Security Essentials remains green. Avast has very infrequent popups saying it has blocked a malicious site.
Trojan.Agent infection [Solved]
Started by
jkabat
, Mar 14 2013 07:37 AM
#31
Posted 20 March 2013 - 05:10 AM
Security Essentials remains green. Avast has very infrequent popups saying it has blocked a malicious site.
#32
Posted 20 March 2013 - 05:10 AM
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.03.20.06
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jessie :: JESSIE-PC [administrator]
3/20/2013 6:49:16 AM
mbam-log-2013-03-20 (06-49-16).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227995
Time elapsed: 8 minute(s), 30 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
www.malwarebytes.org
Database version: v2013.03.20.06
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jessie :: JESSIE-PC [administrator]
3/20/2013 6:49:16 AM
mbam-log-2013-03-20 (06-49-16).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227995
Time elapsed: 8 minute(s), 30 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
#33
Posted 20 March 2013 - 05:19 AM
Malwarebytes found one file on your system and I don't think it can remove it by himself. We need to remove it manually.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\\ComboFix.txt which I will require in your next reply.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Rootkit::
C:\Windows\svchost.exe
File::
C:\Windows\svchost.exe
Folder::
Registry::
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\\ComboFix.txt which I will require in your next reply.
#34
Posted 20 March 2013 - 05:56 AM
Task completed. Log in next post.
#35
Posted 20 March 2013 - 05:56 AM
ComboFix 13-03-20.01 - Jessie 03/20/2013 7:27.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3687.2500 [GMT -4:00]
Running from: c:\users\Jessie\Desktop\ComboFix.exe
Command switches used :: c:\users\Jessie\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\svchost.exe"
.
.
((((((((((((((((((((((((( Files Created from 2013-02-20 to 2013-03-20 )))))))))))))))))))))))))))))))
.
.
2013-03-20 11:40 . 2013-03-20 11:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-03-20 11:40 . 2013-03-20 11:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-20 11:40 . 2013-03-20 11:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-03-20 11:01 . 2013-03-20 11:01 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C52080FF-C318-4387-B394-CB1E50E95591}\offreg.dll
2013-03-19 13:01 . 2013-03-19 13:01 208216 ----a-w- c:\windows\system32\drivers\81590765.sys
2013-03-19 12:10 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C52080FF-C318-4387-B394-CB1E50E95591}\mpengine.dll
2013-03-19 11:59 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-16 03:10 . 2013-03-06 22:33 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-16 03:10 . 2013-03-06 22:33 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-16 03:10 . 2013-03-06 22:33 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-16 03:10 . 2013-03-06 22:33 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-16 03:10 . 2013-03-06 22:33 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-16 03:10 . 2013-03-06 22:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-16 03:10 . 2013-03-06 22:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-16 03:10 . 2013-03-06 22:33 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-16 03:10 . 2013-03-06 22:32 287840 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-16 03:09 . 2013-03-06 22:32 41664 ----a-w- c:\windows\avastSS.scr
2013-03-16 03:08 . 2013-03-16 03:08 -------- d-----w- c:\program files\AVAST Software
2013-03-16 03:07 . 2013-03-16 03:08 -------- d-----w- c:\programdata\AVAST Software
2013-03-13 22:10 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-13 12:49 . 2013-03-13 12:49 -------- d-----w- C:\bab0277241d68e0d82426f
2013-03-12 20:27 . 2012-11-28 19:26 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6671647A-D593-488C-A849-D3C86E0F9E6F}\gapaengine.dll
2013-02-28 02:42 . 2013-01-13 20:08 1504768 ----a-w- c:\windows\SysWow64\d3d11.dll
2013-02-27 13:39 . 2013-02-27 13:39 -------- d-----w- c:\windows\Temp82CDD929-2E6E-2530-5D64-35AA60D79BF9-Signatures
2013-02-27 13:38 . 2013-02-27 13:38 -------- d-----w- C:\92727f19c0eaaa9427c34e
2013-02-24 14:40 . 2013-02-24 14:40 -------- d-----w- c:\users\Jessie\AppData\Local\Programs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 21:03 . 2012-11-25 22:05 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-12 21:03 . 2011-11-24 03:13 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-12 05:45 . 2013-03-13 13:03 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 13:03 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 13:03 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 13:03 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-13 13:03 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 13:03 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-30 10:53 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-20 20:59 . 2013-01-20 20:59 230320 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 20:59 . 2011-04-27 22:25 130008 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-05 05:53 . 2013-02-13 13:29 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-05 05:00 . 2013-02-13 13:29 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 13:29 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46 . 2013-02-13 13:29 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 04:51 . 2013-02-13 13:29 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-02-13 13:29 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-01-04 03:26 . 2013-02-13 13:29 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-01-04 02:47 . 2013-02-13 13:29 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-02-13 13:29 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-01-04 02:47 . 2013-02-13 13:29 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-01-04 02:47 . 2013-02-13 13:29 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00 . 2013-02-13 13:29 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 06:00 . 2013-02-13 13:29 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-01-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R3 82506647;82506647; [x]
R3 aswVmm;aswVmm; [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-09 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 aswRvrt;aswRvrt; [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2011-03-24 36992]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-30 14784]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-06-08 204288]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2011-02-09 38096]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [2011-07-28 313448]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-05-17 533096]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-04-13 1143912]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-13 02:26 1629648 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-25 21:03]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-19 09:12]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-19 09:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-29 11905128]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-06-03 2226280]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page =
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/LGUplus_XMPI_20110503.cab
DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxps://mpi.dacom.net/XPayMPI/XPayMPI.cab
DPF: {7C98E005-7DA3-4C02-8D9F-FAA9C4D1C343} - hxxp://service.ewha.ac.kr:88/web_kiosk_061100/ReportX/ictReportX.cab
DPF: {AC2CE4A7-75CE-4B11-B245-CE697861C3C1} - hxxp://ems.shinhanlife.co.kr/automail/initech/mail_pki/downn/INISAFEMailv4.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles_new/KVPISPCTLD_VISTA64.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-25690091.sys
SafeBoot-73252458.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-20 07:45:12
ComboFix-quarantined-files.txt 2013-03-20 11:45
ComboFix2.txt 2013-03-19 11:53
.
Pre-Run: 248,535,351,296 bytes free
Post-Run: 248,122,331,136 bytes free
.
- - End Of File - - 7E0EC0796601039367CD1A144695C7A9
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3687.2500 [GMT -4:00]
Running from: c:\users\Jessie\Desktop\ComboFix.exe
Command switches used :: c:\users\Jessie\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\svchost.exe"
.
.
((((((((((((((((((((((((( Files Created from 2013-02-20 to 2013-03-20 )))))))))))))))))))))))))))))))
.
.
2013-03-20 11:40 . 2013-03-20 11:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-03-20 11:40 . 2013-03-20 11:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-20 11:40 . 2013-03-20 11:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-03-20 11:01 . 2013-03-20 11:01 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C52080FF-C318-4387-B394-CB1E50E95591}\offreg.dll
2013-03-19 13:01 . 2013-03-19 13:01 208216 ----a-w- c:\windows\system32\drivers\81590765.sys
2013-03-19 12:10 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C52080FF-C318-4387-B394-CB1E50E95591}\mpengine.dll
2013-03-19 11:59 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-16 03:10 . 2013-03-06 22:33 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-16 03:10 . 2013-03-06 22:33 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-16 03:10 . 2013-03-06 22:33 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-16 03:10 . 2013-03-06 22:33 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-16 03:10 . 2013-03-06 22:33 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-16 03:10 . 2013-03-06 22:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-16 03:10 . 2013-03-06 22:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-16 03:10 . 2013-03-06 22:33 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-16 03:10 . 2013-03-06 22:32 287840 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-16 03:09 . 2013-03-06 22:32 41664 ----a-w- c:\windows\avastSS.scr
2013-03-16 03:08 . 2013-03-16 03:08 -------- d-----w- c:\program files\AVAST Software
2013-03-16 03:07 . 2013-03-16 03:08 -------- d-----w- c:\programdata\AVAST Software
2013-03-13 22:10 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-13 12:49 . 2013-03-13 12:49 -------- d-----w- C:\bab0277241d68e0d82426f
2013-03-12 20:27 . 2012-11-28 19:26 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6671647A-D593-488C-A849-D3C86E0F9E6F}\gapaengine.dll
2013-02-28 02:42 . 2013-01-13 20:08 1504768 ----a-w- c:\windows\SysWow64\d3d11.dll
2013-02-27 13:39 . 2013-02-27 13:39 -------- d-----w- c:\windows\Temp82CDD929-2E6E-2530-5D64-35AA60D79BF9-Signatures
2013-02-27 13:38 . 2013-02-27 13:38 -------- d-----w- C:\92727f19c0eaaa9427c34e
2013-02-24 14:40 . 2013-02-24 14:40 -------- d-----w- c:\users\Jessie\AppData\Local\Programs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 21:03 . 2012-11-25 22:05 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-12 21:03 . 2011-11-24 03:13 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-12 05:45 . 2013-03-13 13:03 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 13:03 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 13:03 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 13:03 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-13 13:03 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 13:03 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-30 10:53 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-20 20:59 . 2013-01-20 20:59 230320 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 20:59 . 2011-04-27 22:25 130008 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-05 05:53 . 2013-02-13 13:29 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-05 05:00 . 2013-02-13 13:29 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 13:29 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46 . 2013-02-13 13:29 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 04:51 . 2013-02-13 13:29 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-02-13 13:29 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-01-04 03:26 . 2013-02-13 13:29 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-01-04 02:47 . 2013-02-13 13:29 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-02-13 13:29 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-01-04 02:47 . 2013-02-13 13:29 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-01-04 02:47 . 2013-02-13 13:29 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00 . 2013-02-13 13:29 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 06:00 . 2013-02-13 13:29 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-01-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R3 82506647;82506647; [x]
R3 aswVmm;aswVmm; [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-09 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 aswRvrt;aswRvrt; [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2011-03-24 36992]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-30 14784]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-06-08 204288]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2011-02-09 38096]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys [2011-07-28 313448]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-05-17 533096]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-04-13 1143912]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-13 02:26 1629648 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-25 21:03]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-19 09:12]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-19 09:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-29 11905128]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-06-03 2226280]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page =
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/LGUplus_XMPI_20110503.cab
DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxps://mpi.dacom.net/XPayMPI/XPayMPI.cab
DPF: {7C98E005-7DA3-4C02-8D9F-FAA9C4D1C343} - hxxp://service.ewha.ac.kr:88/web_kiosk_061100/ReportX/ictReportX.cab
DPF: {AC2CE4A7-75CE-4B11-B245-CE697861C3C1} - hxxp://ems.shinhanlife.co.kr/automail/initech/mail_pki/downn/INISAFEMailv4.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles_new/KVPISPCTLD_VISTA64.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-25690091.sys
SafeBoot-73252458.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-20 07:45:12
ComboFix-quarantined-files.txt 2013-03-20 11:45
ComboFix2.txt 2013-03-19 11:53
.
Pre-Run: 248,535,351,296 bytes free
Post-Run: 248,122,331,136 bytes free
.
- - End Of File - - 7E0EC0796601039367CD1A144695C7A9
#36
Posted 20 March 2013 - 07:20 AM
Combofix looks good now too. DO you get any AVAST notifications now.
If you do can you please see what site and what process it blocks and let me know.
If you do can you please see what site and what process it blocks and let me know.
#37
Posted 20 March 2013 - 07:35 AM
Maliprog,
Thank you. I am not getting any Avast notifications now.
Thank you. I am not getting any Avast notifications now.
#38
Posted 21 March 2013 - 12:07 AM
Hi jkabat,
Your logs and system are clean now. I'm glad we fix up your computer.
Please un-install AVAST now because you only need one active protection on your system. You don't need AVAST now.
Step 1
Please close all running programs and Run OTL
We need to clean up your PC from programs we used.
Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.
In case that any of the software we used in this fix still remains on your system please delete it manually (Right click on it and select Delete).
General recommendations
Here are some recommendations you should follow to minimize infection risk in the future:
1. Something to read
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
2. Make Backups of Important Files
Please read this article Home Computer Data Backup.
3. Regularly update your software
To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.
You should download Update Checker from here. The program will automaticly check for newer version of software installed on your system.
Your logs and system are clean now. I'm glad we fix up your computer.
Please un-install AVAST now because you only need one active protection on your system. You don't need AVAST now.
Step 1
Please close all running programs and Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
:Commands
[purity]
[emptytemp]
[resethosts]
[clearallrestorepoints]
[Reboot] - Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
We need to clean up your PC from programs we used.
Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.
In case that any of the software we used in this fix still remains on your system please delete it manually (Right click on it and select Delete).
General recommendations
Here are some recommendations you should follow to minimize infection risk in the future:
1. Something to read
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
2. Make Backups of Important Files
Please read this article Home Computer Data Backup.
3. Regularly update your software
To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.
You should download Update Checker from here. The program will automaticly check for newer version of software installed on your system.
#39
Posted 21 March 2013 - 01:26 PM
Thank you very much for all your help. It is appreciated.
#40
Posted 21 March 2013 - 11:58 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users