
Babylon + lsass infected


z270


Hi there,

Last night I accidentally installed the Babylon toolbar and it brought with it something called Browser Manager that started to mess up my computer. I couldn't use the process manager, and my antivirus and IP blocker both stopped running (ESET and PeerBlock). Previously, lsass.exe was also infected, though I didn't know about that until after the Babylon incident (I ran ComboFix and it found it, but couldn't fix it). I have my drive set up as two partitions, one for the OS and another for personal files. I didn't have time to try to fix the OS so I simply reinstalled Windows (deleted the old OS partition/formatted it from the Windows 7 install disk, which I don't think actually erases the data, simply marks the clusters as free?). I just want to make sure there aren't any traces of the old malware carrying over somehow (perhaps from files on my other partition). I installed both Malwarebytes and SUPERAntiSpyware and ran them both without finding anything. Perhaps I'm a bit anal, but I thought I'd ask you guys if there is anything else I can do to check.

Cheers and thank you!

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Arya at 13:36:32 on 2012-09-18

Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.4095.2408 [GMT -4:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\wbengine.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\System32\vds.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit=userinit.exe

mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{82B35ED5-47FC-4DFB-80A9-35C138FEECDB} : DhcpNameServer = 192.168.1.1

mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Arya\AppData\Roaming\Mozilla\Firefox\Profiles\2i8bwflo.default\

.

============= SERVICES / DRIVERS ===============

.

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x64.sys --> C:\Windows\system32\DRIVERS\l160x64.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-09-18 16:56:50 971624 ----a-w- C:\Windows\System32\nvumdshimx.dll

2012-09-18 16:55:20 -------- d-----w- C:\Program Files\NVIDIA Corporation

2012-09-18 16:54:58 -------- d-----w- C:\NVIDIA

2012-09-18 08:18:03 -------- d-----w- C:\Windows\Panther

2012-09-18 06:30:27 1135104 ----a-w- C:\Windows\System32\FntCache.dll

2012-09-18 06:30:25 -------- d-----w- C:\Users\Arya\AppData\Roaming\Malwarebytes

2012-09-18 06:30:18 -------- d-----w- C:\ProgramData\Malwarebytes

2012-09-18 06:23:42 -------- d-----w- C:\Windows\SysWow64\Wat

2012-09-18 06:23:42 -------- d-----w- C:\Windows\System32\Wat

2012-09-18 05:54:48 367104 ----a-w- C:\Windows\System32\wcncsvc.dll

2012-09-18 05:54:47 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll

2012-09-18 05:35:41 311808 ----a-w- C:\Windows\System32\msv1_0.dll

2012-09-18 05:35:41 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll

2012-09-18 05:23:23 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys

2012-09-18 05:18:00 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll

2012-09-18 05:18:00 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll

2012-09-18 05:18:00 48960 ----a-w- C:\Windows\System32\netfxperf.dll

2012-09-18 05:18:00 444752 ----a-w- C:\Windows\System32\mscoree.dll

2012-09-18 05:18:00 320352 ----a-w- C:\Windows\System32\PresentationHost.exe

2012-09-18 05:18:00 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll

2012-09-18 05:18:00 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe

2012-09-18 05:18:00 1942856 ----a-w- C:\Windows\System32\dfshim.dll

2012-09-18 05:18:00 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll

2012-09-18 05:18:00 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll

2012-09-18 05:12:48 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2012-09-18 05:03:10 80896 ----a-w- C:\Windows\System32\imagehlp.dll

2012-09-18 05:03:10 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2012-09-18 05:03:10 5120 ----a-w- C:\Windows\System32\wmi.dll

2012-09-18 05:03:10 22896 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2012-09-18 05:03:10 220672 ----a-w- C:\Windows\System32\wintrust.dll

2012-09-18 05:03:10 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-09-18 05:03:10 158720 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2012-09-18 05:01:29 243712 ----a-w- C:\Windows\System32\drivers\ks.sys

2012-09-18 04:59:59 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll

2012-09-18 04:58:59 223448 ----a-w- C:\Windows\System32\drivers\fvevol.sys

2012-09-18 04:57:59 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys

2012-09-18 04:57:59 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll

2012-09-18 04:57:59 634368 ----a-w- C:\Windows\System32\msvcrt.dll

2012-09-18 04:57:58 112000 ----a-w- C:\Windows\System32\consent.exe

2012-09-18 04:51:26 976896 ----a-w- C:\Windows\System32\inetcomm.dll

2012-09-18 04:51:26 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2012-09-18 04:51:08 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe

2012-09-18 04:51:08 31232 ----a-w- C:\Windows\System32\prevhost.exe

2012-09-18 04:51:05 1739160 ----a-w- C:\Windows\System32\ntdll.dll

2012-09-18 04:51:05 1292592 ----a-w- C:\Windows\SysWow64\ntdll.dll

2012-09-18 04:51:00 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-09-18 04:51:00 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-09-18 04:49:39 9728 ----a-w- C:\Windows\SysWow64\sscore.dll

2012-09-18 04:49:39 236032 ----a-w- C:\Windows\System32\srvsvc.dll

2012-09-18 04:47:55 77312 ----a-w- C:\Windows\System32\packager.dll

2012-09-18 04:47:55 67072 ----a-w- C:\Windows\SysWow64\packager.dll

2012-09-18 04:45:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-09-18 04:45:16 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-09-18 04:45:11 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-09-18 04:45:11 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-09-18 04:38:53 315904 ----a-w- C:\Windows\SysWow64\Difxf8ee.rra

2012-09-18 04:38:53 1976920 ------w- C:\Windows\SysWow64\xRaidSetup.exe

2012-09-18 04:38:53 162392 ------w- C:\Windows\SysWow64\xRaidAPI.dll

2012-09-18 04:38:48 -------- d-----w- C:\Windows\RaidTool

2012-09-18 04:38:31 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll

2012-09-18 04:38:31 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll

2012-09-18 04:38:31 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe

2012-09-18 04:38:31 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe

2012-09-18 04:38:31 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll

2012-09-18 04:38:31 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll

2012-09-18 04:38:30 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll

2012-09-18 04:38:30 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll

2012-09-18 04:27:18 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll

2012-09-18 04:27:11 -------- d-----w- C:\Intel

.

==================== Find3M ====================

.

2012-08-30 19:14:00 9066344 ----a-w- C:\Windows\System32\nvcuda.dll

2012-08-30 16:18:05 891240 ----a-w- C:\Windows\System32\nvvsvc.exe

2012-08-30 16:18:05 63336 ----a-w- C:\Windows\System32\nvshext.dll

2012-08-30 16:18:05 118120 ----a-w- C:\Windows\System32\nvmctray.dll

2012-08-30 16:18:04 3487434 ----a-w- C:\Windows\System32\nvcoproc.bin

2012-08-30 16:18:01 3266920 ----a-w- C:\Windows\System32\nvsvc64.dll

2012-08-30 16:17:59 6198120 ----a-w- C:\Windows\System32\nvcpl.dll

2012-08-02 17:55:04 574464 ----a-w- C:\Windows\System32\d3d10level9.dll

2012-08-02 17:05:42 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll

2012-07-18 17:31:12 3146752 ----a-w- C:\Windows\System32\win32k.sys

2012-07-04 22:01:38 58880 ----a-w- C:\Windows\System32\browcli.dll

2012-07-04 22:01:38 136704 ----a-w- C:\Windows\System32\browser.dll

2012-07-04 21:23:55 41472 ----a-w- C:\Windows\SysWow64\browcli.dll

.

============= FINISH: 13:36:48.19 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 18/09/2012 12:25:03 AM

System Uptime: 18/09/2012 12:58:42 PM (1 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P5K

Processor: Intel® Core2 Quad CPU Q9450 @ 2.66GHz | LGA775 | 2664/333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 58 GiB total, 37.445 GiB free.

D: is FIXED (NTFS) - 407 GiB total, 91.743 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Multimedia Audio Controller

Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10131102&REV_00\4&1542FBD&0&10F0

Manufacturer:

Name: Multimedia Audio Controller

PNP Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10131102&REV_00\4&1542FBD&0&10F0

Service:

.

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}

Description: Standard PS/2 Keyboard

Device ID: ACPI\PNP0303\4&20D7719E&0

Manufacturer: (Standard keyboards)

Name: Standard PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&20D7719E&0

Service: i8042prt

.

Class GUID:

Description: USB Camera-B4.04.27.1

Device ID: USB\VID_1415&PID_2000&MI_00\6&237E75F4&0&0000

Manufacturer:

Name: USB Camera-B4.04.27.1

PNP Device ID: USB\VID_1415&PID_2000&MI_00\6&237E75F4&0&0000

Service:

.

==== System Restore Points ===================

.

RP1: 18/09/2012 12:38:40 AM - Installed JMicron JMB36X Driver

RP2: 18/09/2012 12:45:01 AM - Windows Update

RP3: 18/09/2012 12:58:13 AM - Windows Update

RP4: 18/09/2012 1:01:06 AM - Windows Update

RP5: 18/09/2012 2:30:29 AM - Windows Update

.

==== Installed Programs ======================

.

JMicron JMB36X Driver

Mozilla Firefox 15.0.1 (x86 en-US)

NVIDIA PhysX

Realtek High Definition Audio Driver

.

==== Event Viewer Messages From Past Week ========

.

18/09/2012 2:28:46 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Internet Explorer 8 Compatibility View List for Windows 7 for x64-based Systems (KB2598845).

18/09/2012 2:28:46 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2544521).

18/09/2012 2:26:23 AM, Error: Service Control Manager [7023] -

18/09/2012 2:22:07 AM, Error: Service Control Manager [7043] - The Windows Modules Installer service did not shut down properly after receiving a preshutdown control.

.

==== End Of File ===========================

Forgot to note that lsass.exe kept trying to contact a certain address, though I blocked it with ESET. The times I did let it through, ESET blocked the access anyway as a bad link.


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download RogueKiller to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~

Then....................

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


RogueKiller:

RogueKiller V8.0.3 [09/13/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Arya [Admin rights]

Mode : Scan -- Date : 09/18/2012 17:54:23

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500320AS ATA Device +++++

--- User ---

[MBR] 2affabbd9e10be9ab0a63e758d26d6f4

[BSP] 8e5db028d4964658b6060ac891226926 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 59900 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 122882048 | Size: 416938 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>


AdwCleaner:

# AdwCleaner v2.002 - Logfile created 09/18/2012 at 17:54:51

# Updated 16/09/2012 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (64 bits)

# User : Arya - PERSIA

# Boot Mode : Normal

# Running from : C:\Users\Arya\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default

File : C:\Users\Arya\AppData\Roaming\Mozilla\Firefox\Profiles\2i8bwflo.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [689 octets] - [18/09/2012 17:54:51]

########## EOF - C:\AdwCleaner[R1].txt - [748 octets] ##########


It seems that something I am installing is causing the problem.

Once again I saw that lsass.exe was acting funny, so I ran ComboFix again.

This is the log:

ComboFix 12-09-18.07 - Arya 19/09/2012 20:36:33.1.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.4095.2690 [GMT -4:00]

Running from: c:\users\Arya\Downloads\Programs\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\Common Files\lsass.exe

c:\users\Arya\AppData\Roaming\lsass.exe

D:\install.exe

.

c:\windows\SysWow64\lsass.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-08-20 to 2012-09-20 )))))))))))))))))))))))))))))))

.

.

2012-09-19 23:52 . 2012-09-19 23:52 -------- d-----w- c:\program files (x86)\CDisplayEx

2012-09-19 23:37 . 2012-09-19 23:37 560184 ----a-w- c:\windows\system32\drivers\sptd.sys

2012-09-19 23:37 . 2012-09-19 23:37 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite

2012-09-19 23:36 . 2012-09-19 23:36 -------- d-----w- c:\programdata\DAEMON Tools Lite

2012-09-19 23:34 . 2012-09-19 23:34 -------- d-----w- c:\program files (x86)\Internet Download Manager

2012-09-19 23:34 . 2012-09-09 01:45 32256 ---h--w- c:\windows\SysWow64\lsass.exe

2012-09-19 04:38 . 2012-09-19 04:38 -------- d-----w- c:\program files (x86)\FastStone Image Viewer

2012-09-19 04:18 . 2012-09-19 04:19 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2012-09-19 02:04 . 2006-12-08 16:02 251672 ----a-w- c:\windows\SysWow64\xactengine2_5.dll

2012-09-19 01:53 . 2012-09-19 01:53 -------- d-----w- c:\program files (x86)\Common Files\Skype

2012-09-19 01:53 . 2012-09-19 01:53 -------- d-----r- c:\program files (x86)\Skype

2012-09-19 01:53 . 2012-09-19 01:53 -------- d-----w- c:\programdata\Skype

2012-09-19 00:57 . 2012-09-19 00:57 419840 ----a-w- c:\windows\system32\wrap_oal.dll

2012-09-19 00:57 . 2012-09-19 00:57 413696 ----a-w- c:\windows\SysWow64\wrap_oal.dll

2012-09-19 00:57 . 2012-09-19 00:57 133632 ----a-w- c:\windows\system32\OpenAL32.dll

2012-09-19 00:57 . 2012-09-19 00:57 110592 ----a-w- c:\windows\SysWow64\OpenAL32.dll

2012-09-19 00:57 . 2009-04-02 15:33 2873820 ------w- c:\windows\SysWow64\Sens_oal.dll

2012-09-19 00:24 . 2012-09-19 00:24 -------- d-----w- c:\program files (x86)\Microsoft.NET

2012-09-19 00:16 . 2012-09-19 00:16 -------- d-----w- c:\program files (x86)\MSXML 4.0

2012-09-19 00:15 . 2012-09-19 00:56 -------- d-----w- c:\program files (x86)\Common Files\Steam

2012-09-19 00:14 . 2012-09-20 00:32 -------- d-----w- c:\program files (x86)\Steam

2012-09-19 00:10 . 2003-06-13 03:25 7062 ----a-w- c:\windows\SysWow64\audiopid.vxd

2012-09-19 00:09 . 2012-09-19 00:09 -------- d-----w- c:\program files (x86)\Common Files\Creative

2012-09-19 00:09 . 2012-09-19 00:58 -------- d--h--w- c:\program files (x86)\Creative Installation Information

2012-09-19 00:09 . 2009-04-02 15:38 1908736 ------w- c:\windows\system32\Sens_oal.dll

2012-09-19 00:08 . 2012-09-19 00:08 -------- d-----w- c:\program files (x86)\Common Files\Creative Labs Shared

2012-09-19 00:08 . 2012-09-19 00:58 -------- d-----w- c:\program files\Creative

2012-09-19 00:07 . 2012-09-19 00:56 -------- d-----w- c:\programdata\Creative

2012-09-19 00:07 . 2009-03-26 18:48 190976 ----a-w- c:\windows\system32\APOMgr64.DLL

2012-09-19 00:07 . 2009-03-26 18:46 148480 ----a-w- c:\windows\SysWow64\APOMngr.DLL

2012-09-19 00:07 . 2009-02-06 22:53 89088 ----a-w- c:\windows\system32\CmdRtr64.DLL

2012-09-19 00:07 . 2009-02-06 22:52 73728 ----a-w- c:\windows\SysWow64\CmdRtr.DLL

2012-09-19 00:06 . 2012-09-19 00:56 -------- d-----w- c:\program files (x86)\Creative

2012-09-19 00:06 . 2005-06-15 15:09 10752 ----a-w- c:\windows\system32\INRES.DLL

2012-09-19 00:06 . 2005-06-15 15:07 11264 ----a-w- c:\windows\SysWow64\INRES.DLL

2012-09-19 00:06 . 2012-09-19 00:06 -------- d-----w- c:\programdata\WEBREG

2012-09-19 00:06 . 2009-07-14 01:41 257024 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpzppw72.dll

2012-09-19 00:04 . 2012-09-19 00:04 -------- d-----w- c:\programdata\HP Product Assistant

2012-09-18 23:42 . 2012-09-18 23:42 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard

2012-09-18 23:42 . 2012-09-18 23:42 -------- d-----w- c:\program files (x86)\Common Files\HP

2012-09-18 23:41 . 2012-09-18 23:43 -------- d-----w- c:\program files (x86)\HP

2012-09-18 23:40 . 2012-09-19 00:06 -------- d-----w- c:\programdata\HP

2012-09-18 23:40 . 2009-07-08 10:51 966656 ----a-w- c:\windows\system32\hposwia_p01a.dll

2012-09-18 23:40 . 2009-07-08 10:51 642360 ----a-w- c:\windows\system32\hpzids40.dll

2012-09-18 23:40 . 2009-07-08 10:51 551424 ----a-w- c:\windows\system32\hppldcoi.dll

2012-09-18 23:40 . 2009-07-08 10:51 512512 ----a-w- c:\windows\system32\hposc_p01a.dll

2012-09-18 23:40 . 2009-07-08 10:51 1411584 ----a-w- c:\windows\system32\hpost_p01a.dll

2012-09-18 23:00 . 2010-11-20 09:03 3584 ----a-w- c:\windows\system32\drivers\en-US\vpchbus.sys.mui

2012-09-18 22:57 . 2012-09-18 22:58 -------- d-----w- c:\program files\Windows XP Mode

2012-09-18 22:44 . 2007-05-07 22:19 85504 ----a-w- c:\windows\SysWow64\DeathAdder64.cpl

2012-09-18 22:44 . 2010-10-01 04:16 13312 ----a-w- c:\windows\system32\drivers\VKbms.sys

2012-09-18 22:44 . 2010-09-30 00:45 6656 ----a-w- c:\windows\system32\drivers\hidkmdf.sys

2012-09-18 22:44 . 2010-03-23 20:37 12032 ----a-w- c:\windows\system32\drivers\danew.sys

2012-09-18 22:44 . 2012-09-18 22:44 -------- d-----w- c:\program files (x86)\Razer

2012-09-18 21:43 . 2012-08-23 00:58 112640 ----a-w- c:\windows\SysWow64\ff_vfw.dll

2012-09-18 21:43 . 2012-08-23 00:56 47616 ----a-w- c:\windows\SysWow64\ff_acm.acm

2012-09-18 21:43 . 2012-09-18 21:43 -------- d-----w- c:\program files (x86)\ffdshow

2012-09-18 21:41 . 2012-09-18 21:41 -------- d-----w- c:\program files (x86)\Haali

2012-09-18 21:39 . 2012-09-18 21:39 -------- d-----w- c:\program files (x86)\LAV Filters

2012-09-18 18:46 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys

2012-09-18 18:46 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys

2012-09-18 18:45 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-09-18 18:45 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys

2012-09-18 18:45 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2012-09-18 18:45 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll

2012-09-18 18:45 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll

2012-09-18 18:10 . 2012-09-18 18:10 73136 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-18 18:10 . 2012-09-18 18:10 696240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-09-18 18:10 . 2012-09-18 18:10 -------- d-----w- c:\windows\SysWow64\Macromed

2012-09-18 18:10 . 2012-09-18 18:10 -------- d-----w- c:\windows\system32\Macromed

2012-09-18 18:08 . 2012-08-28 05:49 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{162B6E4E-ED5C-40AC-981A-58443699DF5D}\mpengine.dll

2012-09-18 18:06 . 2012-09-18 18:06 -------- d-----w- c:\windows\system32\SPReview

2012-09-18 18:05 . 2012-09-18 18:05 -------- d-----w- c:\windows\system32\EventProviders

2012-09-18 18:03 . 2010-11-20 13:26 1632256 ----a-w- c:\windows\system32\dwmcore.dll

2012-09-18 18:02 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll

2012-09-18 18:02 . 2010-11-20 12:21 189952 ----a-w- c:\program files (x86)\Windows Portable Devices\sqmapi.dll

2012-09-18 18:02 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll

2012-09-18 18:01 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll

2012-09-18 18:01 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll

2012-09-18 18:01 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll

2012-09-18 17:52 . 2012-09-18 17:52 -------- d-----w- c:\program files\7-Zip

2012-09-18 16:57 . 2012-09-19 23:52 -------- d-sh--w- c:\windows\Installer

2012-09-18 16:57 . 2012-09-18 17:25 -------- d-----w- c:\programdata\NVIDIA

2012-09-18 16:57 . 2012-08-30 16:18 891240 ----a-w- c:\windows\system32\nvvsvc.exe

2012-09-18 16:57 . 2012-08-30 16:18 63336 ----a-w- c:\windows\system32\nvshext.dll

2012-09-18 16:57 . 2012-08-30 16:18 118120 ----a-w- c:\windows\system32\nvmctray.dll

2012-09-18 16:57 . 2012-08-30 16:18 3487434 ----a-w- c:\windows\system32\nvcoproc.bin

2012-09-18 16:57 . 2012-08-30 16:18 3266920 ----a-w- c:\windows\system32\nvsvc64.dll

2012-09-18 16:57 . 2012-08-30 16:17 6198120 ----a-w- c:\windows\system32\nvcpl.dll

2012-09-18 16:57 . 2012-08-30 19:14 60776 ----a-w- c:\windows\system32\OpenCL.dll

2012-09-18 16:57 . 2012-08-30 19:14 52584 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-09-18 16:57 . 2012-09-18 16:57 -------- d-----w- c:\programdata\NVIDIA Corporation

2012-09-18 16:57 . 2012-09-18 17:25 -------- d-----w- c:\program files (x86)\NVIDIA Corporation

2012-09-18 16:55 . 2012-09-18 17:25 -------- d-----w- c:\program files\NVIDIA Corporation

2012-09-18 16:54 . 2012-09-18 16:54 -------- d-----w- C:\NVIDIA

2012-09-18 08:18 . 2012-09-18 04:25 -------- d-----w- c:\windows\Panther

2012-09-18 06:30 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll

2012-09-18 06:30 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-09-18 06:30 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-09-18 06:30 . 2012-09-18 06:30 -------- d-----w- c:\programdata\Malwarebytes

2012-09-18 06:23 . 2012-09-18 06:23 -------- d-----w- c:\windows\SysWow64\Wat

2012-09-18 06:23 . 2012-09-18 06:23 -------- d-----w- c:\windows\system32\Wat

2012-09-18 05:12 . 2012-09-18 05:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-09-18 05:06 . 2012-08-31 04:43 64462936 ----a-w- c:\windows\system32\MRT.exe

2012-09-18 05:03 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-09-18 05:03 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll

2012-09-18 05:03 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll

2012-09-18 05:03 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll

2012-09-18 05:03 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2012-09-18 05:03 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll

2012-09-18 05:03 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll

2012-09-18 04:59 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll

2012-09-18 04:58 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll

2012-09-18 04:57 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll

2012-09-18 04:57 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll

2012-09-18 04:57 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys

2012-09-18 04:51 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll

2012-09-18 04:51 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll

2012-09-18 04:51 . 2011-02-18 10:51 31232 ----a-w- c:\windows\system32\prevhost.exe

2012-09-18 04:51 . 2011-02-18 05:39 31232 ----a-w- c:\windows\SysWow64\prevhost.exe

2012-09-18 04:51 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll

2012-09-18 04:51 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll

2012-09-18 04:51 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-18 04:51 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-09-18 04:50 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-18 18:27 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2012-09-18 18:27 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-09-19 1353080]

"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2012-09-09 3524032]

"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]

"DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]

"P17RunE"="P17RunE.dll" [2008-03-28 14848]

"Microsoft Corporation Search Indexer"="c:\windows\system32\lsass.exe" [2012-09-09 32256]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-09-19 79360]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-11-20 16384]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-09-18 1255736]

S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]

S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2012-08-02 158944]

S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [2009-10-13 61440]

S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-03-23 12032]

S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [2010-10-01 13312]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]

@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"

[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]

2012-02-08 00:49 23432 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-03-27 12459112]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm

IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm

TCP: DhcpNameServer = 192.168.1.1

DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab

FF - ProfilePath - c:\users\Arya\AppData\Roaming\Mozilla\Firefox\Profiles\kkdqri70.default-1348016445399\

FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-Microsoft Corporation Search Indexer - c:\users\Arya\AppData\Roaming\lsass.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe

.

**************************************************************************

.

Completion time: 2012-09-19 20:47:49 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-20 00:47

.

Pre-Run: 23,606,964,224 bytes free

Post-Run: 25,926,258,688 bytes free

.

- - End Of File - - 04F79462920FF685EDF4FB2741C2DEC2

From what I see, lsass.exe was created right before Internet Download Manager, which I think has the trojan. Combofix however screws up my system somehow (puts random folders in places, stops my internet from functioning and starts displaying $RECYCLE.BIN folders in my drives, which I am hesitant to delete). So I did a restore point ($RECYCLE.BIN is still there though) and installed Malwarebytes. The following two logs are from the scans:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.20.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Arya :: PERSIA [administrator]

19/09/2012 9:25:20 PM

mbam-log-2012-09-19 (21-25-20).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 197239

Time elapsed: 1 minute(s), 58 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft Corporation Search Indexer (Trojan.Delf) -> Data: "C:\Users\Arya\AppData\Roaming\lsass.exe" -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft Corporation Search Indexer (Trojan.Agent) -> Data: "C:\Windows\system32\lsass.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Users\Arya\AppData\Roaming\lsass.exe (Trojan.Delf) -> Quarantined and deleted successfully.

C:\Users\Arya\AppData\Local\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files (x86)\Common Files\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.20.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Arya :: PERSIA [administrator]

19/09/2012 9:28:02 PM

mbam-log-2012-09-19 (21-28-02).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 418491

Time elapsed: 32 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Going to do a quickscan now.

Link to post
Share on other sites

I uploaded the lsass.exe (C:\Windows\SysWOW64\lsass.exe) to virustotal for a scan: https://www.virustotal.com/file/5733db5597d48b6e0a573e25b856455bb7f5ca17cf06f51bee109a8a0adaf27b/analysis/1348108329/

SHA256: 5733db5597d48b6e0a573e25b856455bb7f5ca17cf06f51bee109a8a0adaf27b
SHA1: 3e98503d45b59936493fb795f447eb65efabb62d
MD5: ede7875e5237fe99b729ee4ea66885a4
File size: 31.5 KB ( 32256 bytes )
File name: lsass.exe
File type: Win32 EXE
Detection ratio: 21 / 43
Analysis date: 2012-09-20 02:32:09 UTC ( 0 minutes ago )

Antivirus              Result                              Update
Agnitum                -                                   20120919
AhnLab-V3              -                                   20120919
AntiVir                TR/Kazy.90857.2                     20120920
Antiy-AVL              -                                   20120911
Avast                  MSIL:Downloader-GA [Trj]            20120920
AVG                    Generic29.BAEA                      20120920
BitDefender            Gen:Variant.Kazy.90857              20120920
ByteHero               -                                   20120919
CAT-QuickHeal          -                                   20120918
ClamAV                 -                                   20120919
Commtouch              -                                   20120920
Comodo                 UnclassifiedMalware                 20120920
DrWeb                  -                                   20120920
Emsisoft               Backdoor.MSIL!IK                    20120919
eSafe                  -                                   20120919
ESET-NOD32             -                                   20120919
F-Prot                 -                                   20120920
F-Secure               Gen:Variant.Kazy.90857              20120920
Fortinet               W32/Jorik_Arcdoor.BDA!tr            20120920
GData                  Gen:Variant.Kazy.90857              20120920
Ikarus                 Backdoor.MSIL                       20120920
Jiangmin               -                                   20120919
K7AntiVirus            Trojan                              20120919
Kaspersky              Trojan.Win32.Jorik.Arcdoor.bda      20120920
Kingsoft               -                                   20120918
McAfee                 Artemis!EDE7875E5237                20120920
McAfee-GW-Edition      Artemis!EDE7875E5237                20120919
Microsoft              -                                   20120920
Norman                 W32/Suspicious_Gen4.BBZJR           20120918
nProtect               -                                   20120919
Panda                  Trj/OCJ.A                           20120919
PCTools                -                                   20120920
Rising                 -                                   20120919
Sophos                 -                                   20120920
SUPERAntiSpyware       Trojan.Agent/Gen-Falint             20120911
Symantec               -                                   20120920
TheHacker              -                                   20120918
TotalDefense           -                                   20120919
TrendMicro             TROJ_SPNR.07II12                    20120920
TrendMicro-HouseCall   TROJ_SPNR.07II12                    20120920
VBA32                  Trojan.Jorik.Arcdoor.bda            20120919
VIPRE                  Trojan.Win32.Generic!BT             20120920
ViRobot                -                                   20120919

Link to post
Share on other sites

The file is infected and has to be replaced, CF didn't do that.

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    lsass.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC

Link to post
Share on other sites

SystemLook 30.07.11 by jpshortstuff

Log created at 22:45 on 19/09/2012 by Arya

Administrator - Elevation successful

========== Filefind ==========

Searching for "lsass.exe"

C:\Windows\System32\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [06:33 17/11/2011] C118A82CD78818C29AB228366EBF81C3

C:\Windows\SysWOW64\lsass.exe ---h--- 32256 bytes [23:34 19/09/2012] [01:45 09/09/2012] EDE7875E5237FE99B729EE4EA66885A4

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.16385_none_023f7c69767c3edd\lsass.exe --a---- 31232 bytes [23:20 13/07/2009] [01:39 14/07/2009] 0793F40B9B8A1BDD266296409DBD91EA

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.16484_none_023e7e05767d22ad\lsass.exe --a---- 31232 bytes [23:20 13/07/2009] [01:39 14/07/2009] 0793F40B9B8A1BDD266296409DBD91EA

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.16915_none_028b374176436a30\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [07:05 17/11/2011] 156F6159457D0AA7E59B62681B56EB90

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_02756f8b7653d554\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [07:05 17/11/2011] 156F6159457D0AA7E59B62681B56EB90

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.20594_none_02bd4ae48fa2de68\lsass.exe --a---- 31232 bytes [23:20 13/07/2009] [01:39 14/07/2009] 0793F40B9B8A1BDD266296409DBD91EA

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.21092_none_02bb2a0a8fa4d398\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [06:42 17/11/2011] D21BD47E528CD62E79311FB5DF0150E6

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.21225_none_0309de288f695654\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [05:30 02/06/2012] BF63CE11A25F3509129888710D5111FC

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277\lsass.exe --a---- 31232 bytes [23:20 13/07/2009] [01:39 14/07/2009] 0793F40B9B8A1BDD266296409DBD91EA

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17725_none_0466c45b7371f20d\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [06:33 17/11/2011] C118A82CD78818C29AB228366EBF81C3

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_044756c773895c5e\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [06:33 17/11/2011] C118A82CD78818C29AB228366EBF81C3

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.21861_none_04c1204e8cb39c3f\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [06:20 17/11/2011] 0A10B74FBB437FF9A23F1D5DE4446A83

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.22010_none_04f609a88c8c279c\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [07:51 04/06/2012] 79C908CAA6F43021EB05F4C733A927D1

-= EOF =-

Link to post
Share on other sites
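As an added example, not part of this thread or of SystemLook, here is a small Python triage script that applies to the Filefind output above the checks MrC's verdict rests on: on x64 Windows the only live copy of lsass.exe is C:\Windows\System32\lsass.exe, it is not hidden, and its hash matches one of the servicing copies in the WinSxS component store. The embedded sample is an excerpt of the log above; the location, attribute and hash rules are this script's own assumptions, not SystemLook's.

```python
import re
from dataclasses import dataclass

# One SystemLook ":Filefind" result line looks like:
#   <path> <attrs> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Excerpt of the SystemLook log posted above (four of the thirteen hits).
SAMPLE_LOG = """
C:\\Windows\\System32\\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [06:33 17/11/2011] C118A82CD78818C29AB228366EBF81C3
C:\\Windows\\SysWOW64\\lsass.exe ---h--- 32256 bytes [23:34 19/09/2012] [01:45 09/09/2012] EDE7875E5237FE99B729EE4EA66885A4
C:\\Windows\\winsxs\\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17725_none_0466c45b7371f20d\\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [06:33 17/11/2011] C118A82CD78818C29AB228366EBF81C3
C:\\Windows\\winsxs\\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.22010_none_04f609a88c8c279c\\lsass.exe --a---- 31232 bytes [05:00 18/09/2012] [07:51 04/06/2012] 79C908CAA6F43021EB05F4C733A927D1
"""

@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    md5: str

def parse_filefind(log: str) -> list:
    """Parse Filefind result lines; non-matching lines (headers, EOF) are skipped."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]), m["md5"].upper()))
    return hits

def triage(hits: list) -> dict:
    """Flag copies outside WinSxS that break our expectations for a genuine lsass.exe:
    only System32 holds a live copy, it is not hidden, and its MD5 matches a
    component-store copy (assumptions of this script, see lead-in)."""
    known = {h.md5 for h in hits if "\\winsxs\\" in h.path.lower()}
    findings = {}
    for h in hits:
        p = h.path.lower()
        if "\\winsxs\\" in p:
            continue  # component-store copies are the reference set, not suspects
        reasons = []
        if p != "c:\\windows\\system32\\lsass.exe":
            reasons.append("unexpected location")
        if "h" in h.attrs:
            reasons.append("hidden attribute")
        if h.md5 not in known:
            reasons.append("hash not in component store")
        if reasons:
            findings[h.path] = reasons
    return findings
```

Run against the full log the same way; only the SysWOW64 copy trips all three rules, which is the file the next reply has ComboFix replace.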

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

FCopy::

C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.22010_none_04f609a88c8c279c\lsass.exe | C:\Windows\SysWOW64\lsass.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC (gone for tonight be back in am)

Link to post
Share on other sites

Hey, I did what you asked. But once again Combofix stopped my internet from functioning (I tried uninstalling my network driver and whatever I could find on Google, via phone; nothing worked) and messed around with my settings once again. I just went ahead and reformatted again :/ Since I know what was causing the infection, hopefully this time everything will be fine. Sorry for the trouble and thanks!

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
