
Merged two posts.

We look for posts with 0 replies, so when you replied to your own topic, we assumed you were being helped.

Do Not bump your topic.

I have a user who is still suffering from Google redirects.

MWB comes up clean, Trend Micro WFB reports no infections, SAS comes up clean, TDSS Killer comes up clean, MBR Check came up clean, et cetera, et cetera. HitmanPro initially reported some ZeroAccess stuff which it allegedly removed.

Combofix does not delete any files. Yes, I know I'm not supposed to run Combofix without being asked to. Hopefully you all will anoint me for my sins. I just need a resolution. I'm an IT Professional (or at least I play one on TV), and I have a disk image backup prior to trying anything.

After running all of these tools, and straight from reboot, the System Idle Process starts jabbering out to random locations on the Internet. I know this from running Netstat. I thought that was strange. It's a Windows 7 Pro machine, as you'll tell, as is mine. My System Idle Process does not show any connections out to the Internet.

Here's the Combofix Log

ComboFix 12-06-26.02 - jeanne 06/27/2012 11:27:29.4.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2035.974 [GMT -4:00]

Running from: c:\users\jeanne\Desktop\ComboFix.exe

AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

FW: Trend Micro Personal Firewall *Disabled* {50C2E989-60CF-0845-AFD3-290B7D301E79}

SP: Trend Micro Client/Server Security Agent Anti-spyware *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 )))))))))))))))))))))))))))))))

.

.

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\SMS\AppData\Local\temp

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\administrator\AppData\Local\temp

2012-06-27 15:34 . 2012-06-27 15:34 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\temp

2012-06-27 15:02 . 2012-06-27 15:02 -------- d-----w- c:\users\jeanne\AppData\Roaming\SUPERAntiSpyware.com

2012-06-27 15:01 . 2012-06-27 15:02 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-06-27 15:01 . 2012-06-27 15:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-06-27 14:43 . 2012-06-27 14:43 12872 ----a-w- c:\windows\system32\bootdelete.exe

2012-06-25 12:17 . 2012-06-25 12:17 -------- d-----w- c:\users\jeanne\AppData\Local\Macromedia

2012-06-22 21:00 . 2012-06-22 21:00 -------- d-----w- c:\program files (x86)\Dell Digital Delivery

2012-06-21 12:24 . 2012-06-21 12:24 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll

2012-06-21 12:24 . 2012-06-21 12:24 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll

2012-06-19 16:35 . 2012-06-19 16:35 -------- d-----w- c:\users\DefaultAppPool

2012-06-18 00:41 . 2012-06-18 00:41 -------- d-----w- c:\windows\system32\log

2012-06-18 00:40 . 2012-06-18 00:41 -------- d-----w- c:\program files (x86)\Trend Micro

2012-06-13 07:04 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 07:04 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-13 07:04 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-13 07:01 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-06-13 07:01 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-06-13 07:01 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-06-13 07:01 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 07:01 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-03 21:27 . 2012-06-03 21:27 -------- d-----w- c:\users\jeanne\AppData\Local\Apple

2012-06-01 19:27 . 2012-06-27 14:44 -------- d-----w- c:\programdata\HitmanPro

2012-06-01 18:15 . 2012-06-01 18:15 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Mozilla

2012-06-01 17:46 . 2012-06-27 15:37 -------- d-----w- c:\users\jeanne\AppData\Local\temp

2012-05-31 16:21 . 2012-05-31 16:21 -------- d-----w- c:\users\jeanne\AppData\Roaming\Malwarebytes

2012-05-31 13:00 . 2012-05-31 13:00 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Malwarebytes

2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-31 12:59 . 2012-05-31 12:59 -------- d-----w- c:\programdata\Malwarebytes

2012-05-31 12:59 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-31 12:31 . 2012-05-31 12:31 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Roxio Burn

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\ICAClient

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Roaming\Hewlett-Packard Company

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\Citrix

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26}

2012-05-31 12:08 . 2012-05-31 12:08 -------- d-----w- c:\users\Administrator.SMSPC16\AppData\Local\LogMeIn

2012-05-30 17:45 . 2012-05-30 17:45 -------- d-----w- c:\users\jeanne\AppData\Local\{2D5CE1D8-AA7F-11E1-8270-B8AC6F996F26}

2012-05-30 17:38 . 2012-05-30 17:38 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-05-30 17:35 . 2012-05-31 16:27 -------- d-----w- c:\program files (x86)\Common Files\Outlook

2012-05-30 17:34 . 2012-05-31 11:52 -------- d-----w- c:\users\jeanne\AppData\Roaming\Ifysi

2012-05-30 17:34 . 2012-05-30 17:44 -------- d-----w- c:\users\jeanne\AppData\Roaming\Elor

2012-05-30 17:34 . 2012-05-30 17:34 -------- d-----w- c:\users\jeanne\AppData\Roaming\Akpuor

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-23 15:20 . 2012-04-04 19:19 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-23 15:20 . 2012-03-28 15:42 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-23 15:20 . 2012-04-13 20:20 9815752 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2012-05-22 15:52 . 2012-05-22 15:52 608 --sha-w- c:\windows\system32\winzvprt5.sys

2012-05-22 12:13 . 2012-04-22 18:23 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-05-22 12:13 . 2012-04-22 18:23 34688 ----a-w- c:\windows\system32\LMIport.dll

2012-05-22 12:13 . 2012-04-22 18:23 80768 ----a-w- c:\windows\system32\LMIinit.dll

2012-05-08 17:02 . 2012-05-30 03:04 8955792 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{310DB10C-D086-496B-86CD-8E51A4A25BE9}\mpengine.dll

2012-04-04 16:39 . 2010-06-24 16:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-03-30 11:35 . 2012-05-09 07:00 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AutomatedTaskLauncher"="c:\program files (x86)\Comdata\Shared\Applications\CDAtl.exe" [2004-06-01 77824]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-26 4787072]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]

"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-04-05 371864]

"ToolboxFX"="c:\program files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]

"OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" [2012-01-09 1712656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

"EnableLinkedConnections"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3699739257-3343509579-3915199227-500\Scripts\Logon\0\0]

"Script"=LaunchNotificationUI.cmd

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-12-20 1691848]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]

R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]

R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-21 113120]

R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-04 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2012-02-14 93272]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]

S2 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-06-19 173056]

S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2010-10-25 145920]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-05-22 375176]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-09-16 15928]

S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]

S2 svcGenericHost;Trend Micro Client/Server Security Agent;c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [2012-05-14 50704]

S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2011-07-12 342288]

S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2011-07-12 42768]

S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppdbulkio.sys [2010-12-14 22040]

S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppdfaxio.sys [2010-12-14 23576]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]

S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]

S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [2012-04-27 918032]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 15:20]

.

2012-05-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]

.

2012-06-26 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\pcdrcui.exe [2011-12-14 04:09]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-04 167960]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-04 391704]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-04 418328]

"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928]

"HP LaserJet Professional M1530 MFP Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2010-08-24 3706424]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.foxnews.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

Trusted Zone: iconnectdata.com\w6

Trusted Zone: vospro.net\go

TCP: DhcpNameServer = 192.168.0.2

FF - ProfilePath - c:\users\jeanne\AppData\Roaming\Mozilla\Firefox\Profiles\ar10f2xn.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/|http://www.drudgereport.com/|http://www.msn.com/

FF - prefs.js: network.proxy.type - 0

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe

c:\program files (x86)\Citrix\ICA Client\Receiver\Receiver.exe

c:\program files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe

c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe

c:\program files (x86)\Citrix\SelfServicePlugin\SelfService.exe

.

**************************************************************************

.

Completion time: 2012-06-27 11:42:45 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-27 15:42

ComboFix2.txt 2012-06-01 17:46

.

Pre-Run: 419,192,397,824 bytes free

Post-Run: 419,038,064,640 bytes free

.

Here's the Netstat Log:

Active Connections

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:7 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:9 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:13 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:17 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:19 SMSPC16:0 LISTENING 2516

TCP 0.0.0.0:80 SMSPC16:0 LISTENING 4

TCP 0.0.0.0:135 SMSPC16:0 LISTENING 772

TCP 0.0.0.0:445 SMSPC16:0 LISTENING 4

TCP 0.0.0.0:515 SMSPC16:0 LISTENING 1548

TCP 0.0.0.0:2002 SMSPC16:0 LISTENING 2036

TCP 0.0.0.0:3389 SMSPC16:0 LISTENING 1084

TCP 0.0.0.0:5357 SMSPC16:0 LISTENING 4

TCP 0.0.0.0:49152 SMSPC16:0 LISTENING 432

TCP 0.0.0.0:49153 SMSPC16:0 LISTENING 856

TCP 0.0.0.0:49154 SMSPC16:0 LISTENING 948

TCP 0.0.0.0:49187 SMSPC16:0 LISTENING 508

TCP 0.0.0.0:49197 SMSPC16:0 LISTENING 492

TCP 0.0.0.0:61116 SMSPC16:0 LISTENING 1240

TCP 127.0.0.1:2002 SMSPC16:49246 ESTABLISHED 2036

TCP 127.0.0.1:6999 SMSPC16:0 LISTENING 2616

TCP 127.0.0.1:6999 SMSPC16:49346 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49349 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49350 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49351 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49353 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49354 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49355 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49364 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49367 TIME_WAIT 0

TCP 127.0.0.1:6999 SMSPC16:49372 TIME_WAIT 0

TCP 127.0.0.1:21112 SMSPC16:0 LISTENING 2868

TCP 127.0.0.1:49246 SMSPC16:2002 ESTABLISHED 4392

TCP 127.0.0.1:49361 SMSPC16:6999 TIME_WAIT 0

TCP 127.0.0.1:49369 SMSPC16:6999 TIME_WAIT 0

TCP 192.168.0.127:139 SMSPC16:0 LISTENING 4

TCP 192.168.0.127:49191 smssrvr:ldap ESTABLISHED 316

TCP 192.168.0.127:49210 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49211 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49213 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49214 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49219 smssrvr:microsoft-ds ESTABLISHED 4

TCP 192.168.0.127:49229 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49244 smssrvr:6012 ESTABLISHED 1332

TCP 192.168.0.127:49274 smssrvr:6012 ESTABLISHED 1332

TCP 192.168.0.127:49288 a23-64-249-83:https ESTABLISHED 2152

TCP 192.168.0.127:49292 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49317 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49320 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49327 64.74.103.163:https ESTABLISHED 2036

TCP 192.168.0.127:49334 network-098-027-088-048:http TIME_WAIT 0

TCP 192.168.0.127:49341 65.55.53.190:http TIME_WAIT 0

TCP 192.168.0.127:49342 network-098-027-088-030:http TIME_WAIT 0

TCP 192.168.0.127:49348 network-098-027-088-030:http TIME_WAIT 0

TCP 192.168.0.127:49362 216.35.15.168:http TIME_WAIT 0

TCP 192.168.0.127:49363 network-098-027-088-030:http TIME_WAIT 0

TCP 192.168.0.127:49370 iad23s06-in-f1:http TIME_WAIT 0

TCP 192.168.0.127:49371 network-098-027-088-030:http TIME_WAIT 0

TCP [::]:7 SMSPC16:0 LISTENING 2516

TCP [::]:9 SMSPC16:0 LISTENING 2516

TCP [::]:13 SMSPC16:0 LISTENING 2516

TCP [::]:17 SMSPC16:0 LISTENING 2516

TCP [::]:19 SMSPC16:0 LISTENING 2516

TCP [::]:80 SMSPC16:0 LISTENING 4

TCP [::]:135 SMSPC16:0 LISTENING 772

TCP [::]:445 SMSPC16:0 LISTENING 4

TCP [::]:515 SMSPC16:0 LISTENING 1548

TCP [::]:3389 SMSPC16:0 LISTENING 1084

TCP [::]:5357 SMSPC16:0 LISTENING 4

TCP [::]:49152 SMSPC16:0 LISTENING 432

TCP [::]:49153 SMSPC16:0 LISTENING 856

TCP [::]:49154 SMSPC16:0 LISTENING 948

TCP [::]:49187 SMSPC16:0 LISTENING 508

TCP [::]:49197 SMSPC16:0 LISTENING 492

UDP 0.0.0.0:7 *:* 2516

UDP 0.0.0.0:9 *:* 2516

UDP 0.0.0.0:13 *:* 2516

UDP 0.0.0.0:17 *:* 2516

UDP 0.0.0.0:19 *:* 2516

UDP 0.0.0.0:123 *:* 328

UDP 0.0.0.0:427 *:* 5848

UDP 0.0.0.0:500 *:* 948

UDP 0.0.0.0:3702 *:* 1812

UDP 0.0.0.0:3702 *:* 1812

UDP 0.0.0.0:4500 *:* 948

UDP 0.0.0.0:5355 *:* 1084

UDP 0.0.0.0:51335 *:* 1812

UDP 0.0.0.0:56305 *:* 1240

UDP 0.0.0.0:61117 *:* 1240

UDP 127.0.0.1:1900 *:* 1812

UDP 127.0.0.1:51265 *:* 316

UDP 127.0.0.1:51709 *:* 3144

UDP 127.0.0.1:53037 *:* 1084

UDP 127.0.0.1:58742 *:* 508

UDP 127.0.0.1:63173 *:* 1812

UDP 192.168.0.127:137 *:* 4

UDP 192.168.0.127:138 *:* 4

UDP 192.168.0.127:427 *:* 5848

UDP 192.168.0.127:1900 *:* 1812

UDP 192.168.0.127:32527 *:* 2036

UDP 192.168.0.127:32528 *:* 2036

UDP 192.168.0.127:63172 *:* 1812

UDP [::]:7 *:* 2516

UDP [::]:9 *:* 2516

UDP [::]:13 *:* 2516

UDP [::]:17 *:* 2516

UDP [::]:19 *:* 2516

UDP [::]:123 *:* 328

UDP [::]:500 *:* 948

UDP [::]:3702 *:* 1812

UDP [::]:3702 *:* 1812

UDP [::]:4500 *:* 948

UDP [::]:5355 *:* 1084

UDP [::]:51336 *:* 1812

UDP [::1]:1900 *:* 1812

UDP [::1]:63171 *:* 1812

UDP [fe80::3473:e559:9252:a169%11]:1900 *:* 1812

UDP [fe80::3473:e559:9252:a169%11]:63170 *:* 1812

bump...
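Every row in the netstat dump above with PID 0 is in TIME_WAIT. Windows netstat reports PID 0 for TIME_WAIT sockets because the process that used them has already closed them, so such rows cannot be attributed to any running process (PID 0 is the entry Task Manager labels System Idle Process). The following triage script is an added example, not part of the post: it groups remote sockets by owning PID and keeps the PID 0 rows apart; the sample rows are copied from the dump, and hostnames netstat resolved (smssrvr, a23-64-249-83) cannot be verified offline, so they are listed for manual follow-up.

```python
"""Triage a pasted Windows `netstat -ano` dump.

Rows are split into proto / local / foreign / state / PID, the foreign host
is bucketed (loopback, RFC 1918, external, unresolved name) and remote sockets
are grouped by owning PID. PID 0 rows are kept separate: they are TIME_WAIT
leftovers whose owning process has already exited or closed the socket.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of rows copied from the netstat dump above.
SAMPLE = """\
Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 SMSPC16:0 LISTENING 4
TCP 127.0.0.1:6999 SMSPC16:49346 TIME_WAIT 0
TCP 192.168.0.127:49191 smssrvr:ldap ESTABLISHED 316
TCP 192.168.0.127:49210 a23-64-249-83:https ESTABLISHED 2152
TCP 192.168.0.127:49292 64.74.103.163:https ESTABLISHED 2036
TCP 192.168.0.127:49341 65.55.53.190:http TIME_WAIT 0
TCP 192.168.0.127:49370 iad23s06-in-f1:http TIME_WAIT 0
TCP [::]:3389 SMSPC16:0 LISTENING 1084
UDP 0.0.0.0:123 *:* 328
UDP [fe80::3473:e559:9252:a169%11]:1900 *:* 1812
"""

# TCP rows carry a state column, UDP rows do not; the PID is always last.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def split_endpoint(ep):
    """'host:port' or '[v6]:port' -> (host, port); '*:*' -> ('*', '*')."""
    host, _, port = ep.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, port


def classify(host):
    """Bucket a host as wildcard, loopback, private, external or name."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return "name"  # netstat resolved it; cannot be verified offline
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "external"


def triage(text):
    """Group remote sockets by owning PID; keep PID 0 rows separate."""
    report = {"listening": [], "by_pid": defaultdict(set),
              "unattributed": [], "unresolved_names": set()}
    for r in parse(text):
        lhost, lport = split_endpoint(r["local"])
        fhost, fport = split_endpoint(r["foreign"])
        if r["state"] == "LISTENING" or r["foreign"] == "*:*":
            report["listening"].append((r["proto"], lport, r["pid"]))
            continue
        if classify(lhost) == "loopback":
            continue  # local IPC only, never leaves the host
        kind = classify(fhost)
        if kind == "name":
            report["unresolved_names"].add(fhost)
        if kind in ("external", "name"):
            if r["pid"] == 0:  # TIME_WAIT leftover, no owning process
                report["unattributed"].append((fhost, fport, r["state"]))
            else:
                report["by_pid"][r["pid"]].add(f"{fhost}:{fport}")
    return report
```

Run `triage(open("netstat.txt").read())` on a full `netstat -ano` capture to get the same grouping for the whole dump; the `by_pid` keys are what to match against `tasklist` output.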


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
