
How to use Combofix Antivirus Log Files ?



#1 EsraPaksoy

Posted 20 March 2015 - 06:39 PM

Hi guys,

I have a problem with my USB memory viruses. I downloaded the ComboFix antivirus program. It scanned my computer and created a log file in local disk C. I didn't understand how I can use this file?

Thank you so much.

 

ComboFix 15-03-14.03 - Esra Paksoy 21.03.2015   0:42.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1254.90.1055.18.2924.634 [GMT 2:00]
Running from: c:\users\Esra Paksoy\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Andy\HandyAndy.exe
c:\users\Esra Paksoy\AppData\Local\assembly\tmp
c:\users\Esra Paksoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2FD1AD80-0EF4-4ADC-AA72-8A38E82AC4B6}.xps
c:\users\Esra Paksoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3B9CDCD7-9E92-4C2D-92C8-0D3243D6ED96}.xps
c:\users\Esra Paksoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{50D8C097-5340-4378-B04C-B2F0343E2582}.xps
c:\users\Esra Paksoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{BD56A05C-235D-4BF7-9FC0-FE4EB785B577}.xps
c:\users\Esra Paksoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{BE35F0A9-61EE-44E1-9DA7-8559A34D2A4B}.xps
c:\users\Esra Paksoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DA824DFC-1769-407C-921D-3EA94A459B50}.xps
c:\users\Esra Paksoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\autoupdate.php
D:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2015-02-20 to 2015-03-20  )))))))))))))))))))))))))))))))
.
.
2015-03-20 23:03 . 2015-03-20 23:03 -------- d-----w- c:\users\Guest\AppData\Local\temp
2015-03-20 22:14 . 2015-03-20 22:14 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{35B6081A-B5D5-429B-A7DA-5A9C2A32F27F}\offreg.dll
2015-03-20 22:08 . 2015-03-20 22:08 -------- d-----w- c:\program files (x86)\FreeCommander
2015-03-20 22:08 . 2015-03-20 22:08 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\FreeCommander
2015-03-20 20:21 . 2015-01-29 09:07 11910896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{35B6081A-B5D5-429B-A7DA-5A9C2A32F27F}\mpengine.dll
2015-03-19 22:12 . 2015-03-19 22:12 -------- d-----w- c:\windows\SysWow64\config\systemprofile\Oracle
2015-03-18 10:36 . 2015-03-18 10:37 -------- d-----w- c:\users\Esra Paksoy\Oracle
2015-03-18 10:31 . 2015-03-18 10:31 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
2015-03-18 10:29 . 2015-03-18 10:29 -------- d-----w- C:\oraclexe
2015-03-16 09:30 . 2015-03-16 09:30 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\Andy
2015-03-15 23:41 . 2015-03-15 23:41 101680 ----a-w- c:\windows\system32\drivers\zam64.sys
2015-03-15 23:41 . 2015-03-15 23:41 -------- d-----w- c:\program files (x86)\Zemana AntiMalware
2015-03-15 23:41 . 2015-03-15 23:41 -------- d-----w- c:\users\Esra Paksoy\AppData\Local\Zemana
2015-03-14 15:22 . 2015-03-14 15:22 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\VisualParadigm
2015-03-13 20:29 . 2015-03-13 20:29 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\Subversion
2015-03-13 20:28 . 2015-03-16 16:52 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\SQL Developer
2015-03-13 19:58 . 2015-01-15 22:10 252296 ----a-w- c:\windows\system32\javaws.exe
2015-03-13 19:58 . 2015-01-15 22:10 188808 ----a-w- c:\windows\system32\javaw.exe
2015-03-13 19:58 . 2015-01-15 22:10 188808 ----a-w- c:\windows\system32\java.exe
2015-03-13 18:09 . 2015-03-13 18:09 -------- d-----w- c:\windows\system32\config\systemprofile\Oracle
2015-03-13 01:08 . 2015-03-13 01:08 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2015-03-11 16:05 . 2015-02-03 03:12 1005056 ----a-w- c:\windows\SysWow64\cryptui.dll
2015-03-11 16:04 . 2015-01-31 03:48 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2015-03-11 16:04 . 2015-01-31 03:48 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2015-03-11 16:04 . 2015-01-30 23:56 243200 ----a-w- c:\windows\system32\rdpudd.dll
2015-03-11 16:02 . 2015-01-17 02:48 1067520 ----a-w- c:\windows\system32\msctf.dll
2015-03-11 15:54 . 2015-02-04 03:16 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2015-03-11 15:54 . 2015-02-04 02:54 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2015-03-05 21:29 . 2015-03-13 18:07 -------- d-----w- c:\users\Esra Paksoy\AppData\Local\Genymobile
2015-03-05 14:07 . 2015-03-05 14:07 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\IsolatedStorage
2015-03-05 13:39 . 2015-03-05 13:39 -------- d-----w- c:\users\Esra Paksoy\.AndroidStudio
2015-03-05 13:30 . 2015-03-05 16:01 -------- d-----w- c:\users\Esra Paksoy\AppData\Local\Android
2015-03-05 13:29 . 2015-03-05 15:54 -------- d-----w- c:\program files\Android
2015-03-03 20:33 . 2015-01-09 03:14 91136 ----a-w- c:\windows\system32\wdi.dll
2015-03-03 20:33 . 2015-01-09 03:14 950272 ----a-w- c:\windows\system32\perftrack.dll
2015-03-03 20:33 . 2015-01-09 03:14 29696 ----a-w- c:\windows\system32\powertracker.dll
2015-03-03 20:33 . 2015-01-09 02:48 76800 ----a-w- c:\windows\SysWow64\wdi.dll
2015-03-02 18:42 . 2015-03-02 18:42 37888 ----a-w- c:\programdata\Microsoft\VisualStudio\11.0\Addins\DevExpress.Patch.Vsa.dll
2015-03-02 18:42 . 2015-03-02 18:42 37888 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\Addins\DevExpress.Patch.Vsa.dll
2015-03-02 18:12 . 2015-03-02 18:12 -------- d-----w- c:\program files (x86)\Common Files\DevExpress
2015-03-02 18:12 . 2015-03-02 19:18 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\DevExpress
2015-03-02 17:59 . 2015-03-02 17:59 -------- d-----w- c:\program files (x86)\DevExpress
2015-02-28 16:47 . 2015-03-01 10:09 -------- d-----w- c:\users\Esra Paksoy\AppData\Roaming\SmartDraw
2015-02-28 16:47 . 2015-02-28 16:47 -------- d-----w- c:\users\Esra Paksoy\AppData\Local\SmartDraw
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-19 22:11 . 2015-02-05 21:43 4194304 ----a-w- c:\windows\ServiceProfiles\NetworkService\msmqlog.bin
2015-03-13 01:14 . 2014-07-17 07:43 122905848 ----a-w- c:\windows\system32\MRT.exe
2015-03-10 20:14 . 2015-02-05 16:38 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2015-03-10 20:14 . 2015-02-11 19:01 524624 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2015-03-06 18:44 . 2015-02-03 14:45 1929120 ----a-w- c:\programdata\Microsoft\VisualStudio\11.0\1033\ResourceCache.dll
2015-03-03 21:37 . 2015-02-11 20:02 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2015-02-24 01:17 . 2010-11-21 03:27 295552 ------w- c:\windows\system32\MpSigStub.exe
2015-02-22 11:06 . 2015-02-05 16:38 524624 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2015-02-17 13:26 . 2015-02-17 13:26 1217184 ----a-w- c:\windows\SysWow64\FM20.DLL
2015-02-11 11:38 . 2015-02-04 17:13 84448 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2015-02-05 15:25 . 2014-09-25 20:56 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-05 15:25 . 2014-09-25 20:56 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-02-05 15:25 . 2015-02-05 15:25 5070512 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2015-02-04 03:16 . 2015-02-11 13:09 609280 ----a-w- c:\windows\system32\generaltel.dll
2015-02-04 03:16 . 2015-02-11 13:09 762368 ----a-w- c:\windows\system32\invagent.dll
2015-02-04 03:16 . 2015-02-11 13:09 414720 ----a-w- c:\windows\system32\devinv.dll
2015-02-04 03:16 . 2015-02-11 13:09 894976 ----a-w- c:\windows\system32\appraiser.dll
2015-02-04 03:16 . 2015-02-11 13:09 227328 ----a-w- c:\windows\system32\aepdu.dll
2015-02-04 03:16 . 2015-02-11 13:09 192000 ----a-w- c:\windows\system32\aepic.dll
2015-02-04 03:13 . 2015-02-11 13:09 1098752 ----a-w- c:\windows\system32\aeinv.dll
2015-02-03 12:40 . 2014-10-30 23:57 1060512 ----a-w- c:\programdata\Microsoft\WDExpress\11.0\1033\ResourceCache.dll
2015-01-27 23:36 . 2015-02-11 13:09 1239720 ----a-w- c:\windows\system32\aitstatic.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify"="c:\users\Esra Paksoy\AppData\Roaming\Spotify\Spotify.exe" [2014-12-12 6737976]
"Spotify Web Helper"="c:\users\Esra Paksoy\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-12-12 1676344]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-11-14 20584608]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2014-03-04 3696912]
"Office Timeline Performance Helper"="c:\program files (x86)\Office Timeline\Current\OfficeTimelineStartup.exe" [2014-12-19 13056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"CanonQuickMenu"="c:\program files (x86)\Canon\Quick Menu\CNQMMAIN.EXE" [2013-05-02 1282120]
.
c:\users\Esra Paksoy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Ekran Kırpıcı ve Başlatıcı.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 228552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Mobile Broadband HL Service;Mobile Broadband HL Service;c:\programdata\MobileBrServ\mbbservice.exe;c:\programdata\MobileBrServ\mbbservice.exe [x]
R2 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;d:\app\EsraPaksoy\product\11.2.0\dbhome_1\BIN\TNSLSNR ;d:\app\EsraPaksoy\product\11.2.0\dbhome_1\BIN\TNSLSNR  [x]
R2 OracleServiceORCL;OracleServiceORCL;d:\app\esrapaksoy\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL;d:\app\esrapaksoy\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 c2wts;Claims to Windows Token Service;c:\program files\Windows Identity Foundation\v3.5\c2wtshost.exe;c:\program files\Windows Identity Foundation\v3.5\c2wtshost.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 OracleJobSchedulerORCL;OracleJobSchedulerORCL;d:\app\esrapaksoy\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL;d:\app\esrapaksoy\product\11.2.0\dbhome_1\Bin\extjob.exe ORCL [x]
R3 OracleOraDb11g_home1ClrAgent;OracleOraDb11g_home1ClrAgent;d:\app\EsraPaksoy\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe;d:\app\EsraPaksoy\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe [x]
R3 OracleVssWriterORCL;Oracle ORCL VSS Writer Service;d:\app\esrapaksoy\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL;d:\app\esrapaksoy\product\11.2.0\dbhome_1\bin\OraVSSW.exe ORCL [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 Te.Service;Te.Service;c:\program files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe;c:\program files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;tsusbhub [x]
R4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\11.2.0\server\Bin\extjob.exe XE;c:\oraclexe\app\oracle\product\11.2.0\server\Bin\extjob.exe XE [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\11.2.0\server\bin\ORACLE.EXE XE;c:\oraclexe\app\oracle\product\11.2.0\server\bin\ORACLE.EXE XE [x]
S2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe;c:\oraclexe\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys;c:\windows\SYSNATIVE\DRIVERS\JME.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ   w3svc was
apphost REG_MULTI_SZ   apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-03-13 01:33 1061704 ----a-w- c:\program files (x86)\Google\Chrome\Application\41.0.2272.89\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-03-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-25 15:25]
.
2015-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-07-16 14:52]
.
2015-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-07-16 14:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-10 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-10 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-10 417560]
"Zemana AntiMalware"="c:\program files (x86)\Zemana AntiMalware\ZAM.exe" [2015-02-24 10340720]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mDefault_Search_URL = hxxp://search.netmahal.com/?bd=ds&oem=ntsvc&uid=ST9320325AS_6VDAYD59XXXX6VDAYD59&version=2.0.0.1288&pid=414031160&cs=b23cc085c20863fab37fc1fef42fd075&q={searchTerms}
mDefault_Page_URL = hxxp://www.netmahal.com/?bd=hp&oem=ntsvc&uid=ST9320325AS_6VDAYD59XXXX6VDAYD59&version=2.0.0.1288&pid=414031160&cs=b23cc085c20863fab37fc1fef42fd075
mStart Page = hxxp://www.netmahal.com/?bd=hp&oem=ntsvc&uid=ST9320325AS_6VDAYD59XXXX6VDAYD59&version=2.0.0.1288&pid=414031160&cs=b23cc085c20863fab37fc1fef42fd075
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://search.netmahal.com/?bd=ds&oem=ntsvc&uid=ST9320325AS_6VDAYD59XXXX6VDAYD59&version=2.0.0.1288&pid=414031160&cs=b23cc085c20863fab37fc1fef42fd075&q={searchTerms}
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Microsoft Excel'e &Ver - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: OneNote'a G&önder - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
FF - ProfilePath - c:\users\Esra Paksoy\AppData\Roaming\Mozilla\Firefox\Profiles\tjeyad1y.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
user_pref(extensions.autoDisableScopes,14);
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Wow6432Node-HKCU-Run-CAHeadless - c:\program files (x86)\Adobe\Elements 12 Organizer\CAHeadless\ElementsAutoAnalyzer.exe
Wow6432Node-HKLM-Run-Andy - c:\program files\Andy\HandyAndy.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
WebBrowser-{91397D20-1446-11D4-8AF4-0040CA1127B6} - (no file)
ShellIconOverlayIdentifiers-{E056AFDD-03E9-4D73-8D33-8FCCBCA73438} - (value not set)
AddRemove-PCWHD - c:\progra~2\PICC\UNWISE.EXE
AddRemove-VOPackage - c:\users\Esra Paksoy\AppData\Roaming\VOPackage\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\OracleOraDb11g_home1ClrAgent]
"ImagePath"="d:\app\EsraPaksoy\product\11.2.0\dbhome_1\bin\OraClrAgnt.exe agent_sid=CLRExtProc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25 ENVS=\"EXTPROC_DLLS=ONLY:d:\app\EsraPaksoy\product\11.2.0\dbhome_1\bin\oraclr11.dll\""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\OracleOraDb11g_home1TNSListener]
"ImagePath"="d:\app\EsraPaksoy\product\11.2.0\dbhome_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.alb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="PhotoManager.9.alb"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.eps"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.gif"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.iff"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.pcd"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.png"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.tga"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.tif"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="MAGIXviewer.tiff"
.
[HKEY_USERS\S-1-5-21-996457554-3539074267-3233923954-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%_*C*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-996457554-3539074267-3233923954-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%_*C*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-996457554-3539074267-3233923954-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*€%€%¾*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-996457554-3539074267-3233923954-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*€%€%¾*\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-03-21  01:12:06
ComboFix-quarantined-files.txt  2015-03-20 23:12
.
Pre-Run: 14.019.534.848 bytes free
Post-Run: 17.650.917.376 bytes free
.
- - End Of File - - 1EF4B42518CE83321C4D0E8F9D13663C
A36C5E4F47E84449FF07ED3517B43A31
 



 


#2 Aaflac

Malware Response Team

Posted 20 March 2015 - 09:15 PM

EsraPaksoy,

 

Is the issue that your USB memory drive is infected? If so, ComboFix is not the program to start with.

 

Can you provide more information about the USB drive, and what is happening with it?

 

Thanks!


Old duck...




