Jump to content

2- Explorer.exe High Mem, High CPU


oddie121
 Share

Recommended Posts

Hi,
I've got a system that keeps running multiple Explorer.exe's (specifically 2). Uses all available Memory and CPU Previously it had some virus's removed from it. I see it creating multiple connections out to the internet (DD-WRT is showing about 1,000-2,000) at times. The computer slows to a crawl. Ending task on the rouge explorer.exe simply pops up after a few min. I've ran combofix, adwcleaner, TDSKiller, System is running AVG Business, Malwarebytes free, Malwarebytes anti-rootkid, and RogueKiller. Temp files were cleared, SFC /scannow ran.  Here is the Farbar report. Also attached additional.txt from Farbar and Combix log after running clearJavaCache. Your assistance in this is appricated :).

 

 

--------------------------FRST.txt------------------------------

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-11-2014 01
Ran by nwitkowski (administrator) on NANCY2 on 25-11-2014 13:39:29
Running from \\server12\support$\Installs\MalwareTools
Loaded Profiles: <DomainUser> &  (Available profiles:<DomainUser> & Administrator & <localUser> & <LocalUser2>)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.wireshark.org)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-260401117-2913636678-2054379164-1175-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\p2pcollab.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-260401117-2913636678-2054379164-1175_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\p2pcollab.dll (Microsoft Corporation)

==================== Restore Points  =========================

18-11-2014 15:25:18 Installed TightVNC
18-11-2014 20:16:55 Dell Updates
18-11-2014 20:26:31 Dell Updates
18-11-2014 23:51:54 Dell Updates
18-11-2014 23:53:12 Installed Realtek Ethernet Controller All-In-One Windows Driver
19-11-2014 00:17:39 Windows Update
20-11-2014 09:00:12 Windows Update
25-11-2014 09:00:11 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:34 - 2014-11-25 12:35 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0C99879C-D5E9-478F-8C83-45F12C4833FA} - System32\Tasks\{49504E78-8FA4-4CB1-9F66-881BF42FB98C} => M:\empire\programs\nempmain.exe [2012-08-20] ()
Task: {528B9845-8D06-4DD8-B3B6-3F4F2D9AB8BF} - System32\Tasks\Amazon Music Helper => C:\Users\nwitkowski\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [2014-01-14] ()
Task: {61852FA1-40F3-42F9-9E4A-3D432C3E6E10} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16] (Google Inc.)
Task: {73321DFF-F02A-4164-A5EC-872ADB640BEA} - \BackgroundContainer Startup Task No Task File <==== ATTENTION
Task: {9FE2D938-1414-416C-B54B-6929668F802E} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {A2770A32-7B70-4631-8CD3-E78CC8F327B0} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16] (Google Inc.)
Task: {EEDD65B3-8E23-49DA-969F-57AD7287294E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {FA43C149-213A-4E95-98FF-A6361D296301} - System32\Tasks\Dell\Client System Update => C:\Program Files (x86)\Dell\ClientSystemUpdate\DellClientSystemUpdate.exe [2012-10-11] (Dell Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2011-02-18 18:36 - 2011-02-18 18:36 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2010-08-26 16:12 - 2010-08-26 16:12 - 00016384 ____R () c:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll
2014-07-31 11:16 - 2014-07-31 11:16 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-31 11:16 - 2014-07-31 11:16 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe Acrobat Speed Launcher => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
MSCONFIG\startupreg: Adobe Acrobat Synchronizer => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Amazon Cloud Player => "C:\Users\nwitkowski\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: DBRMTray => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: PDVD9LanguageShortcut => "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
MSCONFIG\startupreg: RemoteControl9 => "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

========================= Accounts: ==========================

Administrator (S-1-5-21-3992961909-2664608981-1086464681-500 - Administrator - Disabled)
Guest (S-1-5-21-3992961909-2664608981-1086464681-501 - Limited - Disabled)
<LocalUser> (S-1-5-21-3992961909-2664608981-1086464681-1000 - Administrator - Enabled) => C:\Users\<localuser>
<DomainUser> (S-1-5-21-3992961909-2664608981-1086464681-1001 - Administrator - Enabled) => C:\Users\<domainUser>

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/25/2014 00:44:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/25/2014 00:19:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/25/2014 00:07:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc000041d
Fault offset: 0x0000000000053290
Faulting process id: 0xe24
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (11/25/2014 00:07:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000005
Fault offset: 0x0000000000053290
Faulting process id: 0xe24
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (11/25/2014 11:47:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000374
Fault offset: 0x00000000000c4102
Faulting process id: 0x1be8
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (11/25/2014 10:54:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000374
Fault offset: 0x00000000000c4102
Faulting process id: 0x444
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (11/24/2014 09:56:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/24/2014 09:37:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/24/2014 02:19:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/24/2014 01:47:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (11/25/2014 01:23:09 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (11/25/2014 01:20:57 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (11/25/2014 00:55:58 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (11/25/2014 00:54:00 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (11/25/2014 00:45:49 PM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{36CE2412-C11C-4BE8-AAD0-0F7DAA9FFADA}.
The backup browser is stopping.

Error: (11/25/2014 00:44:36 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (11/25/2014 00:43:44 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (11/25/2014 00:35:50 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (11/25/2014 00:35:19 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (11/25/2014 00:33:39 PM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{36CE2412-C11C-4BE8-AAD0-0F7DAA9FFADA}.
The backup browser is stopping.


Microsoft Office Sessions:
=========================
Error: (11/25/2014 00:44:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/25/2014 00:19:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/25/2014 00:07:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c000041d0000000000053290e2401d008d7e848cce5C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dllee2f9800-74cd-11e4-8222-d4bed9bb7972

Error: (11/25/2014 00:07:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c00000050000000000053290e2401d008d7e848cce5C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dlle9d80478-74cd-11e4-8222-d4bed9bb7972

Error: (11/25/2014 11:47:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c000037400000000000c41021be801d008d0829935bfC:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dll1797dba5-74cb-11e4-8222-d4bed9bb7972

Error: (11/25/2014 10:54:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Explorer.EXE6.1.7601.175674d672ee4ntdll.dll6.1.7601.18247521eaf24c000037400000000000c410244401d008b77288b240C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dllb96de397-74c3-11e4-8222-d4bed9bb7972

Error: (11/24/2014 09:56:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/24/2014 09:37:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/24/2014 02:19:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/24/2014 01:47:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2014-11-25 12:35:19.603
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-11-25 12:35:19.588
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-11-18 09:25:02.318
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-29 00:07:53.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-28 23:59:00.592
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-28 23:34:50.077
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-28 23:25:02.989
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-28 23:16:47.421
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-28 23:06:02.116
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-28 22:25:16.398
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Pentium® CPU G850 @ 2.90GHz
Percentage of memory in use: 41%
Total physical RAM: 4069.06 MB
Available physical RAM: 2391.34 MB
Total Pagefile: 8136.3 MB
Available Pagefile: 5953.55 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:220.59 GB) (Free:159.43 GB) NTFS
Drive m: (DATAPART1) (Network) (Total:847.46 GB) (Free:692.82 GB) NTFS
Drive s: (DATAPART1) (Network) (Total:847.46 GB) (Free:692.82 GB) NTFS
Drive t: (DATAPART1) (Network) (Total:847.46 GB) (Free:692.82 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 232.9 GB) (Disk ID: 95A2D1A7)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=220.6 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

----------------------End Additonal.txt-------------------------------

 

----------------------Combofix.txt----------------------------------

ComboFix 14-11-25.01 - nwitkowski 11/25/2014  13:16:32.3.2 - x64
Running from: c:\users\nwitkowski\Downloads\ComboFix.exe
Command switches used :: c:\users\nwitkowski\Downloads\CFScript.txt
AV: AVG Internet Security Business Edition *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Internet Security Business Edition *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-25 to 2014-11-25  )))))))))))))))))))))))))))))))
.
.
2014-11-25 19:23 . 2014-11-25 19:23    --------    d-----w-    c:\users\<DomainUser>\AppData\Local\temp
2014-11-25 19:23 . 2014-11-25 19:23    --------    d-----w-    c:\users\<localuser>\AppData\Local\temp
2014-11-25 19:23 . 2014-11-25 19:23    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-11-25 19:23 . 2014-11-25 19:23    --------    d-----w-    c:\users\administrator\AppData\Local\temp
2014-11-25 03:33 . 2014-11-25 03:32    4184008    ----a-w-    C:\TDSSKiller.exe
2014-11-24 20:28 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\SysWow64\DWrite.dll
2014-11-24 20:28 . 2013-04-02 22:51    1643520    ----a-w-    c:\windows\system32\DWrite.dll
2014-11-19 17:22 . 2014-11-19 17:22    --------    d-----w-    c:\users\nwitkowski\AppData\Roaming\Wireshark
2014-11-19 17:19 . 2014-11-19 17:19    --------    d-----w-    c:\program files (x86)\WinPcap
2014-11-19 17:18 . 2014-11-19 17:19    --------    d-----w-    c:\program files\Wireshark
2014-11-19 00:17 . 2014-11-11 03:08    241152    ----a-w-    c:\windows\system32\pku2u.dll
2014-11-19 00:17 . 2014-11-11 03:08    728064    ----a-w-    c:\windows\system32\kerberos.dll
2014-11-19 00:17 . 2014-11-11 02:44    186880    ----a-w-    c:\windows\SysWow64\pku2u.dll
2014-11-19 00:17 . 2014-11-11 02:44    550912    ----a-w-    c:\windows\SysWow64\kerberos.dll
2014-11-18 23:53 . 2012-07-16 23:28    74344    ----a-w-    c:\windows\system32\RtNicProp64.dll
2014-11-18 23:53 . 2012-07-16 23:28    685672    ----a-w-    c:\windows\system32\drivers\Rt64win7.sys
2014-11-18 23:53 . 2014-11-18 23:53    --------    d-----w-    c:\program files (x86)\Realtek
2014-11-18 23:52 . 2011-09-22 06:19    56600    ----a-w-    c:\windows\system32\drivers\HECIx64.sys
2014-11-18 20:34 . 2014-11-18 20:34    --------    d-----w-    c:\windows\{69093D49-3DD1-4FB5-A378-0D4DB4CF86EA}
2014-11-18 20:17 . 2011-04-16 12:00    53248    ----a-w-    c:\windows\SysWow64\CSVer.dll
2014-11-18 19:34 . 2014-11-18 19:34    0    ----a-w-    c:\windows\invcol.tmp
2014-11-18 19:33 . 2014-11-18 20:17    --------    d-----w-    c:\users\<Domainuser>\AppData\Local\Dell
2014-11-18 15:25 . 2014-11-18 15:25    --------    d-----w-    c:\program files\TightVNC
2014-11-18 15:25 . 2014-11-18 15:25    --------    d-----w-    c:\programdata\TightVNC
2014-11-12 13:19 . 2014-11-12 13:19    --------    d-sh--w-    c:\users\nwitkowski\AppData\Local\EmieBrowserModeList
2014-11-12 02:42 . 2014-11-05 17:56    304640    ----a-w-    c:\windows\system32\generaltel.dll
2014-11-12 02:42 . 2014-11-05 17:56    228864    ----a-w-    c:\windows\system32\aepdu.dll
2014-11-12 02:42 . 2014-11-05 17:52    424448    ----a-w-    c:\windows\system32\aeinv.dll
2014-11-12 02:42 . 2014-10-14 02:16    155064    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2014-11-12 02:42 . 2014-10-14 02:13    683520    ----a-w-    c:\windows\system32\termsrv.dll
2014-11-12 02:42 . 2014-10-14 02:12    1460736    ----a-w-    c:\windows\system32\lsasrv.dll
2014-11-12 02:42 . 2014-10-14 02:09    146432    ----a-w-    c:\windows\system32\msaudite.dll
2014-11-12 02:42 . 2014-10-14 02:07    681984    ----a-w-    c:\windows\system32\adtschema.dll
2014-11-12 02:42 . 2014-10-14 01:50    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
2014-11-12 02:42 . 2014-10-14 01:49    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
2014-11-12 02:42 . 2014-10-14 01:47    146432    ----a-w-    c:\windows\SysWow64\msaudite.dll
2014-11-12 02:42 . 2014-10-14 01:46    681984    ----a-w-    c:\windows\SysWow64\adtschema.dll
2014-11-12 02:40 . 2014-08-21 06:43    1882624    ----a-w-    c:\windows\system32\msxml3.dll
2014-11-10 15:32 . 2014-11-10 15:32    --------    d-----w-    c:\users\<DomainUser>\AppData\Roaming\ImageRight
2014-11-10 15:06 . 2014-11-25 18:07    --------    d-----w-    c:\users\<DomainUser>\AppData\Local\CrashDumps
2014-11-10 13:51 . 2014-11-10 13:51    --------    d-----w-    c:\users\<DomainUser>\AppData\Local\Vertafore,_Inc
2014-11-07 23:16 . 2014-11-07 23:16    --------    d-----w-    c:\program files (x86)\Common Files\BCL Technologies
2014-11-07 23:16 . 2014-11-07 23:31    --------    d-----w-    c:\program files (x86)\ImageRight
2014-11-07 23:16 . 2014-11-07 23:16    --------    d-----w-    c:\program files\Common Files\BCL Technologies
2014-11-07 20:02 . 2014-11-07 23:15    --------    d-----w-    c:\program files (x86)\Belarc
2014-11-04 06:30 . 2014-11-04 06:30    209720    ----a-w-    c:\windows\system32\drivers\avgldx64.sys
2014-10-29 04:37 . 2014-10-29 04:42    --------    d-----w-    C:\AdwCleaner
2014-10-29 04:24 . 2014-10-29 04:24    37624    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-10-29 04:24 . 2014-10-29 04:24    --------    d-----w-    c:\programdata\RogueKiller
2014-10-29 02:08 . 2014-11-25 18:11    129752    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-29 02:07 . 2014-10-01 16:11    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-10-29 02:07 . 2014-10-01 16:11    93400    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-10-29 02:07 . 2014-10-01 16:11    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-10-29 02:07 . 2014-10-29 02:07    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-12 09:02 . 2012-02-24 19:16    103374192    ----a-w-    c:\windows\system32\MRT.exe
2014-10-17 21:34 . 2014-10-17 21:34    240952    ----a-w-    c:\windows\system32\drivers\avgtdia.sys
2014-09-25 02:08 . 2014-10-01 10:12    371712    ----a-w-    c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-01 10:12    519680    ----a-w-    c:\windows\SysWow64\qdvd.dll
2014-09-09 22:11 . 2014-09-23 22:04    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-23 22:04    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2014-09-05 02:11 . 2014-10-15 12:30    6584320    ----a-w-    c:\windows\system32\mstscax.dll
2014-09-05 01:52 . 2014-10-15 12:30    5703168    ----a-w-    c:\windows\SysWow64\mstscax.dll
2014-09-04 12:51 . 2014-09-04 12:51    55872    ----a-w-    c:\windows\system32\AdobePDF.dll
2014-09-04 12:50 . 2014-09-04 12:50    27208    ----a-w-    c:\windows\system32\AdobePDFUI.dll
2014-09-04 05:23 . 2014-10-15 12:31    424448    ----a-w-    c:\windows\system32\rastls.dll
2014-09-04 05:04 . 2014-10-15 12:31    372736    ----a-w-    c:\windows\SysWow64\rastls.dll
2014-09-03 13:58 . 2010-06-24 17:33    23256    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-29 02:07 . 2014-10-15 12:31    3179520    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-08-28 19:49 . 2014-08-28 19:49    699568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-08-28 19:49 . 2012-02-17 04:03    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-19 336384]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2014-11-04 4411952]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"="rmdir" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 bepldr7ImageRightService;ImageRight easyPDF SDK 7 Loader;c:\program files\Common Files\BCL Technologies\ImageRight7\bepldr.exe;c:\program files\Common Files\BCL Technologies\ImageRight7\bepldr.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys;c:\windows\SYSNATIVE\DRIVERS\netvsc60.sys [x]
R3 PEERNET Spooler Service;PEERNET Spooler Service;c:\windows\system32\spool\DRIVERS\x64\3\PNSvc8.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\PNSvc8.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys;c:\windows\SYSNATIVE\DRIVERS\VMBusVideoM.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe;c:\windows\SysWOW64\atashost.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 psqlCE;Pervasive PSQL Client Engine;c:\pvsw\bin\w3dbsmgr.exe;c:\pvsw\bin\w3dbsmgr.exe [x]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe;c:\program files\TightVNC\tvnserver.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-11-18 20:13    1087304    ----a-w-    c:\program files (x86)\Google\Chrome\Application\39.0.2171.65\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16 20:23]
.
2014-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-16 20:23]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2013-07-19 2179056]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/webhp?hl=en&tab=ww
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: atlanticcasualty.com
Trusted Zone: atlanticcasualty.net\aces
Trusted Zone: capitolindemnity.com\aqs
TCP: DhcpNameServer = 192.192.6.8 192.192.6.5 8.8.8.8
DPF: {D5375A5A-D55D-401F-8B12-EEA52FDBE2BE} - hxxps://co3.capitolindemnity.com/ocx/WydeWeb.cab
DPF: {E501A333-172D-429E-B759-BDE2781FA742} - hxxps://co3.capitolindemnity.com/wynsureprod/ocx/WydeWeb.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_176_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_176_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_176.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-11-25  13:25:21
ComboFix-quarantined-files.txt  2014-11-25 19:25
ComboFix2.txt  2014-11-25 18:57
ComboFix3.txt  2014-11-25 18:38
.
Pre-Run: 171,255,943,168 bytes free
Post-Run: 171,183,190,016 bytes free
.
- - End Of File - - 1551E47E2D4BD09B52709714CC4522E7
5C616939100B85E558DA92B899A0FC36

-----------------------------End Combofix.txt--------------------------------------

Link to post
Share on other sites

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
     
    
Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything unexpected happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
  warning.gif Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.
 
 
 
 

Download 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit to your desktop.

  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

 

 

 

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

Do you have explorer.exe problem in all user accounts?
 
 
 
FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

Link to post
Share on other sites

TDSSKiller_Kaspersky.png Scan with TDSSKiller
 
Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on TDSSKiller_Kaspersky.png
  • icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automaticaly. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.
  • If anything will be found follow this guidelines:
    • If a suspicious object is detected, the default action will be Skip, click on Continue.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
      If Cure is not available, please choose Skip instead.
    • Do not choose Delete unless instructed!
    A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

 

 

 

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

TwinHeadedEagle, I appricate that the tools all state its clean but i don't believe it is. As you can see from the attached picture / capture the additional expolrer.exe is from the same user name. No other users were logged in nor was i remoted to the system. As well, to do TDSKiller's module i had to reboot and the screen capture was done as soon as TDSKiller was done running. There's still a high connection amount out to the internet which leads me to believe something else is running the system up. The user even states it can run very slow at times, which i've seen, and other times runs correctly. As in my previous post with the netstat, it shows connections via http going to an address that when doing a who is shows up as a known site for malware. https://www.virustotal.com/en/ip-address/209.15.224.6/information/ .

Is there something else, other than the normal toolset, that can be run to see where all the connections are coming from or explorer.exe is using all the memory to? Or a tool that can relate the IPAddresses in use to a virus?

Link to post
Share on other sites

Alright, I believe i found the malware and got it resolved.

This article helped point me in the correct direction - http://www.solutionary.com/resource-center/blog/2012/12/hunting-malware-with-memory-analysis/

After searching on Shylock Trojan an article pointed me to Norton Power Ereaser https://security.symantec.com/nbrt/npe.aspx?lcid=1033or Microsoft Security Scanner http://www.microsoft.com/security/scanner/en-us/default.aspx

After running Norton Power Ereaser it found p2pcollab.dll to be malware and not in the correct location. I found it to not be in the correct loction upon doing searches for the file location on a known good machine and google.

post-178753-0-15704800-1417805367_thumb.

I did have to uncheck a bunch of the files above that were known "good" files. They were apart of a business program. I did this by clicking on each name under "risk" and reviewing the file location and what it thought the threat was. I left the AVG ones to remove as they were in the temp location and didn't seem to be doing any harm. Unpon the removal it stated that it failed to remove the p2pcollab.dll but upon inspecting further it simply failed to remove a couple of entries after the reboot.

Its now been running for a hour without starting additional (mulitple) explorer.exe. I've also reviewed Netstat and this is clean as well with no radom or rogue http connections. nestat2.txt

 

I'll watch it further and report back if it came back. However by now it would have already appeared.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.