VirusTotal says uphclean.exe and MBR.dat are clean. I forgot to tell you that aswMBR found something on my computer and the Fix button came up, so I clicked on Fix. Then it asked me to reboot, so I scanned again afterwards, and that is when it created an MBR.dat. Then FixMBR came up, but I didn't click on that; I just saved the log. I believe Locky and 5AHSH54OwLwn are part of BDAntiRansomware.
Hmm, are FlashBroker, IFlashBroker6 and RAIDTest Trojans or viruses?
VirusTotal
SHA256: 0e9f08fdf2032a7ebe883ce2c7aef3dc4ce622c2e6f4bebeafa24acf93669c99
File name: uphclean.exe
Detection ratio: 0 / 53
Analysis date: 2016-08-01 03:48:54 UTC
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus Result Update
ALYac 20160731
AVG 20160801
AVware 20160801
Ad-Aware 20160801
AegisLab 20160801
AhnLab-V3 20160731
Alibaba 20160730
Antiy-AVL 20160801
Arcabit 20160731
Avast 20160801
Avira (no cloud) 20160731
Baidu 20160730
BitDefender 20160801
Bkav 20160727
CAT-QuickHeal 20160730
CMC 20160728
ClamAV 20160801
Comodo 20160801
Cyren 20160801
DrWeb 20160801
ESET-NOD32 20160731
Emsisoft 20160801
F-Prot 20160801
F-Secure 20160801
Fortinet 20160801
GData 20160801
Ikarus 20160731
Jiangmin 20160801
K7AntiVirus 20160731
K7GW 20160801
Kaspersky 20160731
Kingsoft 20160801
Malwarebytes 20160801
McAfee 20160801
McAfee-GW-Edition 20160731
eScan 20160801
Microsoft 20160801
NANO-Antivirus 20160801
Panda 20160731
Qihoo-360 20160801
SUPERAntiSpyware 20160731
Sophos 20160801
Symantec 20160801
Tencent 20160801
TheHacker 20160729
TrendMicro 20160801
TrendMicro-HouseCall 20160801
VBA32 20160729
VIPRE 20160801
ViRobot 20160731
Zillya 20160731
Zoner 20160801
nProtect 20160729
---------------------------------------------------------------------------------------------------------------------------
VirusTotal
SHA256: 6b3b00eb062b2b595eca8eaf08d402be747342f66a800072f82266d099771ed0
File name: MBR.dat
Detection ratio: 0 / 53
Analysis date: 2016-08-01 03:59:06 UTC
Antivirus Result Update
ALYac 20160731
AVG 20160801
AVware 20160801
Ad-Aware 20160801
AegisLab 20160801
AhnLab-V3 20160731
Alibaba 20160730
Antiy-AVL 20160801
Arcabit 20160731
Avast 20160801
Avira (no cloud) 20160731
Baidu 20160730
BitDefender 20160801
Bkav 20160727
CAT-QuickHeal 20160730
CMC 20160728
ClamAV 20160801
Comodo 20160801
Cyren 20160801
DrWeb 20160801
ESET-NOD32 20160731
Emsisoft 20160801
F-Prot 20160801
F-Secure 20160801
Fortinet 20160801
GData 20160801
Ikarus 20160731
Jiangmin 20160801
K7AntiVirus 20160731
K7GW 20160801
Kaspersky 20160731
Kingsoft 20160801
Malwarebytes 20160801
McAfee 20160801
McAfee-GW-Edition 20160731
eScan 20160801
Microsoft 20160801
NANO-Antivirus 20160801
Panda 20160731
Qihoo-360 20160801
SUPERAntiSpyware 20160731
Sophos 20160801
Symantec 20160801
Tencent 20160801
TheHacker 20160729
TrendMicro 20160801
TrendMicro-HouseCall 20160801
VBA32 20160729
VIPRE 20160801
ViRobot 20160801
Zillya 20160731
Zoner 20160801
nProtect 20160729
-----------------------------------------------------------------------------------------------------------------------------------
Combofix log
ComboFix 16-07-25.01 - Owner 07/31/2016 21:24:21.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.523 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Panda Free Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: Panda Firewall *Disabled* {1337562C-110A-4AF8-B12B-750C0B30E802}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\Oemreset.lnk"
"c:\documents and settings\Owner\Start Menu\Programs\Startup\_uninst_.lnk"
"c:\program files\Common Files\AOL\Loader\aolload.exe"
"c:\windows\pss\_uninst_.lnkStartup"
"c:\windows\pss\Oemreset.lnk"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
c:\documents and settings\Owner\My Documents\New Folder\Free Any Burn 1.4
c:\documents and settings\Owner\My Documents\New Folder\Free Any Burn 1.4\freeanyburn_setup.exe
c:\documents and settings\Owner\My Documents\Tools & Programs\Free Any Burn 1.4
c:\documents and settings\Owner\My Documents\Tools & Programs\Free Any Burn 1.4\freeanyburn_setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_asdids
.
.
((((((((((((((((((((((((( Files Created from 2016-07-01 to 2016-08-01 )))))))))))))))))))))))))))))))
.
.
2016-07-31 23:47 . 2015-05-22 08:45 50832 ----a-w- c:\windows\system32\drivers\PSKMAD.sys
2016-07-30 02:11 . 2016-07-30 02:12 380928 ----a-w- C:\9ik17ki1.exe
2016-07-29 14:18 . 2016-07-29 14:18 -------- d-----w- c:\program files\UPHClean
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-07-31 23:59 . 2014-09-01 19:12 121560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-07-31 23:59 . 2014-08-03 00:51 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-07-26 14:30 . 2014-08-27 02:07 24688 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2016-07-18 01:23 . 2014-08-04 01:32 796352 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-07-18 01:23 . 2014-08-04 01:32 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"Malwarebytes Anti-Exploit"="c:\program files\Malwarebytes Anti-Exploit\mbae.exe" [2016-06-02 2623456]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"PSUAMain"="c:\program files\Panda Security\Panda Security Protection\PSUAMain.exe" [2015-10-22 54520]
"BDAntiCryptoLocker"="c:\program files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe" [2016-05-16 1242144]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2016-03-24 134480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Oemreset.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Oemreset.lnk
backup=c:\windows\pss\Oemreset.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^_uninst_.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\_uninst_.lnk
backup=c:\windows\pss\_uninst_.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 04:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 10:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51 17408 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\CheckPoint\\ZoneAlarm\\vsmon.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [11/15/2015 6:30 PM 50016]
R1 NNSALPC;NNSAlpc;c:\windows\system32\drivers\NNSAlpc.sys [7/9/2015 8:37 AM 87032]
R1 NNSHTTP;NNSHttp;c:\windows\system32\drivers\NNSHttp.sys [7/9/2015 8:37 AM 202104]
R1 NNSHTTPS;NNSHttps;c:\windows\system32\drivers\NNSHttps.sys [7/9/2015 8:37 AM 109688]
R1 NNSIDS;NNSids;c:\windows\system32\drivers\NNSIds.sys [7/9/2015 8:37 AM 121720]
R1 NNSPICC;NNSPicc;c:\windows\system32\drivers\NNSpicc.sys [7/9/2015 8:37 AM 102264]
R1 NNSPIHS;NNSPihs;c:\windows\system32\drivers\NNSpihs.sys [7/9/2015 8:37 AM 52088]
R1 NNSPOP3;NNSPop3;c:\windows\system32\drivers\NNSPop3.sys [7/9/2015 8:37 AM 120568]
R1 NNSPROT;NNSProt;c:\windows\system32\drivers\NNSProt.sys [7/9/2015 8:37 AM 281720]
R1 NNSPRV;NNSPrv;c:\windows\system32\drivers\NNSPrv.sys [7/9/2015 8:37 AM 209016]
R1 NNSSMTP;NNSSmtp;c:\windows\system32\drivers\NNSSmtp.sys [7/9/2015 8:37 AM 108408]
R1 NNSSTRM;NNSStrm;c:\windows\system32\drivers\NNSStrm.sys [7/9/2015 8:37 AM 240376]
R1 NNSTLSC;NNSTlsc;c:\windows\system32\drivers\NNStlsc.sys [7/9/2015 8:37 AM 94968]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [7/19/2015 9:46 AM 172792]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [11/15/2015 6:30 PM 742368]
R2 NanoServiceMain;Panda Protection Service;c:\program files\Panda Security\Panda Security Protection\PSANHost.exe [10/18/2015 2:32 AM 142072]
R2 PandaAgent;Panda Devices Agent;c:\program files\Panda Security\Panda Devices Agent\AgentSvc.exe [2/22/2016 6:24 PM 73176]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [7/19/2015 9:46 AM 140792]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [7/19/2015 9:46 AM 103288]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [7/19/2015 9:46 AM 114680]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [7/19/2015 9:46 AM 125176]
R2 PSINReg;PSINReg;c:\windows\system32\drivers\PSINReg.sys [7/19/2015 9:46 AM 100600]
R2 PSUAService;Panda Product Service;c:\program files\Panda Security\Panda Security Protection\PSUAService.exe [10/22/2015 9:42 AM 38136]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [10/19/2015 10:22 AM 96272]
R3 NNSNAHS;Network Activity Hook Server Service;c:\windows\system32\drivers\NNSNAHS.sys [5/20/2015 3:18 AM 55216]
R3 PSKMAD;PSKMAD;c:\windows\system32\drivers\PSKMAD.sys [7/31/2016 4:47 PM 50832]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mbamchameleon
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.yahoo.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\41qyd9cm.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-07-31 21:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\.Default\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-676961170-3691123601-236142853-1003\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-676961170-3691123601-236142853-1003\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-842925246-1606980848-1708537768-1003_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-842925246-1606980848-1708537768-1003_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\WININET.dll
c:\program files\Bitdefender\Tools\BDAntiRansomware\InjectionDll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2016-07-31 21:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2016-08-01 04:54
ComboFix2.txt 2016-07-30 15:45
.
Pre-Run: 33,290,543,104 bytes free
Post-Run: 33,231,155,200 bytes free
.
- - End Of File - - F4724DA58F2F828D164690D21711BB89
620801C51A4A223B7167BE50689BA748
Edited by koolkat1939, 01 August 2016 - 11:01 AM.