Need help, please


Here is the log file. I tried to run combofix again, but it will not run.

All processes killed

========== FILES ==========

C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

File\Folder [EMPTYJAVA] not found.

File\Folder [emptytemp] not found.

OTL by OldTimer - Version 3.2.43.0 log created on 05172012_145802

RogueKiller V7.4.4 [05/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Safe mode with network support

User: XXXX [Admin rights]

Mode: Scan -- Date: 05/17/2012 15:05:42

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤

[SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : OTL ("C:\Users\XXXX\Desktop\OTL.com") -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721050CLA362 ATA Device +++++

--- User ---

[MBR] 79afe5bcbfc5f257e57928f6acf34914

[BSP] 1f84320b928eeee4fd2e6532c395516f : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

2 Subdirectories "L" and "U" and a system file named "@", 2 kb in size.

In L there are 3 files, all 1kb in size : 1afb2d56 , 201d3dde , and 00000004.@

In U there are 6 files, including the one often blocked by avast, 00000008.@ (228 kb)

I was eventually able to delete c:\windows\installer\{2bc322fd-374a-335c-86c0-be0568af8c80} and everything in it. ping.exe is no longer being launched and no more tabs are being opened in my browser. I just launched combofix and it ran this time.

Ok, here is the log from combofix:

ComboFix 12-05-17.05 - XXXX 05/17/2012 18:35:15.2.4 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.2985 [GMT -4:00]

Running from: c:\users\XXXX\Desktop\sega.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

.

---- Previous Run -------

.

C:\install.exe

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

.

.

((((((((((((((((((((((((( Files Created from 2012-04-17 to 2012-05-17 )))))))))))))))))))))))))))))))

.

.

2012-05-17 22:43 . 2012-05-17 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-17 18:33 . 2012-05-17 18:33 -------- d-----w- C:\_OTL

2012-05-17 02:22 . 2012-05-17 12:42 -------- d-----w- c:\users\XXXX\AppData\Local\NPE

2012-05-17 02:22 . 2012-05-17 02:22 -------- d-----w- c:\programdata\Norton

2012-05-17 01:44 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-05-17 01:44 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-05-17 01:44 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-05-17 01:44 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-05-17 01:43 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-05-17 01:43 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-05-17 01:43 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr

2012-05-17 01:43 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe

2012-05-17 01:25 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe

2012-05-17 01:24 . 2012-05-17 01:43 -------- d-----w- c:\programdata\AVAST Software

2012-05-17 01:24 . 2012-05-17 01:43 -------- d-----w- c:\program files\AVAST Software

2012-05-17 00:53 . 2012-03-01 06:54 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-05-17 00:53 . 2012-03-01 06:45 220672 ----a-w- c:\windows\system32\wintrust.dll

2012-05-17 00:53 . 2012-03-01 06:40 80896 ----a-w- c:\windows\system32\imagehlp.dll

2012-05-17 00:53 . 2012-03-01 05:49 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2012-05-17 00:53 . 2012-03-01 05:45 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll

2012-05-17 00:53 . 2012-03-01 06:35 5120 ----a-w- c:\windows\system32\wmi.dll

2012-05-17 00:53 . 2012-03-01 05:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll

2012-05-17 00:49 . 2010-11-02 05:17 1169408 ----a-w- c:\windows\system32\taskschd.dll

2012-05-17 00:49 . 2010-11-02 05:16 1114624 ----a-w- c:\windows\system32\schedsvc.dll

2012-05-17 00:49 . 2010-11-02 05:10 464384 ----a-w- c:\windows\system32\taskeng.exe

2012-05-17 00:49 . 2010-11-02 05:18 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll

2012-05-17 00:49 . 2010-11-02 05:17 473600 ----a-w- c:\windows\system32\taskcomp.dll

2012-05-17 00:49 . 2010-11-02 05:10 285696 ----a-w- c:\windows\system32\schtasks.exe

2012-05-17 00:49 . 2010-11-02 04:40 496128 ----a-w- c:\windows\SysWow64\taskschd.dll

2012-05-17 00:49 . 2010-11-02 04:40 305152 ----a-w- c:\windows\SysWow64\taskcomp.dll

2012-05-17 00:49 . 2010-11-02 04:34 192000 ----a-w- c:\windows\SysWow64\taskeng.exe

2012-05-17 00:49 . 2010-11-02 04:34 179712 ----a-w- c:\windows\SysWow64\schtasks.exe

2012-05-17 00:46 . 2012-02-15 06:27 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2012-05-17 00:45 . 2011-03-03 06:14 30208 ----a-w- c:\windows\system32\dnscacheugc.exe

2012-05-17 00:41 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll

2012-05-17 00:41 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll

2012-05-17 00:41 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll

2012-05-17 00:41 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll

2012-05-16 21:40 . 2012-05-16 21:40 -------- d-----w- c:\users\XXXX\AppData\Roaming\Malwarebytes

2012-05-16 21:40 . 2012-05-16 23:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-16 21:40 . 2012-05-16 21:40 -------- d-----w- c:\programdata\Malwarebytes

2012-05-16 21:40 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-16 18:23 . 2012-05-16 18:23 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-05-16 13:54 . 2012-05-16 13:54 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-05-09 14:29 . 2012-05-09 14:29 -------- d-----w- c:\program files (x86)\Warlock - Master of the Arcane

2012-05-06 11:40 . 2012-05-06 11:40 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service

2012-05-06 11:40 . 2012-05-06 11:40 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe

2012-05-06 11:40 . 2012-05-06 11:40 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe

2012-04-29 18:44 . 2012-04-29 18:44 -------- d-----w- c:\program files (x86)\DROD - Journey to Rooted Hold

2012-04-25 15:12 . 2012-04-25 15:20 -------- d-----w- c:\users\XXXX\AppData\Local\BoH

2012-04-22 03:36 . 2012-02-29 21:00 3089728 ----a-w- c:\windows\system32\nvsvc64.dll

2012-04-22 03:36 . 2012-02-29 21:00 6074176 ----a-w- c:\windows\system32\nvcpl.dll

2012-04-22 03:36 . 2012-02-29 20:59 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2012-04-22 03:36 . 2012-02-29 20:59 63296 ----a-w- c:\windows\system32\nvshext.dll

2012-04-22 03:36 . 2012-02-29 20:59 118080 ----a-w- c:\windows\system32\nvmctray.dll

2012-04-22 03:36 . 2012-02-29 20:59 2515790 ----a-w- c:\windows\system32\nvcoproc.bin

2012-04-22 00:08 . 2012-04-22 00:09 -------- d-----w- c:\programdata\Battle.net

2012-04-21 00:22 . 2012-04-21 00:22 -------- d--h--w- c:\programdata\Common Files

2012-04-21 00:22 . 2012-04-21 00:22 -------- d-----w- c:\users\XXXX\AppData\Roaming\AVG2012

2012-04-21 00:21 . 2012-04-21 01:15 -------- d-----w- c:\programdata\AVG2012

2012-04-21 00:21 . 2012-04-21 00:21 -------- d-----w- c:\program files (x86)\AVG

2012-04-21 00:12 . 2012-04-21 01:14 -------- d-----w- c:\programdata\MFAData

2012-04-19 11:25 . 2012-04-19 11:25 -------- d-----w- c:\program files (x86)\Strategy First

2012-04-18 23:57 . 2012-04-18 23:57 -------- d-----w- c:\programdata\Trymedia

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-16 18:23 . 2012-02-08 11:54 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-02-29 17:26 . 2012-02-29 17:26 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-02-23 14:18 . 2010-12-05 07:08 279656 ------w- c:\windows\system32\MpSigStub.exe

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe

.

((((((((((((((((((((((((((((( SnapShot@2012-05-17_22.23.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-12-05 06:03 . 2012-05-17 22:45 27320 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2012-05-17 22:45 27774 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-12-05 05:56 . 2012-05-17 22:45 11866 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2980796359-892880252-2195086714-1000_UserData.bin

+ 2012-05-17 22:43 . 2012-05-17 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-05-17 21:14 . 2012-05-17 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-05-17 21:14 . 2012-05-17 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2012-05-17 22:43 . 2012-05-17 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2009-07-14 04:54 . 2012-05-17 22:44 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-07-14 04:54 . 2012-05-17 21:14 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-07-14 02:36 . 2012-05-17 22:33 668836 c:\windows\system32\perfh009.dat

- 2009-07-14 02:36 . 2012-05-17 21:21 668836 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2012-05-17 22:33 125022 c:\windows\system32\perfc009.dat

- 2009-07-14 02:36 . 2012-05-17 21:21 125022 c:\windows\system32\perfc009.dat

+ 2009-07-14 05:01 . 2012-05-17 22:43 302884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2009-07-14 05:01 . 2012-05-17 16:05 302884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2009-07-14 04:54 . 2012-05-17 21:14 3538944 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2012-05-17 22:44 3538944 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2012-05-17 21:14 2424832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:54 . 2012-05-17 22:44 2424832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 44544]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]

.

c:\users\XXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer9"=wdmaud.drv

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 257696]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-06 129976]

R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSB64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-17 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 18:23]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

LSP: mswsock.dll

TCP: DhcpNameServer = 205.152.37.23 205.152.144.23

FF - ProfilePath - c:\users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{f999a48b-1950-4d81-9971-79018f807b4b} - (no file)

AddRemove-Colossus - c:\windows\system32\javaws.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

"??"=hex:7d,cf,5b,34,ec,48,56,42,4e,88,81,b0,58,70,a2,9c,53,42,fb,dd,c7,30,71,

2b,c2,8e,5d,7b,e5,2c,20,76,49,a3,73,c8,75,c3,43,87,85,a3,71,31,ca,c2,89,09,\

"??"=hex:e2,bf,e6,2a,68,02,e7,0c,52,ce,22,c1,42,12,59,53

.

[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\License information*]

"datasecu"=hex:3c,a9,11,c3,79,9f,72,00,7d,67,71,ff,bc,ee,af,78,a2,74,45,58,80,

1a,0e,82,c7,b5,b9,b9,1e,c7,28,41,16,66,87,aa,ca,e5,71,03,93,5c,e5,b9,af,0d,\

"rkeysecu"=hex:20,5c,10,af,cd,f4,aa,f1,13,38,db,b1,20,73,47,4f

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files (x86)\OpenOffice.org 3\program\soffice.exe

c:\program files (x86)\OpenOffice.org 3\program\soffice.bin

.

**************************************************************************

.

Completion time: 2012-05-17 18:50:47 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-17 22:50

.

Pre-Run: 37,393,956,864 bytes free

Post-Run: 37,351,129,088 bytes free

.

- - End Of File - - 44FE77373CC2B4E43723BDA38AD69C95

Upon further scanning,

c:\windows\assembly\GAC_32\Desktop.ini and c:\windows\assembly\GAC_64\Desktop.ini

no longer show up as infected. Still no ping.exe being generated and no pop-ups. I will check back in the morning to see if perhaps you see something amiss, which I am hopeful that you don't, heh.

Thank you very much for your help again.

The computer seems to be running fine, nothing unusual that I have noticed. Thanks again for all of your help. Here is the MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.18.07

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

XXXX:: XXXX-PC [administrator]

5/18/2012 2:42:14 PM

mbam-log-2012-05-18 (14-42-14).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 205646

Time elapsed: 2 minute(s),

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Good.....a little cleanup to do......

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

-------------------------------

You have out-of-date Java on the system; older versions are vulnerable to malware.

Please go to your Control Panel's Add/Remove Programs and uninstall these:

Java Auto Updater

Java™ 6 Update 26

Then download and install the latest version, Java™ 7 Update 4.

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-----------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
