Jump to content

Malwarebytes

PING.exe Virus

- - - - -
Started by Bizong, Feb 08 2012 02:07 AM


28 replies to this topic

#1
Bizong
Posted 08 February 2012 - 02:07 AM

    New Member

  • Members
  • Pip
  • 14 posts
Ping.exe keeps starting up even though I keep terminating it with the Task Manager. Also had a "9 News Today" pop up a lot on Firefox
Attached are the DDS and Attach.txt

Attached Files


#2
Elise
Posted 08 February 2012 - 02:48 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Hello and :welcome:

Unfortunately you have a nasty rootkit on your computer. Please read the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#3
Bizong
Posted 08 February 2012 - 02:40 PM

    New Member

  • Members
  • Pip
  • 14 posts
I would like to proceed with the cleanup, and I'd like to thank you in advance for taking the time to help me get rid of this.


ComboFix 12-02-08.02 - Christian 02/08/2012 14:25:08.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.4083 [GMT -5:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Christian\AppData\Local\._Revolution_
c:\users\Christian\AppData\Local\assembly\tmp
c:\users\Christian\AppData\Roaming\inst.exe
c:\users\Christian\AppData\Roaming\vso_ts_preview.xml
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2012-02-08 19:32 . 2012-02-08 19:32 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-02-08 19:32 . 2012-02-08 19:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-08 05:24 . 2012-02-08 05:24 -------- d-----w- c:\users\Christian\AppData\Local\BigHugeEngine
2012-02-08 05:22 . 2012-02-08 19:33 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-08 05:14 . 2012-02-08 05:14 -------- d-----w- c:\program files (x86)\EA Games
2012-02-07 21:45 . 2012-01-06 05:15 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CF312B06-E1F5-4F89-A0ED-C0E528BE8616}\mpengine.dll
2012-02-05 22:29 . 2012-02-06 01:46 -------- d-----w- c:\program files (x86)\World of Warcraft
2012-02-03 09:29 . 2012-02-03 09:29 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
2012-02-03 09:29 . 2012-02-03 09:29 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2012-02-02 08:28 . 2012-02-02 09:03 -------- d-----w- c:\users\Christian\AppData\Roaming\DMCache
2012-02-02 08:28 . 2012-02-02 08:28 -------- d-----w- c:\program files (x86)\Internet Download Manager
2012-02-01 01:43 . 2012-02-08 07:36 -------- d-----w- c:\users\Christian\AppData\Local\Unity
2012-01-26 22:46 . 2012-01-26 23:36 -------- dc----w- c:\windows\system32\DRVSTORE
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\program files\Common Files\Apple
2012-01-25 01:55 . 2010-11-17 02:24 750440 ------w- c:\windows\system32\HPDiscoPM9311.dll
2012-01-25 01:55 . 2012-01-25 07:53 -------- d-----w- c:\programdata\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files (x86)\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files\HP
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\users\Christian\AppData\Local\BIT.TRIP RUNNER
2012-01-22 01:34 . 2012-01-22 01:34 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\program files (x86)\OpenAL
2012-01-18 22:50 . 2012-01-18 23:03 -------- d-----w- c:\users\Christian\.android
2012-01-18 22:50 . 2012-01-18 22:50 -------- d-----w- c:\program files (x86)\Android
2012-01-18 22:49 . 2012-02-08 19:18 -------- d-----w- c:\users\Christian\AppData\Local\Htc
2012-01-18 22:49 . 2012-01-18 22:49 -------- d-----w- c:\program files\Oracle
2012-01-18 22:49 . 2012-01-18 23:33 -------- d-----w- c:\users\Christian\AppData\Roaming\HTC
2012-01-18 22:47 . 2011-11-09 00:40 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-18 22:47 . 2011-11-09 00:40 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 22:47 . 2012-01-18 22:49 -------- d-----w- c:\program files\Java
2012-01-18 22:44 . 2012-01-18 23:22 -------- d-----w- C:\android
2012-01-18 22:16 . 2012-01-18 22:16 -------- d-----w- c:\program files (x86)\Spirent Communications
2012-01-18 22:16 . 2012-01-18 22:49 -------- d-----w- c:\program files (x86)\HTC
2012-01-11 20:57 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 20:57 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 20:57 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 20:57 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 20:57 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 20:57 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-11 20:57 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 20:57 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 09:36 . 2012-02-02 21:12 45016 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-01-11 09:36 . 2012-01-11 09:36 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-11 09:36 . 2012-01-11 09:36 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-11 09:36 . 2012-01-11 09:36 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 05:52 . 2010-02-16 11:13 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-02 08:12 . 2010-04-16 07:54 850152 ----a-w- c:\windows\SysWow64\SpoonUninstall.exe
2011-12-10 20:24 . 2010-11-19 03:48 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:52 . 2011-12-15 01:16 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 19:03 . 2011-10-02 20:47 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
"DisplayFusion"="c:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2011-06-01 1949088]
"Akamai NetSession Interface"="c:\users\Christian\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-01-24 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-06-05 1310720]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Razer Lachesis Driver"="c:\program files (x86)\Razer\Lachesis 5600\LachesisSysTray.exe" [2010-12-02 760720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"LUTManager"="c:\program files (x86)\LUT Manager\LUTManager.exe" [2008-02-06 319488]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files (x86)\Xfire\Xfire.exe [2012-2-3 3530136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2011-12-02 8704]
R3 ALSysIO;ALSysIO;c:\users\CHRIST~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 cpuz130;cpuz130;c:\users\CHRIST~1\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-08-15 130976]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
R3 Gun;Gun;c:\windows\system32\Gun64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VaneFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Christian\Documents\Real Temp\WinRing0x64.sys [2008-07-27 14544]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
S3 cmudaxp;ASUS Xonar Essence STX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2009-10-30 8151040]
"Cmaudio8788GX"="c:\windows\syswow64\HsMgr.exe" [2008-07-11 200704]
"Cmaudio8788GX64"="c:\windows\system\HsMgr64.exe" [2008-07-11 282112]
"SoundMAX"="c:\program files (x86)\Analog Devices\SoundMAX\soundmax.exe" [2009-05-18 3866624]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"combofix"="c:\combofix\CF29615.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dlaudf_m
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{95E47232-8A90-465D-8DBF-E21C0421A46A}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\1tnvxjn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2747244&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.reddit.com/r/all
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
Wow6432Node-HKLM-Run-BrMfcWnd - c:\program files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-dBpoweramp CD Writer - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp DSP Effects - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp m4a Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp Windows Media Audio 10 Codec - c:\windows\system32\SpoonUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_e286960.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1088636791-3136549013-2296628263-1001\Software\SecuROM\License information*]
"datasecu"=hex:5e,09,26,c7,7e,c5,30,6a,59,a0,26,4a,9a,13,99,cd,8e,64,56,be,11,
f1,f8,59,a9,c2,a4,dd,c2,81,e9,87,ee,a0,10,29,fc,5e,80,98,3d,07,3e,45,66,40,\
"rkeysecu"=hex:35,8b,48,80,7c,cc,7e,32,ab,b4,aa,49,da,0a,42,ee
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files\ASUS Xonar Essence STX Audio\Customapp\ASUSAUDIOCENTER.EXE
.
**************************************************************************
.
Completion time: 2012-02-08 14:39:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-08 19:39
.
Pre-Run: 522,622,361,600 bytes free
Post-Run: 523,177,529,344 bytes free
.
- - End Of File - - DCDD9FA162B04A2B9F737864ECA35CFF

#4
Elise
Posted 08 February 2012 - 03:18 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Hi again, it appears we are dealing with a newer rootkit version which has an extra layer of protection.

We Need to Run a Batch Script

  • Press the Windows Logo in the bottom left corner of your screen.
  • In the Posted Image box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    @echo off
regedit /e "%userprofile%\desktop\export.txt" "hkey_local_machine\system\currentcontrolset\services\dlaudf_m"
start "%userprofile%\desktop\export.txt"
del %0
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the Posted Image box, type in Fix.bat.
  • Press Posted Image.
  • Close Notepad.
  • Right click Posted Image on your desktop, and choose Posted Image.
  • Press Yes if prompted by User Account Control.
When finished a log called export.txt will open, please copy its contents in your next reply.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#5
Bizong
Posted 08 February 2012 - 03:24 PM

    New Member

  • Members
  • Pip
  • 14 posts
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dlaudf_m]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Agpcpq"
"ObjectName"="LocalSystem"
"Description"=hex(2):41,00,67,00,70,00,63,00,70,00,71,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\dlaudf_m\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6c,00,69,00,63,00,65,00,6e,00,73,00,65,00,73,00,65,00,72,00,76,00,69,00,63,\
00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001

#6
Elise
Posted 08 February 2012 - 03:30 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Please go to http://www.virustotal.com and upload the following file: c:\windows\system32\licenseservice.dll

Please link me to the VT scan results.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#7
Bizong
Posted 08 February 2012 - 03:36 PM

    New Member

  • Members
  • Pip
  • 14 posts
https://www.virustot...sis/1328733345/

#8
Elise
Posted 08 February 2012 - 03:49 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Lets see if we can now remove it. :)

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
NetSvc::
dlaudf_m

Driver::
dlaudf_m

Rootkit::
c:\windows\system32\licenseservice.dll
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#9
Bizong
Posted 08 February 2012 - 04:09 PM

    New Member

  • Members
  • Pip
  • 14 posts
ComboFix 12-02-08.02 - Christian 02/08/2012 15:54:34.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.3822 [GMT -5:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
Command switches used :: c:\users\Christian\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\cfg.ini
c:\windows\SysWow64\config\systemprofile\appdata\roaming\adobe\sp.Dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_dlaudf_m
-------\Service_SPService
.
.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2012-02-08 21:00 . 2012-02-08 21:00 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-02-08 21:00 . 2012-02-08 21:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-08 05:24 . 2012-02-08 05:24 -------- d-----w- c:\users\Christian\AppData\Local\BigHugeEngine
2012-02-08 05:22 . 2012-02-08 19:33 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-08 05:14 . 2012-02-08 05:14 -------- d-----w- c:\program files (x86)\EA Games
2012-02-07 21:45 . 2012-01-06 05:15 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CF312B06-E1F5-4F89-A0ED-C0E528BE8616}\mpengine.dll
2012-02-05 22:29 . 2012-02-06 01:46 -------- d-----w- c:\program files (x86)\World of Warcraft
2012-02-03 09:29 . 2012-02-03 09:29 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
2012-02-03 09:29 . 2012-02-03 09:29 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2012-02-02 08:28 . 2012-02-02 09:03 -------- d-----w- c:\users\Christian\AppData\Roaming\DMCache
2012-02-02 08:28 . 2012-02-02 08:28 -------- d-----w- c:\program files (x86)\Internet Download Manager
2012-02-01 01:43 . 2012-02-08 07:36 -------- d-----w- c:\users\Christian\AppData\Local\Unity
2012-01-26 22:46 . 2012-01-26 23:36 -------- dc----w- c:\windows\system32\DRVSTORE
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\program files\Common Files\Apple
2012-01-25 01:55 . 2010-11-17 02:24 750440 ------w- c:\windows\system32\HPDiscoPM9311.dll
2012-01-25 01:55 . 2012-01-25 07:53 -------- d-----w- c:\programdata\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files (x86)\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files\HP
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\users\Christian\AppData\Local\BIT.TRIP RUNNER
2012-01-22 01:34 . 2012-01-22 01:34 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\program files (x86)\OpenAL
2012-01-18 22:50 . 2012-01-18 23:03 -------- d-----w- c:\users\Christian\.android
2012-01-18 22:50 . 2012-01-18 22:50 -------- d-----w- c:\program files (x86)\Android
2012-01-18 22:49 . 2012-02-08 19:18 -------- d-----w- c:\users\Christian\AppData\Local\Htc
2012-01-18 22:49 . 2012-01-18 22:49 -------- d-----w- c:\program files\Oracle
2012-01-18 22:49 . 2012-01-18 23:33 -------- d-----w- c:\users\Christian\AppData\Roaming\HTC
2012-01-18 22:47 . 2011-11-09 00:40 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-18 22:47 . 2011-11-09 00:40 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 22:47 . 2012-01-18 22:49 -------- d-----w- c:\program files\Java
2012-01-18 22:44 . 2012-01-18 23:22 -------- d-----w- C:\android
2012-01-18 22:16 . 2012-01-18 22:16 -------- d-----w- c:\program files (x86)\Spirent Communications
2012-01-18 22:16 . 2012-01-18 22:49 -------- d-----w- c:\program files (x86)\HTC
2012-01-11 20:57 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 20:57 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 20:57 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 20:57 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 20:57 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 20:57 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-11 20:57 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 20:57 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 09:36 . 2012-02-02 21:12 45016 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-01-11 09:36 . 2012-01-11 09:36 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-11 09:36 . 2012-01-11 09:36 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-11 09:36 . 2012-01-11 09:36 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 05:52 . 2010-02-16 11:13 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-02 08:12 . 2010-04-16 07:54 850152 ----a-w- c:\windows\SysWow64\SpoonUninstall.exe
2011-12-10 20:24 . 2010-11-19 03:48 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:52 . 2011-12-15 01:16 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 19:03 . 2011-10-02 20:47 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-08_19.33.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-08 05:33 . 2012-02-08 20:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-02-08 05:33 . 2012-02-08 06:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-02-08 06:05 . 2012-02-08 20:07 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012020820120209\index.dat
- 2012-02-08 06:05 . 2012-02-08 06:34 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012020820120209\index.dat
- 2012-02-08 05:33 . 2012-02-08 06:34 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-02-08 05:33 . 2012-02-08 20:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-02-16 13:53 . 2012-02-08 19:33 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 13:53 . 2012-02-08 19:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 13:53 . 2012-02-08 19:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-16 13:53 . 2012-02-08 19:33 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-08 19:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-08 19:33 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-08 20:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-16 11:27 . 2012-02-08 20:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-08 19:33 . 2012-02-08 19:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-08 21:02 . 2012-02-08 21:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-02-08 20:59 229376 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-08 20:59 704512 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 05:01 . 2012-02-08 19:32 485316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-02-08 21:01 485316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-02-08 20:59 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-08 19:31 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-27 01:45 . 2012-02-08 21:01 37393812 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1088636791-3136549013-2296628263-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
"DisplayFusion"="c:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2011-06-01 1949088]
"Akamai NetSession Interface"="c:\users\Christian\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-01-24 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-06-05 1310720]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Razer Lachesis Driver"="c:\program files (x86)\Razer\Lachesis 5600\LachesisSysTray.exe" [2010-12-02 760720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"LUTManager"="c:\program files (x86)\LUT Manager\LUTManager.exe" [2008-02-06 319488]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files (x86)\Xfire\Xfire.exe [2012-2-3 3530136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2011-12-02 8704]
R3 ALSysIO;ALSysIO;c:\users\CHRIST~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 cpuz130;cpuz130;c:\users\CHRIST~1\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-08-15 130976]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
R3 Gun;Gun;c:\windows\system32\Gun64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VaneFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Christian\Documents\Real Temp\WinRing0x64.sys [2008-07-27 14544]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
S3 cmudaxp;ASUS Xonar Essence STX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2009-10-30 8151040]
"Cmaudio8788GX"="c:\windows\syswow64\HsMgr.exe" [2008-07-11 200704]
"Cmaudio8788GX64"="c:\windows\system\HsMgr64.exe" [2008-07-11 282112]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"combofix"="c:\combofix\CF14527.3XE" [2010-11-20 345088]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dlaudf_m
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{95E47232-8A90-465D-8DBF-E21C0421A46A}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\1tnvxjn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2747244&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.reddit.com/r/all
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_e286960.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1088636791-3136549013-2296628263-1001\Software\SecuROM\License information*]
"datasecu"=hex:5e,09,26,c7,7e,c5,30,6a,59,a0,26,4a,9a,13,99,cd,8e,64,56,be,11,
f1,f8,59,a9,c2,a4,dd,c2,81,e9,87,ee,a0,10,29,fc,5e,80,98,3d,07,3e,45,66,40,\
"rkeysecu"=hex:35,8b,48,80,7c,cc,7e,32,ab,b4,aa,49,da,0a,42,ee
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\ASUS Xonar Essence STX Audio\Customapp\ASUSAUDIOCENTER.EXE
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2012-02-08 16:07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-08 21:07
ComboFix2.txt 2012-02-08 19:39
.
Pre-Run: 523,281,584,128 bytes free
Post-Run: 523,199,844,352 bytes free
.
- - End Of File - - 048EC2329C4317E43C55CF48E73E8D0A

#10
Elise
Posted 08 February 2012 - 04:18 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Hi, how are things running at this point?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
DDS::
uInternet Settings,ProxyOverride = 127.0.0.1:9421
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#11
Bizong
Posted 08 February 2012 - 04:20 PM

    New Member

  • Members
  • Pip
  • 14 posts
The PING.EXE doesn't seem to be running anymore and i havent gotten that annoying pop-up. So things seem to be looking good.

I'll run this and get back with the log.

#12
Elise
Posted 08 February 2012 - 04:21 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Good to hear that! I'll wait for the log. :)
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#13
Bizong
Posted 08 February 2012 - 04:30 PM

    New Member

  • Members
  • Pip
  • 14 posts
ComboFix 12-02-08.02 - Christian 02/08/2012 16:22:42.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.4520 [GMT -5:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
Command switches used :: c:\users\Christian\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2012-02-08 21:28 . 2012-02-08 21:28 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-02-08 21:28 . 2012-02-08 21:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-08 05:24 . 2012-02-08 05:24 -------- d-----w- c:\users\Christian\AppData\Local\BigHugeEngine
2012-02-08 05:22 . 2012-02-08 19:33 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-08 05:14 . 2012-02-08 05:14 -------- d-----w- c:\program files (x86)\EA Games
2012-02-07 21:45 . 2012-01-06 05:15 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CF312B06-E1F5-4F89-A0ED-C0E528BE8616}\mpengine.dll
2012-02-05 22:29 . 2012-02-06 01:46 -------- d-----w- c:\program files (x86)\World of Warcraft
2012-02-03 09:29 . 2012-02-03 09:29 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
2012-02-03 09:29 . 2012-02-03 09:29 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2012-02-02 08:28 . 2012-02-02 09:03 -------- d-----w- c:\users\Christian\AppData\Roaming\DMCache
2012-02-02 08:28 . 2012-02-02 08:28 -------- d-----w- c:\program files (x86)\Internet Download Manager
2012-02-01 01:43 . 2012-02-08 07:36 -------- d-----w- c:\users\Christian\AppData\Local\Unity
2012-01-26 22:46 . 2012-01-26 23:36 -------- dc----w- c:\windows\system32\DRVSTORE
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\program files\Common Files\Apple
2012-01-25 01:55 . 2010-11-17 02:24 750440 ------w- c:\windows\system32\HPDiscoPM9311.dll
2012-01-25 01:55 . 2012-01-25 07:53 -------- d-----w- c:\programdata\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files (x86)\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files\HP
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\users\Christian\AppData\Local\BIT.TRIP RUNNER
2012-01-22 01:34 . 2012-01-22 01:34 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\program files (x86)\OpenAL
2012-01-18 22:50 . 2012-01-18 23:03 -------- d-----w- c:\users\Christian\.android
2012-01-18 22:50 . 2012-01-18 22:50 -------- d-----w- c:\program files (x86)\Android
2012-01-18 22:49 . 2012-02-08 21:03 -------- d-----w- c:\users\Christian\AppData\Local\Htc
2012-01-18 22:49 . 2012-01-18 22:49 -------- d-----w- c:\program files\Oracle
2012-01-18 22:49 . 2012-01-18 23:33 -------- d-----w- c:\users\Christian\AppData\Roaming\HTC
2012-01-18 22:47 . 2011-11-09 00:40 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-18 22:47 . 2011-11-09 00:40 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 22:47 . 2012-01-18 22:49 -------- d-----w- c:\program files\Java
2012-01-18 22:44 . 2012-01-18 23:22 -------- d-----w- C:\android
2012-01-18 22:16 . 2012-01-18 22:16 -------- d-----w- c:\program files (x86)\Spirent Communications
2012-01-18 22:16 . 2012-01-18 22:49 -------- d-----w- c:\program files (x86)\HTC
2012-01-11 20:57 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 20:57 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 20:57 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 20:57 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 20:57 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 20:57 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-11 20:57 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 20:57 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 09:36 . 2012-02-02 21:12 45016 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-01-11 09:36 . 2012-01-11 09:36 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-11 09:36 . 2012-01-11 09:36 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-01-11 09:36 . 2012-01-11 09:36 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 05:52 . 2010-02-16 11:13 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-02 08:12 . 2010-04-16 07:54 850152 ----a-w- c:\windows\SysWow64\SpoonUninstall.exe
2011-12-10 20:24 . 2010-11-19 03:48 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:52 . 2011-12-15 01:16 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 19:03 . 2011-10-02 20:47 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-08_19.33.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-08 05:33 . 2012-02-08 20:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-02-08 05:33 . 2012-02-08 06:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-02-08 06:05 . 2012-02-08 20:07 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012020820120209\index.dat
- 2012-02-08 06:05 . 2012-02-08 06:34 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012020820120209\index.dat
- 2012-02-08 05:33 . 2012-02-08 06:34 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-02-08 05:33 . 2012-02-08 20:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2009-07-14 05:10 . 2012-02-08 21:05 27786 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-02-16 11:40 . 2012-02-08 21:05 18594 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1088636791-3136549013-2296628263-1001_UserData.bin
+ 2010-02-16 13:53 . 2012-02-08 19:33 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 13:53 . 2012-02-08 19:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-16 13:53 . 2012-02-08 19:33 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-16 13:53 . 2012-02-08 19:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-08 19:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-08 19:33 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-16 11:27 . 2012-02-08 21:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-08 19:33 . 2012-02-08 19:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-08 21:02 . 2012-02-08 21:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-08 19:33 . 2012-02-08 19:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-08 21:02 . 2012-02-08 21:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-02-08 20:59 229376 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-08 20:59 704512 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:01 . 2012-02-08 21:01 485316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-02-08 19:32 485316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-02-08 20:59 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-08 19:31 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-27 01:45 . 2012-02-08 21:01 37393812 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1088636791-3136549013-2296628263-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
"DisplayFusion"="c:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2011-06-01 1949088]
"Akamai NetSession Interface"="c:\users\Christian\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-01-24 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-06-05 1310720]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Razer Lachesis Driver"="c:\program files (x86)\Razer\Lachesis 5600\LachesisSysTray.exe" [2010-12-02 760720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"LUTManager"="c:\program files (x86)\LUT Manager\LUTManager.exe" [2008-02-06 319488]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files (x86)\Xfire\Xfire.exe [2012-2-3 3530136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2011-12-02 8704]
R3 ALSysIO;ALSysIO;c:\users\CHRIST~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 cpuz130;cpuz130;c:\users\CHRIST~1\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-08-15 130976]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
R3 Gun;Gun;c:\windows\system32\Gun64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VaneFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Christian\Documents\Real Temp\WinRing0x64.sys [2008-07-27 14544]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
S3 cmudaxp;ASUS Xonar Essence STX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2009-10-30 8151040]
"Cmaudio8788GX"="c:\windows\syswow64\HsMgr.exe" [2008-07-11 200704]
"Cmaudio8788GX64"="c:\windows\system\HsMgr64.exe" [2008-07-11 282112]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dlaudf_m
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{95E47232-8A90-465D-8DBF-E21C0421A46A}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\1tnvxjn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2747244&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.reddit.com/r/all
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_e286960.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1088636791-3136549013-2296628263-1001\Software\SecuROM\License information*]
"datasecu"=hex:5e,09,26,c7,7e,c5,30,6a,59,a0,26,4a,9a,13,99,cd,8e,64,56,be,11,
f1,f8,59,a9,c2,a4,dd,c2,81,e9,87,ee,a0,10,29,fc,5e,80,98,3d,07,3e,45,66,40,\
"rkeysecu"=hex:35,8b,48,80,7c,cc,7e,32,ab,b4,aa,49,da,0a,42,ee
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-08 16:29:48
ComboFix-quarantined-files.txt 2012-02-08 21:29
ComboFix2.txt 2012-02-08 21:07
ComboFix3.txt 2012-02-08 19:39
.
Pre-Run: 523,252,580,352 bytes free
Post-Run: 523,189,723,136 bytes free
.
- - End Of File - - ABFB104226A13BBD19FCA5A8EFF5381D

#14
Elise
Posted 08 February 2012 - 04:33 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
That is looking good indeed. :)

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u2.
  • Look for "JDK 7u2 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


Please launch MBAM, update it and run a full scan. Post me the resulting log.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#15
Bizong
Posted 08 February 2012 - 04:50 PM

    New Member

  • Members
  • Pip
  • 14 posts
Ok, I've updated Java and am now running a Full Scan which will probably take a good 30mins or so. I'm running to the store for a bit, so I'll post the log when i get back.

I'd like to thank you again for your awesome work, I will browse the internet much safer from now on.

#16
Bizong
Posted 08 February 2012 - 11:17 PM

    New Member

  • Members
  • Pip
  • 14 posts
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.08.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Christian :: CHRISTIAN-PC [administrator]

Protection: Enabled

2/8/2012 4:47:01 PM
mbam-log-2012-02-08 (16-47-01).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 610393
Time elapsed: 58 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Qoobox\Quarantine\C\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\sp.Dll.vir (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Windows\assembly\temp\U\000000cf.@ (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

#17
Elise
Posted 09 February 2012 - 04:15 AM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
That looks good now! :) Lets do one last scan before calling it clean.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#18
Bizong
Posted 10 February 2012 - 03:43 PM

    New Member

  • Members
  • Pip
  • 14 posts
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.DN trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.G trojan cleaned by deleting - quarantined
C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\1d5a503-38f7632c probably a variant of Java/TrojanDownloader.OpenStream.NAS trojan deleted - quarantined
C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\71148de3-5f4b0c26 Java/TrojanDownloader.OpenStream.NAS trojan deleted - quarantined
C:\Windows\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan cleaned by deleting - quarantined

#19
Elise
Posted 10 February 2012 - 04:06 PM

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 8,720 posts
  • Gender:Female
  • Location:Romania
I see I forgot to remove one object here.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
NetSvc::
dlaudf_m
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

Posted Image

#20
Bizong
Posted 10 February 2012 - 04:50 PM

    New Member

  • Members
  • Pip
  • 14 posts
ComboFix 12-02-08.02 - Christian 02/10/2012 16:43:07.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.3719 [GMT -5:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
Command switches used :: c:\users\Christian\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))
.
.
2012-02-10 21:49 . 2012-02-10 21:49 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-02-10 21:49 . 2012-02-10 21:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-10 10:15 . 2012-02-10 10:15 -------- d-----w- c:\program files (x86)\ESET
2012-02-08 21:45 . 2012-02-08 21:45 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-08 21:45 . 2012-02-08 21:45 637848 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-02-08 05:24 . 2012-02-08 05:24 -------- d-----w- c:\users\Christian\AppData\Local\BigHugeEngine
2012-02-08 05:22 . 2012-02-08 19:33 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-07 21:45 . 2012-01-06 05:15 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CF312B06-E1F5-4F89-A0ED-C0E528BE8616}\mpengine.dll
2012-02-05 22:29 . 2012-02-06 01:46 -------- d-----w- c:\program files (x86)\World of Warcraft
2012-02-03 09:29 . 2012-02-03 09:29 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
2012-02-03 09:29 . 2012-02-03 09:29 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2012-02-02 08:28 . 2012-02-02 09:03 -------- d-----w- c:\users\Christian\AppData\Roaming\DMCache
2012-02-02 08:28 . 2012-02-02 08:28 -------- d-----w- c:\program files (x86)\Internet Download Manager
2012-02-01 01:43 . 2012-02-08 07:36 -------- d-----w- c:\users\Christian\AppData\Local\Unity
2012-01-26 22:46 . 2012-01-26 23:36 -------- dc----w- c:\windows\system32\DRVSTORE
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-26 22:46 . 2012-01-26 22:46 -------- d-----w- c:\program files\Common Files\Apple
2012-01-25 01:55 . 2010-11-17 02:24 750440 ------w- c:\windows\system32\HPDiscoPM9311.dll
2012-01-25 01:55 . 2012-01-25 07:53 -------- d-----w- c:\programdata\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files (x86)\HP
2012-01-25 01:55 . 2012-01-25 01:55 -------- d-----w- c:\program files\HP
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\users\Christian\AppData\Local\BIT.TRIP RUNNER
2012-01-22 01:34 . 2012-01-22 01:34 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-01-22 01:34 . 2012-01-22 01:34 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-01-22 01:34 . 2012-01-22 01:34 -------- d-----w- c:\program files (x86)\OpenAL
2012-01-18 22:50 . 2012-01-18 23:03 -------- d-----w- c:\users\Christian\.android
2012-01-18 22:50 . 2012-01-18 22:50 -------- d-----w- c:\program files (x86)\Android
2012-01-18 22:49 . 2012-02-10 10:06 -------- d-----w- c:\users\Christian\AppData\Local\Htc
2012-01-18 22:49 . 2012-01-18 23:33 -------- d-----w- c:\users\Christian\AppData\Roaming\HTC
2012-01-18 22:47 . 2011-11-09 00:40 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-01-18 22:47 . 2011-11-09 00:40 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-18 22:44 . 2012-01-18 23:22 -------- d-----w- C:\android
2012-01-18 22:16 . 2012-01-18 22:16 -------- d-----w- c:\program files (x86)\Spirent Communications
2012-01-18 22:16 . 2012-01-18 22:49 -------- d-----w- c:\program files (x86)\HTC
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 21:45 . 2010-05-20 00:05 567184 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-27 05:52 . 2010-02-16 11:13 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-02 08:12 . 2010-04-16 07:54 850152 ----a-w- c:\windows\SysWow64\SpoonUninstall.exe
2011-12-10 20:24 . 2010-11-19 03:48 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:52 . 2011-12-15 01:16 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:58 . 2012-01-11 20:57 77312 ----a-w- c:\windows\system32\packager.dll
2011-11-19 14:01 . 2012-01-11 20:57 67072 ----a-w- c:\windows\SysWow64\packager.dll
2011-11-17 06:41 . 2012-01-11 20:57 1731920 ----a-w- c:\windows\system32\ntdll.dll
2011-11-17 05:38 . 2012-01-11 20:57 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2011-11-13 19:03 . 2011-10-02 20:47 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-08_19.33.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-02-08 05:33 . 2012-02-08 06:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-02-08 05:33 . 2012-02-08 20:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-02-08 06:05 . 2012-02-08 20:07 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012020820120209\index.dat
- 2012-02-08 06:05 . 2012-02-08 06:34 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012020820120209\index.dat
- 2012-02-08 05:33 . 2012-02-08 06:34 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-02-08 05:33 . 2012-02-08 20:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-02-16 11:56 . 2012-02-10 10:08 55936 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-10 10:08 27842 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-02-16 11:40 . 2012-02-10 10:08 18610 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1088636791-3136549013-2296628263-1001_UserData.bin
+ 2010-02-16 13:53 . 2012-02-08 19:33 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 13:53 . 2012-02-08 19:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 13:53 . 2012-02-08 19:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-16 13:53 . 2012-02-08 19:33 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-08 19:33 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-08 19:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-16 11:27 . 2012-02-10 10:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-10 10:07 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-10 10:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-16 11:27 . 2012-02-10 21:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-16 11:27 . 2012-02-10 21:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-16 11:27 . 2012-02-08 19:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-08 19:33 . 2012-02-08 19:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-10 10:05 . 2012-02-10 10:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-10 10:05 . 2012-02-10 10:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-08 19:33 . 2012-02-08 19:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-08 21:45 . 2012-02-08 21:45 223112 c:\windows\SysWOW64\javaws.exe
+ 2012-02-08 21:45 . 2012-02-08 21:45 173960 c:\windows\SysWOW64\javaw.exe
+ 2012-02-08 21:45 . 2012-02-08 21:45 173960 c:\windows\SysWOW64\java.exe
+ 2009-07-14 04:54 . 2012-02-08 20:59 229376 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-08 20:59 704512 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:01 . 2012-02-09 18:39 485316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-02-08 19:32 485316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-02-08 21:45 . 2012-02-08 21:45 179200 c:\windows\Installer\27374.msi
+ 2012-02-08 21:44 . 2012-02-08 21:44 941568 c:\windows\Installer\2736d.msi
+ 2009-07-14 04:54 . 2012-02-08 20:59 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-08 19:31 4980736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-27 01:45 . 2012-02-09 18:39 37393812 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1088636791-3136549013-2296628263-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
"DisplayFusion"="c:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2011-06-01 1949088]
"Akamai NetSession Interface"="c:\users\Christian\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-01-24 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-06-05 1310720]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Razer Lachesis Driver"="c:\program files (x86)\Razer\Lachesis 5600\LachesisSysTray.exe" [2010-12-02 760720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"LUTManager"="c:\program files (x86)\LUT Manager\LUTManager.exe" [2008-02-06 319488]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
.
c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files (x86)\Xfire\Xfire.exe [2012-2-3 3530136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2011-12-02 8704]
R3 ALSysIO;ALSysIO;c:\users\CHRIST~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 cpuz130;cpuz130;c:\users\CHRIST~1\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-08-15 130976]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
R3 Gun;Gun;c:\windows\system32\Gun64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 136176]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VaneFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Christian\Documents\Real Temp\WinRing0x64.sys [2008-07-27 14544]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-09-22 2253120]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
S3 cmudaxp;ASUS Xonar Essence STX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-15 02:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2009-10-30 8151040]
"Cmaudio8788GX"="c:\windows\syswow64\HsMgr.exe" [2008-07-11 200704]
"Cmaudio8788GX64"="c:\windows\system\HsMgr64.exe" [2008-07-11 282112]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dlaudf_m
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{95E47232-8A90-465D-8DBF-E21C0421A46A}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\1tnvxjn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2747244&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.reddit.com/r/all
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
AddRemove-Wurm Online 3.0.1 [unstable] - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1088636791-3136549013-2296628263-1001\Software\SecuROM\License information*]
"datasecu"=hex:5e,09,26,c7,7e,c5,30,6a,59,a0,26,4a,9a,13,99,cd,8e,64,56,be,11,
f1,f8,59,a9,c2,a4,dd,c2,81,e9,87,ee,a0,10,29,fc,5e,80,98,3d,07,3e,45,66,40,\
"rkeysecu"=hex:35,8b,48,80,7c,cc,7e,32,ab,b4,aa,49,da,0a,42,ee
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-10 16:49:58
ComboFix-quarantined-files.txt 2012-02-10 21:49
ComboFix2.txt 2012-02-08 21:29
ComboFix3.txt 2012-02-08 21:07
ComboFix4.txt 2012-02-08 19:39
.
Pre-Run: 531,449,970,688 bytes free
Post-Run: 531,395,969,024 bytes free
.
- - End Of File - - D413016CD6A633CDC0317EDC4B8F4F9C
Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us