oddie121

I should note, the other tool i did try was http://www.kaspersky.com/antivirus-removal-tool?form=1Kaspersky Antivirus-Removal-Tool which is almost the same as TDSSKiller. This however didn't find anything.

Alright, I believe i found the malware and got it resolved. This article helped point me in the correct direction - http://www.solutionary.com/resource-center/blog/2012/12/hunting-malware-with-memory-analysis/ After searching on Shylock Trojan an article pointed me to Norton Power Ereaser https://security.symantec.com/nbrt/npe.aspx?lcid=1033or Microsoft Security Scanner http://www.microsoft.com/security/scanner/en-us/default.aspx After running Norton Power Ereaser it found p2pcollab.dll to be malware and not in the correct location. I found it to not be in the correct loction upon doing searches for the file location on a known good machine and google. I did have to uncheck a bunch of the files above that were known "good" files. They were apart of a business program. I did this by clicking on each name under "risk" and reviewing the file location and what it thought the threat was. I left the AVG ones to remove as they were in the temp location and didn't seem to be doing any harm. Unpon the removal it stated that it failed to remove the p2pcollab.dll but upon inspecting further it simply failed to remove a couple of entries after the reboot. Its now been running for a hour without starting additional (mulitple) explorer.exe. I've also reviewed Netstat and this is clean as well with no radom or rogue http connections. nestat2.txt I'll watch it further and report back if it came back. However by now it would have already appeared.

I dont' see any other log files other than the TDSSKiller.3.0.0.41_<date>_<time>_log.txt files on C:\ nor on the desktop where it was run from. All files are unhidden. I've attached the logs from every run i've done with TDSSKiller. TDSSKiller.3.0.0.40_24.11.2014_21.32.00_log.txt TDSSKiller.3.0.0.40_28.10.2014_22.26.19_log.txt TDSSKiller.3.0.0.41_04.12.2014_19.51.56_log.txt TDSSKiller.3.0.0.41_04.12.2014_19.57.21_log.txt TDSSKiller.3.0.0.41_24.11.2014_21.32.53_log.txt TDSSKiller.3.0.0.41_24.11.2014_21.37.06_log.txt TDSSKiller.3.0.0.41_24.11.2014_21.47.58_log.txt TDSSKiller.3.0.0.41_25.11.2014_12.13.56_log.txt TDSSKiller.3.0.0.41_25.11.2014_12.19.14_log.txt TDSSKiller.3.0.0.41_25.11.2014_12.25.06_log.txt

Sorry, what do you mean by both TDSKiller reports? I attached the report above https://forums.malwarebytes.org/index.php?/topic/161434-2-explorerexe-high-mem-high-cpu/#entry915800as requested from the post before that.

TwinHeadedEagle, I appricate that the tools all state its clean but i don't believe it is. As you can see from the attached picture / capture the additional expolrer.exe is from the same user name. No other users were logged in nor was i remoted to the system. As well, to do TDSKiller's module i had to reboot and the screen capture was done as soon as TDSKiller was done running. There's still a high connection amount out to the internet which leads me to believe something else is running the system up. The user even states it can run very slow at times, which i've seen, and other times runs correctly. As in my previous post with the netstat, it shows connections via http going to an address that when doing a who is shows up as a known site for malware. https://www.virustotal.com/en/ip-address/209.15.224.6/information/ . Is there something else, other than the normal toolset, that can be run to see where all the connections are coming from or explorer.exe is using all the memory to? Or a tool that can relate the IPAddresses in use to a virus?

In addition this poped up in notepad and not sure how it opened or came up, not sure if this is related or not. When trying to save it to see where it came from it defaulted to the normal save location. When i saved it even as a text document it saved as a shortcut. I resaved it forcing it as a txt document. Google Chrome.txt

Here is the TDSKiller Log and FarBar Log. Just to show it's still going. Sorry for the delay again. TDSSKiller.3.0.0.41_04.12.2014_19.51.56_log.txt FRST.txt Addition.txt

Sorry, I haven't had a chance to get back to the client to run the additional tests yet. I'll hopefully get to it in the next day or so. Sorry again for the delay.

Please give me a few days as the office is on holiday to do the additional tasks.

Also tested a new user that has never logged on, the 2nd explorer.exe starts up and starts running a few minutes after login.

Still multiple explorer.exe's running high even after an end task still creating lots of connections out to the internet as well. See attached snipbits from taskmanager, netstat -a, and from router. netstat.txt

Sorry, TwinHeadedEagle i have not tried other users. Would you like me to log in as another user? Here is the log from the fixlog.txt Fixlog.txt

Sorry about the in post copy, Was trying to follow the other inital form post rule. Please see the attached as you requested TwinHeadedEaglesystem-log.txtmbar-log-2014-11-25 (13-28-48).txtFRST.txtAddition.txt

Hi, I've got a system that keeps running multiple Explorer.exe's (specifically 2). Uses all available Memory and CPU Previously it had some virus's removed from it. I see it creating multiple connections out to the internet (DD-WRT is showing about 1,000-2,000) at times. The computer slows to a crawl. Ending task on the rouge explorer.exe simply pops up after a few min. I've ran combofix, adwcleaner, TDSKiller, System is running AVG Business, Malwarebytes free, Malwarebytes anti-rootkid, and RogueKiller. Temp files were cleared, SFC /scannow ran. Here is the Farbar report. Also attached additional.txt from Farbar and Combix log after running clearJavaCache. Your assistance in this is appricated . --------------------------FRST.txt------------------------------ Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-11-2014 01 Ran by nwitkowski (administrator) on NANCY2 on 25-11-2014 13:39:29 Running from \\server12\support$\Installs\MalwareTools Loaded Profiles: <DomainUser> & (Available profiles:<DomainUser> & Administrator & <localUser> & <LocalUser2>) Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States) Internet Explorer Version 11 Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.wireshark.org) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-260401117-2913636678-2054379164-1175-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\p2pcollab.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-260401117-2913636678-2054379164-1175_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\p2pcollab.dll (Microsoft Corporation) ==================== Restore Points ========================= 18-11-2014 15:25:18 Installed TightVNC 18-11-2014 20:16:55 Dell Updates 18-11-2014 20:26:31 Dell Updates 18-11-2014 23:51:54 Dell Updates 18-11-2014 23:53:12 Installed Realtek Ethernet Controller All-In-One Windows Driver 19-11-2014 00:17:39 Windows Update 20-11-2014 09:00:12 Windows Update 25-11-2014 09:00:11 Windows Update ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-13 20:34 - 2014-11-25 12:35 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 localhost ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) Task: {0C99879C-D5E9-478F-8C83-45F12C4833FA} - System32\Tasks\{49504E78-8FA4-4CB1-9F66-881BF42FB98C} => M:\empire\programs\nempmain.exe [2012-08-20] () Task: {528B9845-8D06-4DD8-B3B6-3F4F2D9AB8BF} - System32\Tasks\Amazon Music Helper => C:\Users\nwitkowski\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [2014-01-14] () Task: {61852FA1-40F3-42F9-9E4A-3D432C3E6E10} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16] (Google Inc.) Task: {73321DFF-F02A-4164-A5EC-872ADB640BEA} - \BackgroundContainer Startup Task No Task File <==== ATTENTION Task: {9FE2D938-1414-416C-B54B-6929668F802E} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc Task: {A2770A32-7B70-4631-8CD3-E78CC8F327B0} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16] (Google Inc.) Task: {EEDD65B3-8E23-49DA-969F-57AD7287294E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.) Task: {FA43C149-213A-4E95-98FF-A6361D296301} - System32\Tasks\Dell\Client System Update => C:\Program Files (x86)\Dell\ClientSystemUpdate\DellClientSystemUpdate.exe [2012-10-11] (Dell Inc.) Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2011-02-18 18:36 - 2011-02-18 18:36 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll 2010-08-26 16:12 - 2010-08-26 16:12 - 00016384 ____R () c:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll 2014-07-31 11:16 - 2014-07-31 11:16 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll 2014-07-31 11:16 - 2014-07-31 11:16 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" MSCONFIG\startupreg: Adobe Acrobat Speed Launcher => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" MSCONFIG\startupreg: Adobe Acrobat Synchronizer => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: Amazon Cloud Player => "C:\Users\nwitkowski\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe" MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" MSCONFIG\startupreg: DBRMTray => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe" MSCONFIG\startupreg: PDVD9LanguageShortcut => "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" MSCONFIG\startupreg: RemoteControl9 => "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" ========================= Accounts: ========================== Administrator (S-1-5-21-3992961909-2664608981-1086464681-500 - Administrator - Disabled) Guest (S-1-5-21-3992961909-2664608981-1086464681-501 - Limited - Disabled) <LocalUser> (S-1-5-21-3992961909-2664608981-1086464681-1000 - Administrator - Enabled) => C:\Users\<localuser> <DomainUser> (S-1-5-21-3992961909-2664608981-1086464681-1001 - Administrator - Enabled) => C:\Users\<domainUser> ==================== Faulty Device Manager Devices ============= Name: Teredo Tunneling Pseudo-Interface Description: Microsoft Teredo Tunneling Adapter Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: tunnel Problem: : This device cannot start. (Code10) Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device. On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. Name: PS/2 Compatible Mouse Description: PS/2 Compatible Mouse Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: i8042prt Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24) Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved. ==================== Event log errors: ========================= Application errors: ================== Error: (11/25/2014 00:44:47 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/25/2014 00:19:27 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/25/2014 00:07:35 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4 Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24 Exception code: 0xc000041d Fault offset: 0x0000000000053290 Faulting process id: 0xe24 Faulting application start time: 0xExplorer.EXE0 Faulting application path: Explorer.EXE1 Faulting module path: Explorer.EXE2 Report Id: Explorer.EXE3 Error: (11/25/2014 00:07:27 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4 Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24 Exception code: 0xc0000005 Fault offset: 0x0000000000053290 Faulting process id: 0xe24 Faulting application start time: 0xExplorer.EXE0 Faulting application path: Explorer.EXE1 Faulting module path: Explorer.EXE2 Report Id: Explorer.EXE3 Error: (11/25/2014 11:47:16 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4 Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24 Exception code: 0xc0000374 Fault offset: 0x00000000000c4102 Faulting process id: 0x1be8 Faulting application start time: 0xExplorer.EXE0 Faulting application path: Explorer.EXE1 Faulting module path: Explorer.EXE2 Report Id: Explorer.EXE3 Error: (11/25/2014 10:54:31 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4 Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24 Exception code: 0xc0000374 Fault offset: 0x00000000000c4102 Faulting process id: 0x444 Faulting application start time: 0xExplorer.EXE0 Faulting application path: Explorer.EXE1 Faulting module path: Explorer.EXE2 Report Id: Explorer.EXE3 Error: (11/24/2014 09:56:49 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/24/2014 09:37:26 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/24/2014 02:19:53 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/24/2014 01:47:54 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 System errors: ============= Error: (11/25/2014 01:23:09 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. Error: (11/25/2014 01:20:57 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. Error: (11/25/2014 00:55:58 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. Error: (11/25/2014 00:54:00 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. Error: (11/25/2014 00:45:49 PM) (Source: BROWSER) (EventID: 8032) (User: ) Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{36CE2412-C11C-4BE8-AAD0-0F7DAA9FFADA}. The backup browser is stopping. Error: (11/25/2014 00:44:36 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY) Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC) Error: (11/25/2014 00:43:44 PM) (Source: Service Control Manager) (EventID: 7006) (User: ) Description: The ScRegSetValueExW call failed for FailureActions with the following error: %%5 Error: (11/25/2014 00:35:50 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. Error: (11/25/2014 00:35:19 PM) (Source: Application Popup) (EventID: 1060) (User: ) Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver. Error: (11/25/2014 00:33:39 PM) (Source: BROWSER) (EventID: 8032) (User: ) Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{36CE2412-C11C-4BE8-AAD0-0F7DAA9FFADA}. The backup browser is stopping. Microsoft Office Sessions: ========================= Error: (11/25/2014 00:44:47 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/25/2014 00:19:27 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/25/2014 00:07:35 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c000041d0000000000053290e2401d008d7e848cce5C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dllee2f9800-74cd-11e4-8222-d4bed9bb7972 Error: (11/25/2014 00:07:27 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c00000050000000000053290e2401d008d7e848cce5C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dlle9d80478-74cd-11e4-8222-d4bed9bb7972 Error: (11/25/2014 11:47:16 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c000037400000000000c41021be801d008d0829935bfC:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dll1797dba5-74cb-11e4-8222-d4bed9bb7972 Error: (11/25/2014 10:54:31 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c000037400000000000c410244401d008b77288b240C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dllb96de397-74c3-11e4-8222-d4bed9bb7972 Error: (11/24/2014 09:56:49 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/24/2014 09:37:26 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/24/2014 02:19:53 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (11/24/2014 01:47:54 PM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 CodeIntegrity Errors: =================================== Date: 2014-11-25 12:35:19.603 Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. Date: 2014-11-25 12:35:19.588 Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. Date: 2014-11-18 09:25:02.318 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2014-10-29 00:07:53.271 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2014-10-28 23:59:00.592 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2014-10-28 23:34:50.077 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2014-10-28 23:25:02.989 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2014-10-28 23:16:47.421 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2014-10-28 23:06:02.116 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. Date: 2014-10-28 22:25:16.398 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system. ==================== Memory info =========================== Processor: Intel® Pentium® CPU G850 @ 2.90GHz Percentage of memory in use: 41% Total physical RAM: 4069.06 MB Available physical RAM: 2391.34 MB Total Pagefile: 8136.3 MB Available Pagefile: 5953.55 MB Total Virtual: 8192 MB Available Virtual: 8191.81 MB ==================== Drives ================================ Drive c: (OS) (Fixed) (Total:220.59 GB) (Free:159.43 GB) NTFS Drive m: (DATAPART1) (Network) (Total:847.46 GB) (Free:692.82 GB) NTFS Drive s: (DATAPART1) (Network) (Total:847.46 GB) (Free:692.82 GB) NTFS Drive t: (DATAPART1) (Network) (Total:847.46 GB) (Free:692.82 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 232.9 GB) (Disk ID: 95A2D1A7) Partition 1: (Not Active) - (Size=39 MB) - (Type=DE) Partition 2: (Active) - (Size=12.3 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=220.6 GB) - (Type=07 NTFS) ==================== End Of Log ============================ ----------------------End Additonal.txt------------------------------- ----------------------Combofix.txt---------------------------------- ComboFix 14-11-25.01 - nwitkowski 11/25/2014 13:16:32.3.2 - x64 Running from: c:\users\nwitkowski\Downloads\ComboFix.exe Command switches used :: c:\users\nwitkowski\Downloads\CFScript.txt AV: AVG Internet Security Business Edition *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9} SP: AVG Internet Security Business Edition *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2014-10-25 to 2014-11-25 ))))))))))))))))))))))))))))))) . . 2014-11-25 19:23 . 2014-11-25 19:23 -------- d-----w- c:\users\<DomainUser>\AppData\Local\temp 2014-11-25 19:23 . 2014-11-25 19:23 -------- d-----w- c:\users\<localuser>\AppData\Local\temp 2014-11-25 19:23 . 2014-11-25 19:23 -------- d-----w- c:\users\Default\AppData\Local\temp 2014-11-25 19:23 . 2014-11-25 19:23 -------- d-----w- c:\users\administrator\AppData\Local\temp 2014-11-25 03:33 . 2014-11-25 03:32 4184008 ----a-w- C:\TDSSKiller.exe 2014-11-24 20:28 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll 2014-11-24 20:28 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll 2014-11-19 17:22 . 2014-11-19 17:22 -------- d-----w- c:\users\nwitkowski\AppData\Roaming\Wireshark 2014-11-19 17:19 . 2014-11-19 17:19 -------- d-----w- c:\program files (x86)\WinPcap 2014-11-19 17:18 . 2014-11-19 17:19 -------- d-----w- c:\program files\Wireshark 2014-11-19 00:17 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll 2014-11-19 00:17 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll 2014-11-19 00:17 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll 2014-11-19 00:17 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll 2014-11-18 23:53 . 2012-07-16 23:28 74344 ----a-w- c:\windows\system32\RtNicProp64.dll 2014-11-18 23:53 . 2012-07-16 23:28 685672 ----a-w- c:\windows\system32\drivers\Rt64win7.sys 2014-11-18 23:53 . 2014-11-18 23:53 -------- d-----w- c:\program files (x86)\Realtek 2014-11-18 23:52 . 2011-09-22 06:19 56600 ----a-w- c:\windows\system32\drivers\HECIx64.sys 2014-11-18 20:34 . 2014-11-18 20:34 -------- d-----w- c:\windows\{69093D49-3DD1-4FB5-A378-0D4DB4CF86EA} 2014-11-18 20:17 . 2011-04-16 12:00 53248 ----a-w- c:\windows\SysWow64\CSVer.dll 2014-11-18 19:34 . 2014-11-18 19:34 0 ----a-w- c:\windows\invcol.tmp 2014-11-18 19:33 . 2014-11-18 20:17 -------- d-----w- c:\users\<Domainuser>\AppData\Local\Dell 2014-11-18 15:25 . 2014-11-18 15:25 -------- d-----w- c:\program files\TightVNC 2014-11-18 15:25 . 2014-11-18 15:25 -------- d-----w- c:\programdata\TightVNC 2014-11-12 13:19 . 2014-11-12 13:19 -------- d-sh--w- c:\users\nwitkowski\AppData\Local\EmieBrowserModeList 2014-11-12 02:42 . 2014-11-05 17:56 304640 ----a-w- c:\windows\system32\generaltel.dll 2014-11-12 02:42 . 2014-11-05 17:56 228864 ----a-w- c:\windows\system32\aepdu.dll 2014-11-12 02:42 . 2014-11-05 17:52 424448 ----a-w- c:\windows\system32\aeinv.dll 2014-11-12 02:42 . 2014-10-14 02:16 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2014-11-12 02:42 . 2014-10-14 02:13 683520 ----a-w- c:\windows\system32\termsrv.dll 2014-11-12 02:42 . 2014-10-14 02:12 1460736 ----a-w- c:\windows\system32\lsasrv.dll 2014-11-12 02:42 . 2014-10-14 02:09 146432 ----a-w- c:\windows\system32\msaudite.dll 2014-11-12 02:42 . 2014-10-14 02:07 681984 ----a-w- c:\windows\system32\adtschema.dll 2014-11-12 02:42 . 2014-10-14 01:50 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2014-11-12 02:42 . 2014-10-14 01:49 96768 ----a-w- c:\windows\SysWow64\sspicli.dll 2014-11-12 02:42 . 2014-10-14 01:47 146432 ----a-w- c:\windows\SysWow64\msaudite.dll 2014-11-12 02:42 . 2014-10-14 01:46 681984 ----a-w- c:\windows\SysWow64\adtschema.dll 2014-11-12 02:40 . 2014-08-21 06:43 1882624 ----a-w- c:\windows\system32\msxml3.dll 2014-11-10 15:32 . 2014-11-10 15:32 -------- d-----w- c:\users\<DomainUser>\AppData\Roaming\ImageRight 2014-11-10 15:06 . 2014-11-25 18:07 -------- d-----w- c:\users\<DomainUser>\AppData\Local\CrashDumps 2014-11-10 13:51 . 2014-11-10 13:51 -------- d-----w- c:\users\<DomainUser>\AppData\Local\Vertafore,_Inc 2014-11-07 23:16 . 2014-11-07 23:16 -------- d-----w- c:\program files (x86)\Common Files\BCL Technologies 2014-11-07 23:16 . 2014-11-07 23:31 -------- d-----w- c:\program files (x86)\ImageRight 2014-11-07 23:16 . 2014-11-07 23:16 -------- d-----w- c:\program files\Common Files\BCL Technologies 2014-11-07 20:02 . 2014-11-07 23:15 -------- d-----w- c:\program files (x86)\Belarc 2014-11-04 06:30 . 2014-11-04 06:30 209720 ----a-w- c:\windows\system32\drivers\avgldx64.sys 2014-10-29 04:37 . 2014-10-29 04:42 -------- d-----w- C:\AdwCleaner 2014-10-29 04:24 . 2014-10-29 04:24 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys 2014-10-29 04:24 . 2014-10-29 04:24 -------- d-----w- c:\programdata\RogueKiller 2014-10-29 02:08 . 2014-11-25 18:11 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys 2014-10-29 02:07 . 2014-10-01 16:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys 2014-10-29 02:07 . 2014-10-01 16:11 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2014-10-29 02:07 . 2014-10-01 16:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys 2014-10-29 02:07 . 2014-10-29 02:07 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2014-11-12 09:02 . 2012-02-24 19:16 103374192 ----a-w- c:\windows\system32\MRT.exe 2014-10-17 21:34 . 2014-10-17 21:34 240952 ----a-w- c:\windows\system32\drivers\avgtdia.sys 2014-09-25 02:08 . 2014-10-01 10:12 371712 ----a-w- c:\windows\system32\qdvd.dll 2014-09-25 01:40 . 2014-10-01 10:12 519680 ----a-w- c:\windows\SysWow64\qdvd.dll 2014-09-09 22:11 . 2014-09-23 22:04 2048 ----a-w- c:\windows\system32\tzres.dll 2014-09-09 21:47 . 2014-09-23 22:04 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2014-09-05 02:11 . 2014-10-15 12:30 6584320 ----a-w- c:\windows\system32\mstscax.dll 2014-09-05 01:52 . 2014-10-15 12:30 5703168 ----a-w- c:\windows\SysWow64\mstscax.dll 2014-09-04 12:51 . 2014-09-04 12:51 55872 ----a-w- c:\windows\system32\AdobePDF.dll 2014-09-04 12:50 . 2014-09-04 12:50 27208 ----a-w- c:\windows\system32\AdobePDFUI.dll 2014-09-04 05:23 . 2014-10-15 12:31 424448 ----a-w- c:\windows\system32\rastls.dll 2014-09-04 05:04 . 2014-10-15 12:31 372736 ----a-w- c:\windows\SysWow64\rastls.dll 2014-09-03 13:58 . 2010-06-24 17:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2014-08-29 02:07 . 2014-10-15 12:31 3179520 ----a-w- c:\windows\system32\rdpcorets.dll 2014-08-28 19:49 . 2014-08-28 19:49 699568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2014-08-28 19:49 . 2012-02-17 04:03 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-19 336384] "AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2014-11-04 4411952] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "SpUninstallDeleteDir"="rmdir" [X] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "SoftwareSASGeneration"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [x] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R3 bepldr7ImageRightService;ImageRight easyPDF SDK 7 Loader;c:\program files\Common Files\BCL Technologies\ImageRight7\bepldr.exe;c:\program files\Common Files\BCL Technologies\ImageRight7\bepldr.exe [x] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x] R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x] R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys;c:\windows\SYSNATIVE\DRIVERS\netvsc60.sys [x] R3 PEERNET Spooler Service;PEERNET Spooler Service;c:\windows\system32\spool\DRIVERS\x64\3\PNSvc8.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\PNSvc8.exe [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys;c:\windows\SYSNATIVE\DRIVERS\VMBusVideoM.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x] S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x] S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x] S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x] S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x] S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x] S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x] S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x] S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x] S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe;c:\windows\SysWOW64\atashost.exe [x] S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [x] S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x] S2 psqlCE;Pervasive PSQL Client Engine;c:\pvsw\bin\w3dbsmgr.exe;c:\pvsw\bin\w3dbsmgr.exe [x] S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe;c:\program files\TightVNC\tvnserver.exe [x] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2014-11-18 20:13 1087304 ----a-w- c:\program files (x86)\Google\Chrome\Application\39.0.2171.65\Installer\chrmstp.exe . Contents of the 'Scheduled Tasks' folder . 2014-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16 20:23] . 2014-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16 20:23] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2013-07-19 2179056] "DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = https://www.google.com/webhp?hl=en&tab=ww mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = *.local IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 Trusted Zone: atlanticcasualty.com Trusted Zone: atlanticcasualty.net\aces Trusted Zone: capitolindemnity.com\aqs TCP: DhcpNameServer = 192.192.6.8 192.192.6.5 8.8.8.8 DPF: {D5375A5A-D55D-401F-8B12-EEA52FDBE2BE} - hxxps://co3.capitolindemnity.com/ocx/WydeWeb.cab DPF: {E501A333-172D-429E-B759-BDE2781FA742} - hxxps://co3.capitolindemnity.com/wynsureprod/ocx/WydeWeb.cab . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.14" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2014-11-25 13:25:21 ComboFix-quarantined-files.txt 2014-11-25 19:25 ComboFix2.txt 2014-11-25 18:57 ComboFix3.txt 2014-11-25 18:38 . Pre-Run: 171,255,943,168 bytes free Post-Run: 171,183,190,016 bytes free . - - End Of File - - 1551E47E2D4BD09B52709714CC4522E7 5C616939100B85E558DA92B899A0FC36 -----------------------------End Combofix.txt--------------------------------------