• Content count

  • Joined

  • Last visited

About ausgumbie

  • Rank
    New Member
  1. Hi all Just came across the thread below (Not sure if what's now displaying was meant to happen - I just pasted the url and ... ). Anyhow, thought I'd start a new thread rather than tag onto the previous. My experience seems similar to the other thread's OP. I was researching an apparently innocuous topic (ancient Greek roads in Attica). I started exploring links from a page (A GIS-BASED STUDY OF ATTICA) on the website. The further pages I tried to access, I assume, were all in that website. MBAM threw up a number of Malicious Website Blocked alerts. I checked these and found only one IP address* referenced (* although there were a number of blocks. I checked that address (on Central Ops net). That didn't enlighten me. Then, possibly like thais, I googled the address. This produced many links, one of which was "The Anti Hacker Alliance fights against". I clicked on this link, and first came to (I've left off the http bit deliberately) "//". That page seemed to load successfully, but then it suddenly 'flipped' to a page "//". At this point I think MBAM again threw up a couple of popups announcing further blockages. (On VirusTotal, Yandex Safebrowsing called the "Anti Hacker Alliance" a Malware site. The "Validome" url had no bad reports). The flip to the "Validome" page worried me as further googling didn't seem to establish a connection between "The Anti Hacker Alliance" and "Validome" so I don't know if this was a valid redirection. I'll attach a (composite) screenshot of the "Validome" page below. I gather MBAM thought loading the "Validome" page was an attempt to access the malicious site. I looked at the protection log again (an MBAM threat scan had been running at the time) and noted there were 3 "outbounds". There had been 2 when I first checked after noting the alert popups, but I subsaequently re-launched the "Validome" page from Firefox memory to get the screenshots. I've kept the Threatlog and Protection Log if they're needed. Help appreciated ausgumbie
  2. Hi all This has been pointed up in other places but it probably doesn't hurt in the retelling for any upgrading to Windows 10. I received this from staysmartonline (Aust. Govt.) to which I subscribe: "Fake Windows 10 update leading to ransomware attack: Alert Priority High Ransomware disguised as an installer of the new Microsoft Windows 10 operating system is encrypting Australian user and business computers. The ransomware resides in an email that claims to be from Microsoft which offers a free upgrade to Windows 10. The email contains a zip file attachment, which contains a program labelled as the Windows 10 installer. However, if you run this program, it will encrypt any important files, including Word documents and photos on your computer. If you receive an email offering a free upgrade to Windows 10, we advise that you delete the email and do not open it or any attachments. Windows users interested in upgrading their computer can register via Microsoft’s official website. Windows 10 updates will then be facilitated by a program on your computer, not via an email offer." And so on. The word is certainly out there although some (like me) twig to it a bit slower than others. This post is for them. See, e.g.: Cheers ausgumbie
  3. Thanks William Good to be back. Cheers ausgumbie
  4. I just thought I’d post the following anecdote in case others are having similar experiences. The effective procedure in my case was to go away and have another go later. I had received Marcin Kleczynski's email (in November) about the need to force a change of forum members’ passwords due to a hack. I went online to check that this email had been bona-fide (and, of course, found I wasn't the only one doing this). However, I didn't change my own password at that point. (I maybe should have!). But, all this was promptly forgotten among the distractions of Christmas. So, when I tried to log in to the Forums Dec. 30, about midday, local* (*Brisbane, Aust.) time, I found I couldn't. After a few attempts and getting the message that my account would be ‘locked for 12 minutes’, the penny finally dropped. I then went through the ‘forgot my password’ routine, first using my email address, and again a little later using my login. On neither try did an email come instantly (as the automatic message had suggested was ‘usual’) or within the 10 minute timeframe likewise suggested. I wasn’t sure whether this is an issue of 'communication delayed' (by whatever) or just no communication at all. The time of year had to be some sort of factor and there was no need to imagine anything more sinister. As to what was (presumably) out there yelling: ‘Aaaaagh, I can’t do this!!!’ my imagination was spoiled for choice: the Forums’ software, the internet, my IP, Hotmail, Outlook, Firefox ...? So, nothing else coming to mind, I made an online submission [Dec. 30, 06:43 PM Brisbane, Australia] via a ‘Consumer Support Form’ on, explaining my situation and asking if my message could be passed on somehow to a moderator in the forums area. Today, about 09:30 AM Brisbane time, and feeling lucky, I gave the ‘forgot password’ routine yet another go. I made ‘captcha’ do its audio thing this time and, after successfully submitting and a few minutes’ wait, hit Outlook’s ‘Send-Receive All Folders’. To my relief, the hoped-for email appeared this time and I was able to change my password painlessly, and – self-evidently – I’m able to access the Forums again. Cheers and Happy New Year, ausgumbie.
  5. No issues with the computer in general and I'll start on the cleanup below. However, over the last two days, I've noticed that it takes an inordinately long time to connect with the Malwarebytes forum, and of course this thread. (Obviously, this page has loaded now). I've also been trying to get into the message area and it just isn't loading. (i.e., the loading circle on the Firefox tab has going round and round for ages but no page.) This isn't happening with other internet connections - or the main Malwarebytes site - just the Forum site and any pages connected with it. What I'll do, unless this rings bells with you and you want to look at it here, is keep going with the cleanup as above for the issue we've been dealing with here, and maybe start a new thread with the issue of Forum "slow-loading" in case others are experiencing it. Cheers Howard / ausgumbie
  6. Hi Ron I gather you don't need me to do another "FRST scan log" with the DeQuarantine having worked? If not, then everything seems fine otherwise at my end. I'd just again add my sincere thanks for your help with this. Aside from fixing a problem, it's taught me a heck of a lot and so I do indeed value the time you've spent with me here! All the best, Howard
  7. Hi Ron I responded to your post above before reading your P.M., but fingers crossed, I've done things right this time. I dragged the CFScript.txt over Combofix (this time offline) and Combofix ran only for a very short time and produced the report below. I've checked the locations referred to in the report and the three files are, yep, now back in the "C:\Program Files (x86)\SecureW2" location with the "SecureW2\Uninstall.lnk" likewise on the "Start" programs. If this is OK so far, will I now move on to the process in your P.M.? Thanks Howard DeQuarantine.txt
  8. OK - I'll give it another go. Cheers H.
  9. Quick addition (image) - "files still in quarantine" - cheers, H.
  10. Hi Ron Many thanks. Have just run Combofix with CFScript.txt. Just a couple of things: (1) I dragged-and dropped the script file onto Combofix and ran Combofix; BUT (2) Combofix then asked "did I want a more recent version" which I allowed (not being confident to deny it) and just let the scan proceed. I mention this as I don't know whether the update might have overwritten your script wholly or partly. I haven't repeated the drag-and-drop and re-run Combofix so the log file I attach is from the one scan. Hope I've done right cheers Howard ComboFix.txt
  11. Thanks Ron Attached (I hope) C:\Qoobox\ComboFix-quarantined-files.txt. Cheers Howard / augumbie ComboFix-quarantined-files.txt
  12. Hi again Well, eduroam works too. I suppose the only two ways I can find out if they need to be restored is (a) research online or (b) ask the uni IT helpdesk. The second option may not be as profitable as you might think. I've no idea as to the credentials of the staff there many of whom could be students earning a bit of pocket money for all I know. But they're two options. My immediate suspicion is, from the names of a couple, that one or two at least - maybe all - have to do with uninstalling eduroam, a function I'd certainly not want to remove. So - keep or remove? Would you mind if I checked this a bit further and then decided? One thing I'd ask you is, could they be false positives? Or from your experience, does ComboFix usually tend to zero in on malicious files? Cheers Howard / ausgumbie
  13. Hi again! Just been doing a bit of checking in-between essay-writing and thus a bit slow getting back, sorry. The "sw" bit doesn't seem to have anything to do with Sierra Wireless, that was just me jumping to conclusions. The "sw" seems to refer to "SecureW2" (Gee, I'm quick ) which is linked to (among other things) eduroam. Now, eduroam is the wifi that my university uses, but I won't know whether mine's working till I'm back at uni next week. I was interested to see the same group of files turn up with a number of folks online using Combofix, e.g. (I CTRL+f searched the web pages with with "c:\program files (x86)\SecureW2\sw2_res_default.bmp"). So Combofix evidently doesn't like this group. Anyhow, if you'll bear with me, Ron, it'll be a few days but when I go out Wednesday I'll certainly be trying it out and I'll let you know how it went. Cheers and thanks for this - it is appreciated! Howard / ausbumbie
  14. Hi Ron Things seem OK. The laptop is online - it just couldn't connect immediately after the scan, but as per the directions, I rebooted it and got back online. I'm typing this from it now. I've been online quite a bit since my last post (with the scan). (I tend to not stay on long - I get lots of those MBAM popups telling me a malicious site has just been blocked). I don't know if those files you list need to be restored I'm afraid. I ran Windows Network Diagnostics (not really knowing what good it is) and it said no problem detected. I'll need to check things like my IPs online account site to be sure my usage is showing etc - the files you refer to (apart from the bitmap) look as though they have to do with processing usage maybe or modem security. I'll check. Meanwhile, the computer does seem faster and it does seem easier to get online. Cheers Howard / ausgumbie
  15. (Loved the spelling errors in my last post! ) OK, ComboFix 14-10-02.01 Log: ComboFix 14-10-02.01 - HOWARD02 03/10/2014 19:42:17.1.4 - x64 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.4066.2272 [GMT 10:00] Running from: c:\users\HOWARD02\Desktop\ComboFix.exe AV: Norton 360 Premier Edition *Disabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB} FW: Norton 360 Premier Edition *Disabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0} SP: Norton 360 Premier Edition *Disabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\program files (x86)\SecureW2 c:\program files (x86)\SecureW2\sw2_res_default.bmp c:\program files (x86)\SecureW2\sw2_rsaproxy.exe c:\program files (x86)\SecureW2\sw2_tray.exe c:\program files (x86)\SecureW2\Uninstall.exe c:\users\HOWARD02\AppData\Roaming\.# c:\users\HOWARD02\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SecureW2 c:\users\HOWARD02\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SecureW2\Uninstall.lnk . . ((((((((((((((((((((((((( Files Created from 2014-09-03 to 2014-10-03 ))))))))))))))))))))))))))))))) . . 2014-10-03 09:53 . 2014-10-03 09:53 -------- d-----w- c:\users\Default\AppData\Local\temp 2014-10-02 00:25 . 2014-10-02 05:45 -------- d-----w- c:\windows\system32\drivers\N360x64\1506000.020 2014-09-30 21:53 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll 2014-09-30 21:53 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll 2014-09-27 07:57 . 2014-09-28 05:20 -------- d-----w- C:\FRST 2014-09-27 05:41 . 2010-08-29 22:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll 2014-09-27 05:40 . 2014-09-27 06:15 -------- d-----w- C:\AdwCleaner 2014-09-27 05:19 . 2014-09-27 05:19 -------- d-----w- c:\windows\ERUNT 2014-09-26 03:21 . 2014-09-26 11:57 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys 2014-09-26 03:20 . 2014-09-26 03:21 -------- d-----w- c:\programdata\RogueKiller 2014-09-26 02:41 . 2014-09-26 02:41 -------- d-----w- c:\program files (x86)\ERUNT 2014-09-25 13:00 . 2014-09-26 01:55 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable) 2014-09-23 21:00 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll 2014-09-23 21:00 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2014-09-10 17:07 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll 2014-09-10 17:07 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll 2014-09-10 10:12 . 2014-08-01 11:53 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll 2014-09-10 10:12 . 2014-08-01 11:35 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll 2014-09-10 10:11 . 2014-06-24 03:29 2565120 ----a-w- c:\windows\system32\d3d10warp.dll 2014-09-10 10:11 . 2014-06-24 02:59 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll 2014-09-10 10:09 . 2014-07-07 02:06 728064 ----a-w- c:\windows\system32\kerberos.dll 2014-09-10 10:09 . 2014-07-07 02:06 1460736 ----a-w- c:\windows\system32\lsasrv.dll 2014-09-10 10:09 . 2014-07-07 01:40 550912 ----a-w- c:\windows\SysWow64\kerberos.dll 2014-09-10 10:09 . 2014-07-07 01:40 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2014-09-10 10:09 . 2014-07-07 01:39 96768 ----a-w- c:\windows\SysWow64\sspicli.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2014-10-03 08:39 . 2014-04-03 00:04 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys 2014-09-26 10:16 . 2014-04-03 00:01 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2014-09-23 21:18 . 2012-07-06 05:15 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2014-09-23 21:18 . 2012-07-06 05:15 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2014-09-10 17:09 . 2012-07-06 02:05 101694776 ----a-w- c:\windows\system32\MRT.exe 2014-08-23 02:07 . 2014-08-27 22:43 404480 ----a-w- c:\windows\system32\gdi32.dll 2014-08-23 01:45 . 2014-08-27 22:43 311808 ----a-w- c:\windows\SysWow64\gdi32.dll 2014-08-23 00:59 . 2014-08-27 22:43 3163648 ----a-w- c:\windows\system32\win32k.sys 2014-07-24 16:35 . 2014-07-24 16:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll 2014-07-24 13:47 . 2014-07-24 13:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll 2014-07-14 02:02 . 2014-08-12 23:18 1216000 ----a-w- c:\windows\system32\rpcrt4.dll 2014-07-14 01:40 . 2014-08-12 23:18 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll 2014-07-09 02:03 . 2014-08-12 23:19 7168 ----a-w- c:\windows\system32\KBDYAK.DLL 2014-07-09 02:03 . 2014-08-12 23:19 7168 ----a-w- c:\windows\system32\KBDTAT.DLL 2014-07-09 02:03 . 2014-08-12 23:19 7168 ----a-w- c:\windows\system32\KBDRU1.DLL 2014-07-09 02:03 . 2014-08-12 23:19 6656 ----a-w- c:\windows\system32\KBDRU.DLL 2014-07-09 02:03 . 2014-08-12 23:19 7168 ----a-w- c:\windows\system32\KBDBASH.DLL 2014-07-09 01:31 . 2014-08-12 23:19 7168 ----a-w- c:\windows\SysWow64\KBDYAK.DLL 2014-07-09 01:31 . 2014-08-12 23:19 6656 ----a-w- c:\windows\SysWow64\KBDBASH.DLL . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "BigPondWirelessBroadbandCM"="c:\program files (x86)\Telstra\BigPond Wireless Broadband\TelstraUCM.exe" [2011-09-13 6199192] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "EnableLinkedConnections"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux1"=wdmaud.drv . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\08655416.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\10953125.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\14010581.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\17651177.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\25695264.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\26162140.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\26897127.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\29851257.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30307646.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30394823.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\38058456.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\39275762.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\45649427.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\47954909.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\54225583.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\55190920.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\58486850.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\61670189.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\62918834.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\63312144.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\71109507.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\89623075.sys] @="Driver" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x] R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x] R3 FsUsbExDisk;FsUsbExDisk;c:\windows\SysWOW64\FsUsbExDisk.SYS;c:\windows\SysWOW64\FsUsbExDisk.SYS [x] R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x] R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys;c:\windows\SYSNATIVE\drivers\massfilter.sys [x] R3 massfilter_lte;LTE Device Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_lte.sys;c:\windows\SYSNATIVE\drivers\massfilter_lte.sys [x] R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x] R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys;c:\windows\SYSNATIVE\DRIVERS\swumxa3.sys [x] R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x] R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x] S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x] S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\1506000.020\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMDS64.SYS [x] S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\1506000.020\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMEFA64.SYS [x] S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton 360\NortonData\\Definitions\BASHDefs\20140912.003\BHDrvx64.sys;c:\program files (x86)\Norton 360\NortonData\\Definitions\BASHDefs\20140912.003\BHDrvx64.sys [x] S1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\ccSetx64.sys [x] S1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NSTx64\7DE07060.00F\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NSTx64\7DE07060.00F\ccSetx64.sys [x] S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton 360\NortonData\\Definitions\IPSDefs\20141002.001\IDSvia64.sys;c:\program files (x86)\Norton 360\NortonData\\Definitions\IPSDefs\20141002.001\IDSvia64.sys [x] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\Ironx64.SYS [x] S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\N360x64\1506000.020\SYMNETS.SYS [x] S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x] S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [x] S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [x] S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x] S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x] S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [x] S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x] S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\\N360.exe;c:\program files (x86)\Norton 360\Engine\\N360.exe [x] S2 NCO;Norton Identity Safe;c:\program files (x86)\Norton Identity Safe\Engine\2014.7.6.15\NST.exe;c:\program files (x86)\Norton Identity Safe\Engine\2014.7.6.15\NST.exe [x] S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe service;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe service [x] S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\\SymcPCCULaunchSvc.exe;c:\program files (x86)\Norton PC Checkup\Engine\\SymcPCCULaunchSvc.exe [x] S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\\ccSvcHst.exe [x] S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [x] S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x] S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x] S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x] S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x] S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x] S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x] S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x] S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys;c:\windows\SYSNATIVE\DRIVERS\QIOMem.sys [x] S3 RTWlanE;Realtek Wireless LAN 802.11n PCI-E Network Adapter;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x] S3 SmbDrv;SmbDrv;c:\windows\system32\DRIVERS\Smb_driver.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver.sys [x] S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\swg3kser00.sys;c:\windows\SYSNATIVE\DRIVERS\swg3kser00.sys [x] S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx64.sys;c:\windows\SYSNATIVE\DRIVERS\swiwdmbx64.sys [x] S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys;c:\windows\SYSNATIVE\DRIVERS\swnc8ua3.sys [x] S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x] S4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - MBAMSWISSARMY . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2014-09-24 23:46 1096520 ----a-w- c:\program files (x86)\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe . Contents of the 'Scheduled Tasks' folder . 2014-10-02 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . 2014-10-03 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-11-26 710560] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm mStart Page = hxxp:// mLocal Page = c:\windows\SysWOW64\blank.htm IE: Add to TOSHIBA Bulletin Board - c:\program files\TOSHIBA\BulletinBoard\TosBBCom.dll/1000 IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = FF - ProfilePath - c:\users\HOWARD02\AppData\Roaming\Mozilla\Firefox\Profiles\pmard9hv.default\ FF - prefs.js: browser.startup.homepage - about:home|file:///c:/users/howard02/desktop/desktop_dwellers/browser_home/reconnect%20to%20i%27net.htm . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKLM-Run-SecureW2 Tray - c:\program files (x86)\SecureW2\sw2_tray.exe HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE AddRemove-SecureW2 Enterprise Client - c:\program files (x86)\SecureW2\Uninstall.exe . . . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360] "ImagePath"="\"c:\program files (x86)\Norton 360\Engine\\N360.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\\diMaster.dll\" /prefetch:1" -- . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\NCO] "ImagePath"="\"c:\program files (x86)\Norton Identity Safe\Engine\2014.7.6.15\NST.exe\" /s \"NCO\" /m \"c:\program files (x86)\Norton Identity Safe\Engine\2014.7.6.15\diMaster.dll\" /prefetch:1" -- . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr] "ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\\diMaster.dll\" /prefetch:1" Binary file temp00 matches "ImagePath"="\SystemRoot\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS" "TrustedImagePaths"="c:\program files (x86)\Norton 360\Engine\;c:\program files (x86)\Norton 360\Engine64\" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32] @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}] @Denied: (A 2) (Everyone) @="IFlashBroker6" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.15" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}] @Denied: (A 2) (Everyone) @="IFlashBroker6" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" "Key"="ActionsPane3" . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2014-10-03 20:06:20 ComboFix-quarantined-files.txt 2014-10-03 10:06 . Pre-Run: 231,061,016,576 bytes free Post-Run: 230,754,734,080 bytes free . - - End Of File - - E01945DFC015CF709498F97F7033195D