Chrome infected with startnow on launch


2 replies to this topic

#1 lakerswiz
Posted 11 May 2015 - 01:06 PM

ComboFix 15-05-09.01 - The Furniture King 05/11/2015  10:41:48.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3838.1602 [GMT -7:00]
Running from: c:\users\The Furniture King\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\aappsavee
c:\program files (x86)\aappsavee\II3b8buEnKfe6k.dat
c:\program files (x86)\aappsavee\II3b8buEnKfe6k.dll
c:\program files (x86)\aappsavee\II3b8buEnKfe6k.tlb
c:\program files (x86)\aappsavee\II3b8buEnKfe6k.x64.dll
c:\program files (x86)\freeE2you
c:\program files (x86)\freeE2you\8qd27T7ThSbYjZ.dat
c:\program files (x86)\freeE2you\8qd27T7ThSbYjZ.dll
c:\program files (x86)\freeE2you\8qd27T7ThSbYjZ.tlb
c:\program files (x86)\freeE2you\8qd27T7ThSbYjZ.x64.dll
c:\programdata\600635201266103939
c:\programdata\600635201266103939\c82ba59a4fab6da9cb26a1a0654f9cbc.ini
c:\programdata\600635201266103939\cba7e870448052accb26a1a0654f9cbc.ini
c:\programdata\600635201266103939\d7285e57b7aa3050cb26a1a0654f9cbc.ini
c:\programdata\600635201266103939\f91231144eed7931cb26a1a0654f9cbc.ini
c:\users\The Furniture King\AppData\Local\assembly\tmp
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Extensions\aalnjolghjkkogicompabhhbbkljnlka
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Extensions\aalnjolghjkkogicompabhhbbkljnlka\119\background.html
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Extensions\aalnjolghjkkogicompabhhbbkljnlka\119\content.js
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Extensions\aalnjolghjkkogicompabhhbbkljnlka\119\lsdb.js
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Extensions\aalnjolghjkkogicompabhhbbkljnlka\119\manifest.json
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Extensions\aalnjolghjkkogicompabhhbbkljnlka\119\xX.js
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_aalnjolghjkkogicompabhhbbkljnlka_0.localstorage-journal
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_aalnjolghjkkogicompabhhbbkljnlka_0.localstorage
c:\users\The Furniture King\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\The Furniture King\AppData\Roaming\Mozilla\Firefox\Profiles\9ayawng7.default-1373304727697\extensions\BAsn@r.net
c:\users\The Furniture King\AppData\Roaming\Mozilla\Firefox\Profiles\9ayawng7.default-1373304727697\extensions\BAsn@r.net\bootstrap.js
c:\users\The Furniture King\AppData\Roaming\Mozilla\Firefox\Profiles\9ayawng7.default-1373304727697\extensions\BAsn@r.net\chrome.manifest
c:\users\The Furniture King\AppData\Roaming\Mozilla\Firefox\Profiles\9ayawng7.default-1373304727697\extensions\BAsn@r.net\content\bg.js
c:\users\The Furniture King\AppData\Roaming\Mozilla\Firefox\Profiles\9ayawng7.default-1373304727697\extensions\BAsn@r.net\install.rdf
.
.
(((((((((((((((((((((((((   Files Created from 2015-04-11 to 2015-05-11  )))))))))))))))))))))))))))))))
.
.
2015-05-11 17:51 . 2015-05-11 17:51 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2015-05-11 17:51 . 2015-05-11 17:51 -------- d-----w- c:\users\The Furniture King\AppData\Local\temp
2015-05-11 17:51 . 2015-05-11 17:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-05-11 16:56 . 2015-05-11 16:56 -------- d-----w- c:\users\The Furniture King\AppData\Local\CrashDumps
2015-05-11 16:52 . 2015-05-11 17:19 -------- d-----w- c:\program files (x86)\Context
2015-05-11 15:34 . 2015-05-11 15:34 -------- d-----w- c:\users\The Furniture King\AppData\Roaming\SUPERAntiSpyware.com
2015-05-11 15:34 . 2015-05-11 17:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2015-05-11 15:34 . 2015-05-11 15:34 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2015-05-11 08:50 . 2015-05-11 08:50 79 ----a-w- c:\program files (x86)\prefs.js
2015-05-11 08:29 . 2015-05-11 08:29 -------- d-----w- c:\program files (x86)\SegmentProlonger
2015-05-08 09:28 . 2015-04-04 06:25 12032440 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3231595E-0055-4C5D-8572-A30A6B5D385D}\mpengine.dll
2015-05-04 19:34 . 2015-05-04 19:34 -------- d-----w- C:\found.001
2015-04-20 17:52 . 2015-05-11 08:30 -------- d-----w- c:\programdata\62ff6160000023a4
2015-04-20 17:50 . 2015-04-20 17:50 -------- d-----w- c:\programdata\COMODO
2015-04-20 17:49 . 2015-04-20 17:49 -------- d-----w- c:\users\The Furniture King\AppData\Local\Spoon
2015-04-20 17:46 . 2015-04-20 17:46 -------- d-----w- c:\users\The Furniture King\AppData\Roaming\Free Picture Solutions
2015-04-20 17:46 . 2015-05-04 19:10 -------- d-----w- c:\program files (x86)\360
2015-04-20 17:46 . 2015-04-20 17:52 -------- d-----w- c:\program files (x86)\Super Optimizer
2015-04-20 17:45 . 2015-05-11 17:11 -------- d-----w- c:\programdata\{320d61bb-e06a-8468-320d-d61bbe0686ef}
2015-04-20 17:45 . 2015-04-20 17:45 -------- d-----w- c:\program files (x86)\Free Downloads
2015-04-15 10:01 . 2015-03-05 02:23 57344 ----a-w- c:\windows\SysWow64\clfsw32.dll
2015-04-15 10:01 . 2015-03-05 02:14 360384 ----a-w- c:\windows\system32\clfs.sys
2015-04-15 10:01 . 2015-03-05 01:58 77824 ----a-w- c:\windows\system32\clfsw32.dll
2015-04-15 10:01 . 2015-03-09 01:01 1249280 ----a-w- c:\windows\SysWow64\msxml3.dll
2015-04-15 10:01 . 2015-03-09 00:40 1869824 ----a-w- c:\windows\system32\msxml3.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-15 10:02 . 2006-11-02 12:35 128913832 ----a-w- c:\windows\system32\mrt.exe
2015-04-15 03:57 . 2012-04-02 21:23 778416 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-04-15 03:57 . 2011-07-13 14:45 142512 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-03-13 01:43 . 2015-04-15 10:12 43008 ----a-w- c:\windows\apppatch\acwow64.dll
2015-03-06 04:01 . 2015-03-11 10:00 279040 ----a-w- c:\windows\SysWow64\schannel.dll
2015-03-06 03:35 . 2015-03-11 10:00 347136 ----a-w- c:\windows\system32\schannel.dll
2015-02-26 00:31 . 2015-03-11 10:10 2792960 ----a-w- c:\windows\system32\win32k.sys
2015-02-24 11:17 . 2009-10-03 04:40 295552 ------w- c:\windows\system32\MpSigStub.exe
2015-02-20 02:03 . 2015-03-11 10:12 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2015-02-20 01:44 . 2015-03-11 10:12 48128 ----a-w- c:\windows\system32\atmlib.dll
2015-02-20 00:39 . 2015-03-11 10:12 372224 ----a-w- c:\windows\system32\atmfd.dll
2015-02-20 00:28 . 2015-03-11 10:12 296960 ----a-w- c:\windows\SysWow64\atmfd.dll
2015-02-18 01:42 . 2015-03-11 10:09 12899840 ----a-w- c:\windows\system32\shell32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-10-08 17:07 233128 ----a-w- c:\users\The Furniture King\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-10-08 17:07 233128 ----a-w- c:\users\The Furniture King\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-10-08 17:07 233128 ----a-w- c:\users\The Furniture King\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2015-03-25 7806232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"Trigger New Acer AlaunchX"="c:\acer\Preload\Command\AlaunchX\AppInRun.exe" [2008-07-17 8192]
"Smart Copy"="c:\program files (x86)\IOI\Smart Copy\ButtonMonitor.exe" [2008-05-21 53248]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-19 1022152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"New Acer AlaunchX"="c:\acer\Preload\Command\AlaunchX\LaunchAlaunchX.exe" [2008-07-17 200704]
.
c:\users\The Furniture King\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
hqghumeaylnlf.lnk - c:\programdata\{320d61bb-e06a-8468-320d-d61bbe0686ef}\hqghumeaylnlf.exe /startup [2014-4-20 6368728]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-5 113664]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R1 360FsFlt;360FsFlt mini-filter driver;c:\windows\system32\DRIVERS\360FsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\360FsFlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ   getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-30 12:23 988488 ----a-w- c:\program files (x86)\Google\Chrome\Application\42.0.2311.135\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 03:57]
.
2015-05-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-13 06:36]
.
2015-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-02-11 18:02]
.
2015-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-02-11 18:02]
.
2015-05-11 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 6aa3ab87-c092-4723-9fc8-de110ca36541.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]
.
2015-05-11 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task cfe43547-40fb-4fac-8855-c56f6bba0983.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-10-08 17:07 260776 ----a-w- c:\users\The Furniture King\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-10-08 17:07 260776 ----a-w- c:\users\The Furniture King\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-10-08 17:07 260776 ----a-w- c:\users\The Furniture King\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-19 6453760]
"Skytel"="Skytel.exe" [2008-07-19 1826816]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_ir_15_17&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWinYahoo%26cd%3D2XzuyEtN2Y1L1QzutDtDtBtCzzyDyCzy0ByEtAtByE0EtCtCtN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StCtBtB0A0F0BtCyCtGtBtBtDyEtGyCyC0AyDtGyC0EtBtBtGyBtD0FyD0FyCtA0BtA0ByDtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCtD0F0FtA0EzyyCtGyDtCyByBtGyEtDyByEtG0A0ByDyDtGyByE0FyD0E0FtCtC0DtA0F0F2QtN0A0LzuyE%26cr%3D1264801107%26a%3Dwny_ir_15_17%26os%3DWindows ™ Vista Home Premium
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0808&m=dx4720-03
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\The Furniture King\AppData\Roaming\Mozilla\Firefox\Profiles\9ayawng7.default-1373304727697\
FF - prefs.js: browser.startup.homepage - hxxp://us.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_ir_15_17&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dus%26pa%3DWinYahoo%26cd%3D2XzuyEtN2Y1L1QzutDtDtBtCzzyDyCzy0ByEtAtByE0EtCtCtN0D0Tzu0StCtBtDyDtN1L2XzutAtFzytFzztFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StCtBtB0A0F0BtCyCtGtBtBtDyEtGyCyC0AyDtGyC0EtBtBtGyBtD0FyD0FyCtA0BtA0ByDtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCtD0F0FtA0EzyyCtGyDtCyByBtGyEtDyByEtG0A0ByDyDtGyByE0FyD0E0FtCtC0DtA0F0F2QtN0A0LzuyE%26cr%3D1264801107%26a%3Dwny_ir_15_17%26os%3DWindows ™ Vista Home Premium
FF - ExtSQL: !HIDDEN! 2009-09-02 03:00; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2010-08-16 07:46; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-eRecoveryService - (no file)
Wow6432Node-HKLM-Run-hpqSRMon - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.17"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
Completion time: 2015-05-11  10:55:45
ComboFix-quarantined-files.txt  2015-05-11 17:55
.
Pre-Run: 406,894,743,552 bytes free
Post-Run: 417,707,675,648 bytes free
.
- - End Of File - - 295D4B47195EF432BEA277D996759B7A
B751AF1ACDDD7A1A71313731839F4ECB
#2 nasdaq
  • Malware Response Team
Posted 16 May 2015 - 07:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===


How is the computer running?
Wait for further instructions.

#3 nasdaq
  • Malware Response Team
Posted 21 May 2015 - 07:00 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
