

  • Members
  • 14 posts

Posted 08 December 2014 - 06:42 PM

Here is the latest one for Trojan.Powelik activity....

Attached Files



#13 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 09 December 2014 - 03:02 AM

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.



#14 Mike00Beth
  • Topic Starter

  • Members
  • 14 posts

Posted 10 December 2014 - 02:42 PM

I don't know if this makes sense, but my computer does not show any extraordinary processes running while I am logged in as the administrator.  I hope this means we are making progress.  Thank you for your continued assistance.

Attached Files



#15 Mike00Beth
  • Topic Starter

  • Members
  • 14 posts

Posted 16 December 2014 - 09:28 AM

Disregard my last post. I was painfully wrong. My computer is slowly getting worse. I am trying to be patient and wait for your next instruction(s). Please help.

Edited by Mike00Beth, 16 December 2014 - 09:29 AM.




