GoatWhisperer Posted January 1, 2012 ID:512089 Share Posted January 1, 2012 Malwarebytes succesfully removed all traces of win 7 antivirus hijack, except pup.bitminer.Combofix results follow in post. After combofix, all executible file operations, including Malwarebytes, result in: "Illegal operation attempted on a registry key that has been marked for deletion" pop-up window.Now favoring online, public executions of virus creators; willing to pull trap door lever.--ComboFix 11-12-31.03 - HP _Pavilion_dv6 01/01/2012 7:19.1.8 - x64Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6092.4744 [GMT -5:00]Running from: c:\users\HP _Pavilion_dv6\Desktop\ComboFix.exeAV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\programdata\Roamingc:\windows\assembly\temp\@c:\windows\assembly\temp\bckfg.tmpc:\windows\assembly\temp\cfg.inic:\windows\assembly\temp\keywordsc:\windows\system32\consrv.dllc:\windows\system32\java.exec:\windows\System64..((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))..2012-01-01 12:23 . 2012-01-01 12:23 -------- d-----w- c:\users\Default\AppData\Local\temp2012-01-01 04:16 . 2012-01-01 04:16 -------- d-----w- c:\users\HP _Pavilion_dv6\AppData\Roaming\Malwarebytes2012-01-01 04:16 . 2012-01-01 04:16 -------- d-----w- c:\programdata\Malwarebytes2012-01-01 04:16 . 2012-01-01 05:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware2012-01-01 04:16 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys2011-12-17 13:46 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll2011-12-17 13:42 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys2011-12-17 13:42 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll2011-12-17 13:42 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll2011-12-17 13:42 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll2011-12-17 13:42 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll2011-12-06 18:55 . 2011-12-06 18:55 -------- d-----w- c:\programdata\Synaptics2011-12-06 18:43 . 2011-12-06 18:42 654336 ------w- c:\windows\system32\stapi64.dll2011-12-06 18:43 . 2011-12-06 18:42 528384 ----a-w- c:\windows\system32\drivers\stwrt64.sys2011-12-06 18:43 . 2011-12-06 18:42 431616 ----a-w- c:\windows\system32\stcplx64.dll2011-12-06 18:43 . 2011-12-06 18:42 1965056 ----a-w- c:\windows\system32\stapo64.dll2011-12-06 18:42 . 2011-12-06 18:43 -------- d-----w- c:\program files\IDT2011-12-06 18:41 . 2011-05-20 14:53 557848 ----a-w- c:\windows\system32\drivers\iaStor.sys2011-12-06 18:41 . 2011-12-06 18:41 -------- d-----w- c:\users\HP _Pavilion_dv6\AppData\Roaming\InstallShield2011-12-06 18:41 . 2011-12-06 18:40 9888360 ----a-w- c:\windows\SysWow64\RtsPStorIcon.dll2011-12-06 18:40 . 2011-12-06 18:40 -------- d-----w- c:\programdata\Intel2011-12-06 18:39 . 2011-12-06 18:39 -------- d-----w- c:\program files (x86)\Cisco2011-12-06 18:36 . 2011-12-06 18:36 91648 ----a-w- c:\windows\system32\drivers\nusb3hub.sys2011-12-06 18:36 . 2011-12-06 18:36 81920 ----a-w- c:\windows\system32\nusb3co2.dll2011-12-06 18:36 . 2011-12-06 18:36 208896 ----a-w- c:\windows\system32\drivers\nusb3xhc.sys2011-12-06 18:35 . 2011-12-06 18:35 66856 ----a-w- c:\windows\SysWow64\SynTPEnhPS.dll2011-12-06 18:35 . 2011-12-06 18:35 276264 ----a-w- c:\windows\system32\SynCtrl.dll2011-12-06 18:35 . 2011-12-06 18:35 226600 ----a-w- c:\windows\system32\SynTPAPI.dll2011-12-06 18:35 . 2011-12-06 18:35 222504 ----a-w- c:\windows\SysWow64\SynCtrl.dll2011-12-06 18:35 . 2011-12-06 18:35 177448 ----a-w- c:\windows\SysWow64\SynCOM.dll2011-12-06 18:35 . 2011-12-06 18:35 148264 ----a-w- c:\windows\system32\SynTPCo9.dll2011-12-06 18:35 . 2011-12-06 18:35 1451056 ----a-w- c:\windows\system32\drivers\SynTP.sys2011-12-06 18:35 . 2011-12-06 18:35 107816 ----a-w- c:\windows\SysWow64\SynTPCOM.dll...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-12-06 18:42 . 2011-08-29 13:44 442368 ----a-w- c:\windows\system32\AESTEC64.dll2011-12-06 18:42 . 2011-08-29 13:44 221184 ----a-w- c:\windows\system32\HPToneCtrls64.dll2011-12-06 18:42 . 2011-08-29 13:44 6382080 ----a-w- c:\windows\system32\IDTNGUI.exe2011-12-06 18:42 . 2011-08-29 13:44 4933120 ----a-w- c:\windows\system32\IDTNHP.dll2011-12-06 18:42 . 2011-08-29 13:44 4779520 ----a-w- c:\windows\system32\stlang64.dll2011-12-06 18:42 . 2011-08-29 13:44 212480 ----a-w- c:\windows\system32\IDTNJ.exe2011-12-06 18:42 . 2011-08-29 13:44 1523712 ----a-w- c:\windows\system32\IDTNC64.cpl2011-12-06 18:42 . 2011-08-29 13:44 1128448 ----a-w- c:\windows\sttray64.exe2011-12-06 18:42 . 2011-08-29 13:44 1029120 ----a-w- c:\windows\system32\IDTNX.dll2011-12-06 18:42 . 2011-08-29 13:44 224256 ----a-w- c:\windows\system32\staco64.dll2011-12-06 18:42 . 2011-08-29 13:44 68608 ----a-w- c:\windows\system32\AESTAR64.dll2011-12-06 18:42 . 2011-08-29 13:44 162304 ----a-w- c:\windows\system32\AESTAC64.dll2011-12-06 18:42 . 2011-08-29 13:44 90624 ----a-w- c:\windows\system32\AESTCo64.dll2011-12-06 18:40 . 2011-08-29 13:44 338536 ----a-w- c:\windows\system32\drivers\RtsPStor.sys2011-12-06 18:35 . 2010-12-17 02:26 411944 ----a-w- c:\windows\system32\SynCOM.dll2011-10-03 23:11 . 2011-10-03 23:11 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2011-10-03 17:19 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-12-06 113288]"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-09-05 35736]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2011-03-16 61112]"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-07-11 574008]"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFMS0ctWU9CNkYtMlk0WFAtQUVPS08tQkszRE0tMg&inst=NzYtOTM3ODAwMzA4LVNUMTJPSSsxLUREVCswLUVVTEErMS1TVDEyQVBQKzE∏=92&ver=2012.0.1834&mid=65d2314623f847d18b3dc15632f54768-891365ebb3de5613ea22433b7c91de5174cfa95c" [?].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"EnableShellExecuteHooks"= 1 (0x1).[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks].[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp.R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-10 136176]R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-10 136176]R3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-07-28 340240]R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-09-05 64952]S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-12-06 89600]S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-08-31 1166848]S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-09-01 227896]S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-07-11 26680]S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-12-06 2413056]S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-22 2656280]S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [x]..Contents of the 'Scheduled Tasks' folder.2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-10 22:48].2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-10 22:48].2011-12-29 c:\windows\Tasks\HPCeeScheduleForHP _Pavilion_dv6.job- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15].2011-12-29 c:\windows\Tasks\HPCeeScheduleForHP_PAVILION_DV6$.job- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]..--------- x86-64 -----------..[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-15 168216]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-15 392472]"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-15 416024]"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-07-28 1935120]"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-12-06 1128448]"combofix"="c:\combofix\CF5357.3XE" [2010-11-21 345088].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"LoadAppInit_DLLs"=0x0.------- Supplementary Scan -------.uStart Page = hxxp://www.scroogle.org/scraper.htmluLocal Page = c:\windows\system32\blank.htmmLocal Page = c:\windows\SysWOW64\blank.htmIE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204FF - ProfilePath - c:\users\HP _Pavilion_dv6\AppData\Roaming\Mozilla\Firefox\Profiles\ycw2uolo.default\FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/scraper.htmlFF - prefs.js: network.proxy.type - 0.- - - - ORPHANS REMOVED - - - -.HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exeAddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exeAddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exeAddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.10".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).------------------------ Other Running Processes ------------------------.c:\windows\SysWOW64\ezSharedSvcHost.exec:\program files (x86)\CyberLink\YouCam\YCMMirage.exec:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe.**************************************************************************.Completion time: 2012-01-01 07:28:15 - machine was rebootedComboFix-quarantined-files.txt 2012-01-01 12:28.Pre-Run: 435,259,858,944 bytes freePost-Run: 434,507,698,176 bytes free.- - End Of File - - 3BBFF4CEA9021E6CF4FA78B3012A3374log.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 18, 2012 ID:528163 Share Posted February 18, 2012 Hello,Provide an update on current situation.You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsFor directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware ProgramsDo NOT turn off the firewallClose all open browsers at this point.Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.Using Internet Explorer browser only, go to ESET Online Scanner website:http://www.eset.com/onlinescan/Accept the Terms of Use and press Start button;Approve the install of the required ActiveX Control, then follow on-screen instructions;Enable (check) the Remove found threats option, and run the scan.After the scan completes, the Details tab in the Results window will display what was found and removed. A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt. Look at contents of this file using Notepad or Wordpad.The Frequently Asked Questions for ESET Online Scanner can be viewed herehttp://go.eset.com/us/online-scanner/faqIt is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner. (And the prompt re-enabling when finished.) If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.Do not use the system while the scan is running. Once the full scan is underway, go take a long break Re-enable the antivirus program.Reply with copy of the Eset scan logIf we do not hear from you within 3 days, this topic will be closed. Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 20, 2012 ID:528806 Share Posted February 20, 2012 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts