Suspicious ComboFix log. Hidden malware! Please help.


3 replies to this topic

#1 combofix432

combofix432

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 06 August 2015 - 03:12 AM

Hi guys, I have been trying to remove malware from my computer, which I suspect has been infected for over a year. The operating system is an upgraded Windows 8.1. Since I wanted to run ComboFix, I restored it to Windows 8 using the factory settings, while keeping all my files.

 

Then I ran TDSSKiller, RKill, ComboFix, RogueKiller, Malwarebytes Anti-Malware, HitmanPro, ESET Online Scanner and Emsisoft Emergency Kit, in that order. I restarted the computer after running ComboFix, which turned out to be difficult because all of a sudden the restart button stopped working; it said epowerbutton.exe was not working, so I used Win+I to get to another restart button. Nothing was found after all of this. HitmanPro found the most, by finding cookies in my web browser. This made me very suspicious, knowing that the PC has been infected for over a year.

 

When I looked at the ComboFix log, it lists locked registry keys that are hard for me to recognize as legit or not. I became even more suspicious when I ran the GMER rootkit scanner: it says ''C:\WINDOWS\system32\config\system:The process cannot access the file because it is being used by another process''. After I press OK it continues to scan, but when I press Stop it says the same thing again, and also ''C:\user\selam\ntuser.dat.The process cannot access the file because it is being used by another process''.

 

When I use GMER on my other, clean computer none of this happens; it works perfectly. I don't want to throw this PC away, so please help. I will post the ComboFix log below. Some of the headers are in Swedish, but everything else is in English. Thank you for your support!




#2 combofix432

combofix432
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 06 August 2015 - 03:14 AM

Here is the ComboFix log:

 

ComboFix 15-08-03.01 - selam 2015-08-05  23:11:07.2.2 - x64
Microsoft Windows 8  6.2.9200.0.1252.46.1053.18.3911.1426 [GMT 2:00]
Körs från: c:\users\selam\Desktop\ComboFix.exe
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((   Filer skapade från 2015-07-05 till 2015-08-05  ))))))))))))))))))))))))))))))
.
.
2015-08-05 21:17 . 2015-08-05 21:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-08-05 21:17 . 2015-08-05 21:17 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2015-08-05 20:52 . 2015-08-05 20:53 113880 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-08-05 20:52 . 2015-08-05 20:52 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-08-05 20:52 . 2015-08-05 20:52 -------- d-----w- c:\programdata\Malwarebytes
2015-08-05 20:52 . 2015-06-18 06:42 64216 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-08-05 20:52 . 2015-06-18 06:41 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-08-05 20:52 . 2015-06-18 06:41 109272 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-08-05 20:25 . 2015-08-05 20:25 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-08-05 20:24 . 2015-08-05 20:25 -------- d-----w- c:\program files\RogueKiller
2015-08-05 20:21 . 2015-08-05 21:09 -------- d-----w- c:\programdata\RogueKiller
2015-08-05 19:51 . 2015-08-05 19:52 -------- d-----w- c:\program files (x86)\Google
2015-08-05 19:42 . 2015-08-05 19:42 -------- d-----w- C:\Windows.old
2015-08-05 19:14 . 2015-08-05 19:14 -------- d-----w- C:\$WINDOWS.~BT
2015-08-05 18:57 . 2015-08-05 18:57 -------- d-----w- c:\program files\Preload
2015-08-05 18:54 . 2015-08-05 18:54 17536 ----a-w- c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2015-08-05 18:45 . 2015-08-05 18:57 -------- d-----w- c:\users\selam
2015-08-05 18:11 . 2015-08-05 19:13 -------- d-----w- C:\$SysReset
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RadioController"="c:\program files (x86)\RadioController\RfBtnHelper.exe" [2013-01-05 111216]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2012-08-15 2994880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLinkedConnections"= 1 (0x1)
.
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 DeviceFastLaneService;Device Fast-lane Service;c:\program files\Packard Bell\Packard Bell Device Fast-lane\DeviceFastLaneSvc.exe;c:\program files\Packard Bell\Packard Bell Device Fast-lane\DeviceFastLaneSvc.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
S1 ccSet_NARA;NARA Settings Manager;c:\windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NARAx64\0401000.00E\ccSetx64.sys [x]
S2 BrcmCardReader;Broadcom Card Reader Service;c:\program files\Broadcom\MemoryCard\BrcmCardReader.exe;c:\program files\Broadcom\MemoryCard\BrcmCardReader.exe [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RfButtonDriverService;Dritek RF Button Command Service;c:\windows\RfBtnSvc64.exe;c:\windows\RfBtnSvc64.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 ZAtheros Wlan Agent;ZAtheros Wlan Agent;c:\program files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe;c:\program files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [x]
S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\System32\drivers\b57xdbd.sys;c:\windows\SYSNATIVE\drivers\b57xdbd.sys [x]
S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\System32\drivers\b57xdmp.sys;c:\windows\SYSNATIVE\drivers\b57xdmp.sys [x]
S3 bScsiMSa;bScsiMSa;c:\windows\System32\drivers\bScsiMSa.sys;c:\windows\SYSNATIVE\drivers\bScsiMSa.sys [x]
S3 bScsiSDa;bScsiSDa;c:\windows\System32\drivers\bScsiSDa.sys;c:\windows\SYSNATIVE\drivers\bScsiSDa.sys [x]
S3 ePowerSvc;ePower Service;c:\program files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe;c:\program files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe [x]
S3 IntcDAud;Intel® bildskärmsljud;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 Ps2Kb2Hid;PS/2 Keyboard to HID Driver;c:\windows\System32\drivers\aPs2Kb2Hid.sys;c:\windows\SYSNATIVE\drivers\aPs2Kb2Hid.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-08-05 19:52 995144 ----a-w- c:\program files (x86)\Google\Chrome\Application\44.0.2403.130\Installer\chrmstp.exe
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2015-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-08-05 19:51]
.
2015-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-08-05 19:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-10-23 171040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-10-23 399392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-10-23 441888]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-06-11 12503184]
.
------- Extra genomsökning -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Hash"="q9KT0+CEC6w="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Hash"="0dIuO5Ak4Oo="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Hash"="cL/qY1bi3hs="
"ProgId"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Hash"="FzRsN8mbIQ4="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (Administrator)
"Hash"="0KaxvpfcWRU="
"ProgId"="AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adt\UserChoice]
@Denied: (2) (Administrator)
"Hash"="7mdgI9/e0hg="
"ProgId"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adts\UserChoice]
@Denied: (2) (Administrator)
"Hash"="G9nahOsCoE8="
"ProgId"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Hash"="ZWytlCBndB0="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (Administrator)
"Hash"="V1FeuxvOaoc="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (Administrator)
"Hash"="I476ntToR6o="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (Administrator)
"Hash"="KVcfBr82iRc="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (Administrator)
"Hash"="i0cJvH51OFQ="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (Administrator)
"Hash"="6f4BdFbhSqI="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (Administrator)
"Hash"="l98DBTss6c4="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Hash"="CoA7KvX1TNI="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Hash"="EWlkXMQm2FE="
"ProgId"="AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Hash"="gWuD94h5emA="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Hash"="qNS63XtndQY="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP2\UserChoice]
@Denied: (2) (Administrator)
"Hash"="tenwYC+caa4="
"ProgId"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Hash"="F94sU8LCs+k="
"ProgId"="AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Hash"="ozv7qux92qI="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Hash"="gEHnzMzRZ5A="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Hash"="lsd3+lVBkZo="
"ProgId"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MPE\UserChoice]
@Denied: (2) (Administrator)
"Hash"="BUpWo+JQ2Bw="
"ProgId"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Hash"="LAOvAofpfcU="
"ProgId"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Hash"="+b5b+WR/Uog="
"ProgId"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (Administrator)
"Hash"="kl+bVvaWgPw="
"ProgId"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.oxps\UserChoice]
@Denied: (2) (Administrator)
"Hash"="MEEBr+fQaYc="
"ProgId"="AppX86746z2101ayy2ygv3g96e4eqdf8r99j"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice]
@Denied: (2) (Administrator)
"Hash"="d+Ha/TVnbX4="
"ProgId"="AppX86746z2101ayy2ygv3g96e4eqdf8r99j"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (Administrator)
"Hash"="NsQEdqjYxEM="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (Administrator)
"Hash"="Nl5gNuiwnFc="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (Administrator)
"Hash"="zCgo0t4ujRI="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice]
@Denied: (2) (Administrator)
"Hash"="9NIpss4ND0w="
"ProgId"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\UserChoice]
@Denied: (2) (Administrator)
"Hash"="k+rCXVdE1DU="
"ProgId"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Hash"="+Mc1gggXWsA="
"ProgId"="AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\UserChoice]
@Denied: (2) (Administrator)
"Hash"="/bygC4LU0EE="
"ProgId"="AppX9vdwcvrwnbettpahnt26jswq0n8hgyah"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Hash"="J3qD36jOy60="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Hash"="dYkM5N7Dyc4="
"ProgId"="AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Hash"="9HOHq/Vy7uE="
"ProgId"="AppXhjhjmgrfm2d7rd026az898dy2p1pcsyt"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice]
@Denied: (2) (Administrator)
"Hash"="+xYdTDj2kU4="
"ProgId"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xps\UserChoice]
@Denied: (2) (Administrator)
"Hash"="SqGoKgp0M3k="
"ProgId"="AppX86746z2101ayy2ygv3g96e4eqdf8r99j"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Sluttid: 2015-08-05  23:27:00
ComboFix-quarantined-files.txt  2015-08-05 21:26
ComboFix2.txt  2015-08-05 20:19
.
Före genomsökningen: 349 875 494 912 bytes free
Efter genomsökningen: 349 824 364 544 bytes free
.
- - End Of File - - 89EAB8DF89D0E09BCA6E7A0309B66625
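As an added triage helper (not part of this thread, and not ComboFix's own code), this Python script parses the locked-registry-keys section of a ComboFix log like the one above and separates the per-extension FileExts\...\UserChoice entries, which Windows 8 itself creates with a Deny-SetValue ACE and a Hash value, from everything else, which is left for manual review. The English-build section markers and the 8-byte hash check are this example's assumptions about how ComboFix prints the section and how UserChoice hashes are stored.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Section markers as ComboFix prints them; the English-build strings are an assumption.
SECTION_START = ("LÅSTA REGISTERNYCKLAR", "LOCKED REGISTRY KEYS")
SECTION_END = ("Sluttid:", "Completion time:")
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
DENIED_LINE = re.compile(r"^@Denied:\s*\((\w+)\)\s*\((.+)\)$")
# Per-user file-association keys: Windows 8 itself writes these with a Deny ACE
# for KEY_SET_VALUE (mask 2) and a Hash value, so ComboFix lists them as locked.
USERCHOICE = re.compile(r"\\Explorer\\FileExts\\(\.[^\\]+)\\UserChoice$", re.I)

@dataclass
class LockedKey:
    path: str
    denied: List[str] = field(default_factory=list)   # e.g. "(2) (Administrator)"
    values: Dict[str, str] = field(default_factory=dict)
    verdict: str = "review"
    reason: str = ""

def parse_locked_keys(log_text: str) -> List[LockedKey]:
    """Return the entries of the locked-registry-keys section, in log order."""
    keys: List[LockedKey] = []
    current: Optional[LockedKey] = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = any(marker in line for marker in SECTION_START)
            continue
        if line.startswith(SECTION_END):
            break
        if m := KEY_LINE.match(line):
            current = LockedKey(path=m.group(1))
            keys.append(current)
        elif current is None:
            continue
        elif m := DENIED_LINE.match(line):
            current.denied.append(f"({m.group(1)}) ({m.group(2)})")
        elif m := VALUE_LINE.match(line):
            current.values[m.group(1)] = m.group(2)
    return keys

def hash_looks_valid(b64: str) -> bool:
    """A UserChoice hash is an 8-byte value stored base64-encoded."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 8
    except (binascii.Error, ValueError):
        return False

def classify(key: LockedKey) -> LockedKey:
    """Mark the standard UserChoice shape as expected; anything else stays 'review'."""
    m = USERCHOICE.search(key.path)
    if (m and "ProgId" in key.values and hash_looks_valid(key.values.get("Hash", ""))
            and key.denied and all(d.startswith("(2)") for d in key.denied)):
        key.verdict = "expected"
        key.reason = f"Windows-protected association for {m.group(1)}"
    else:
        key.reason = "not the UserChoice pattern; check ACL and values by hand"
    return key

def triage(log_text: str) -> List[LockedKey]:
    return [classify(k) for k in parse_locked_keys(log_text)]

# Constructed excerpt in the shape of the log above (entries copied from it).
SAMPLE_LOG = r"""
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
[HKEY_USERS\S-1-5-21-533003946-2387135784-3296583122-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Hash"="F94sU8LCs+k="
"ProgId"="AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
Sluttid: 2015-08-05  23:27:00
"""
```

Run `triage(SAMPLE_LOG)` on the full log above and only the PCW\Security entry falls into the review bucket; every FileExts entry is the expected Windows 8 shape.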


#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,957 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:48 AM

Posted 07 August 2015 - 11:16 AM

Greetings,

Since you posted the same issue at http://www.computerforum.com/threads/suspicious-combofix-log-please-help.235334/ and are receiving help there, I am going to close this topic.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,957 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:48 AM

Posted 07 August 2015 - 11:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



