Author Topic: Trojan.Ransom  (Read 5390 times)

brandon1 (Topic Starter, Newbie)

    • Experience: Experienced
    • OS: Windows 7
    Trojan.Ransom
    « on: November 19, 2012, 06:27:16 AM »
    Hello,

    I am running Windows 7 on an HP computer. Friday, I had an issue where I clicked a website and control of my computer was lost to an FBI hijack virus that showed the entire screen as a message and demanded a $200 ransom. I was able to start the computer in safe mode and get Malwarebytes installed, run a scan, and regain access to my computer via normal startup (log below). After reading this post, http://www.computerhope.com/forum/index.php?topic=133003.0, I ran ComboFix (log below). Now IE8 and most programs have to be run as administrator and I am getting the error "C:\program files\internet explorer\iexplorer.exe Illegal operation attempted on a registry key that has been marked for deletion." every time I try to open something. I'm not sure what the issue is, but I know the original Malwarebytes scan found an issue with HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsLoad, so I'm guessing it's related. Please let me know how to proceed so that the problem is permanently fixed.


    Thanks,
    Brandon


    ------------------MALWAREBYTES--------------------
    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.11.16.09

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Brandon Berger :: ABR6 [administrator]

    Protection: Disabled

    11/16/2012 2:42:44 PM
    mbam-log-2012-11-16 (14-42-44).txt

    Scan type: Full scan (C:\|D:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 309252
    Time elapsed: 15 minute(s), 49 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.Lameshield) -> Data: C:\Windows\Temp\temp59.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Micrcsoft Updater (Trojan.Ransom) -> Data: "c:\users\brandon berger\appdata\local\temp\tmp7b6e30cc\setex.exe" -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Bad: (C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr) Good: () -> Delete on reboot.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 16
    C:\Windows\Temp\temp59.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\tmp7b6e30cc\setex.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\Local Settings\Temp\msbfuwyv.scr (Trojan.Ransom) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\n (Trojan.0Access) -> Delete on reboot.
    C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Derivix\KeyGen.exe (Hacktool.Gen) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\0000f047.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\04d132db.exe (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\04d1a81a.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\D264.tmp (Trojan.Ransom) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\msbfuwyv.scr (Trojan.Ransom) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\msimg32.dll (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Local\Temp\msvyosq.com (Trojan.Ransom) -> Quarantined and deleted successfully.
    C:\Users\Brandon Berger\AppData\Roaming\C2D8A5\C2D8A5.exe (Trojan.Ransom) -> Quarantined and deleted successfully.

    (end)
    --------------------------------------

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.11.17.03

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Brandon Berger :: ABR6 [administrator]

    Protection: Enabled

    11/19/2012 7:28:59 AM
    mbam-log-2012-11-19 (07-28-59).txt

    Scan type: Flash scan
    Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: Registry | File System | P2P
    Objects scanned: 167149
    Time elapsed: 12 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    -----------------------------------

    2012/11/16 15:00:21 -0500   ABR6   (null)   MESSAGE   Executing scheduled update:  Daily
    2012/11/16 15:00:21 -0500   ABR6   (null)   ERROR   Scheduled update failed:  Host not found failed with error code 0
    2012/11/16 15:00:34 -0500   ABR6   Brandon Berger   MESSAGE   Starting protection
    2012/11/16 15:00:34 -0500   ABR6   Brandon Berger   MESSAGE   Protection started successfully
    2012/11/16 15:00:34 -0500   ABR6   Brandon Berger   MESSAGE   Starting IP protection
    2012/11/16 15:00:35 -0500   ABR6   Brandon Berger   MESSAGE   IP Protection started successfully
    2012/11/16 15:00:51 -0500   ABR6   Brandon Berger   DETECTION   C:\Users\Brandon Berger\AppData\Local\Temp\tmp45672668\setex.exe   Trojan.Ransom   QUARANTINE
    ----------------------------
    2012/11/17 11:17:42 -0500   ABR6   Brandon Berger   MESSAGE   Executing scheduled update:  Daily
    2012/11/17 11:17:47 -0500   ABR6   Brandon Berger   MESSAGE   Scheduled update executed successfully:  database updated from version v2012.11.16.09 to version v2012.11.17.03
    2012/11/17 11:17:47 -0500   ABR6   Brandon Berger   MESSAGE   Starting database refresh
    2012/11/17 11:17:47 -0500   ABR6   Brandon Berger   MESSAGE   Stopping IP protection
    2012/11/17 11:17:47 -0500   ABR6   Brandon Berger   MESSAGE   IP Protection stopped successfully
    2012/11/17 11:17:48 -0500   ABR6   Brandon Berger   MESSAGE   Database refreshed successfully
    2012/11/17 11:17:48 -0500   ABR6   Brandon Berger   MESSAGE   Starting IP protection
    2012/11/17 11:17:48 -0500   ABR6   Brandon Berger   MESSAGE   IP Protection started successfully
    ------------------------------------
    2012/11/19 07:27:56 -0500   ABR6   Brandon Berger   DETECTION   C:\Users\Brandon Berger\AppData\Local\Temp\tmp4a347af7\setex.exe   Trojan.Ransom   QUARANTINE
    2012/11/19 07:28:03 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57892, Process: ygdui.exe)
    2012/11/19 07:28:11 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57894, Process: ygdui.exe)
    2012/11/19 07:28:19 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57897, Process: ygdui.exe)
    2012/11/19 07:28:19 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57899, Process: ygdui.exe)
    2012/11/19 07:28:27 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57901, Process: ygdui.exe)
    2012/11/19 07:28:35 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57903, Process: ygdui.exe)
    2012/11/19 07:28:35 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57905, Process: ygdui.exe)
    2012/11/19 07:31:47 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57991, Process: ygdui.exe)
    2012/11/19 07:31:55 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 57999, Process: ygdui.exe)
    2012/11/19 07:31:55 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58001, Process: ygdui.exe)
    2012/11/19 07:32:03 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58002, Process: ygdui.exe)
    2012/11/19 07:32:03 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58003, Process: ygdui.exe)
    2012/11/19 07:36:36 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58301, Process: ygdui.exe)
    2012/11/19 07:36:44 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58303, Process: ygdui.exe)
    2012/11/19 07:36:52 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58305, Process: ygdui.exe)
    2012/11/19 07:36:52 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58307, Process: ygdui.exe)
    2012/11/19 07:37:00 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58309, Process: ygdui.exe)
    2012/11/19 07:38:04 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58352, Process: ygdui.exe)
    2012/11/19 07:38:12 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58353, Process: ygdui.exe)
    2012/11/19 07:38:20 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58356, Process: ygdui.exe)
    2012/11/19 07:38:20 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58358, Process: ygdui.exe)
    2012/11/19 07:38:28 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58359, Process: ygdui.exe)
    2012/11/19 07:44:29 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58404, Process: ygdui.exe)
    2012/11/19 07:44:29 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58405, Process: ygdui.exe)
    2012/11/19 07:44:37 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58406, Process: ygdui.exe)
    2012/11/19 07:44:45 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58407, Process: ygdui.exe)
    2012/11/19 07:44:45 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58408, Process: ygdui.exe)
    2012/11/19 07:45:01 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58410, Process: ygdui.exe)
    2012/11/19 07:45:01 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58412, Process: ygdui.exe)
    2012/11/19 07:45:09 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58414, Process: ygdui.exe)
    2012/11/19 07:45:18 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58416, Process: ygdui.exe)
    2012/11/19 07:45:18 -0500   ABR6   Brandon Berger   IP-BLOCK   87.255.51.229 (Type: outgoing, Port: 58418, Process: ygdui.exe)
    2012/11/19 07:51:01 -0500   ABR6   Brandon Berger   MESSAGE   Stopping protection
    2012/11/19 07:51:01 -0500   ABR6   Brandon Berger   MESSAGE   Protection stopped successfully
    2012/11/19 07:51:01 -0500   ABR6   Brandon Berger   MESSAGE   Stopping IP protection
    2012/11/19 07:51:01 -0500   ABR6   Brandon Berger   MESSAGE   IP Protection stopped successfully
    2012/11/19 08:02:37 -0500   ABR6   Brandon Berger   MESSAGE   Starting IP protection
    2012/11/19 08:02:38 -0500   ABR6   Brandon Berger   MESSAGE   IP Protection started successfully
    2012/11/19 08:02:38 -0500   ABR6   Brandon Berger   MESSAGE   Starting protection
    2012/11/19 08:02:38 -0500   ABR6   Brandon Berger   MESSAGE   Protection started successfully

    -------------END--------------------------------------


    ----COMBOFIX----------------
    ComboFix 12-11-16.02 - Brandon Berger 11/19/2012   7:51.1.8 - x64
    Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.12246.9749 [GMT -5:00]
    Running from: c:\users\Brandon Berger\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Thumbs.db
    c:\users\Brandon Berger\AppData\Local\Microsoft\Windows\Temporary Internet Files\{084D85CB-B75C-473F-A068-64CED5971E7F}.xps
    c:\users\Brandon Berger\AppData\Roaming\Awfe
    c:\users\Brandon Berger\AppData\Roaming\Awfe\ygdui.exe
    .
    .
    (((((((((((((((((((((((((   Files Created from 2012-10-19 to 2012-11-19  )))))))))))))))))))))))))))))))
    .
    .
    2012-11-19 12:53 . 2012-11-19 12:53   --------   d-----w-   c:\users\Default\AppData\Local\temp
    2012-11-19 12:46 . 2012-11-19 12:46   --------   d-----w-   c:\users\Brandon Berger\AppData\Local\WinZip
    2012-11-19 12:42 . 2012-09-25 04:16   95208   ----a-w-   c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-11-16 19:42 . 2012-11-16 19:42   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\Malwarebytes
    2012-11-16 19:42 . 2012-11-16 19:42   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-16 19:42 . 2012-11-16 19:42   --------   d-----w-   c:\programdata\Malwarebytes
    2012-11-16 19:42 . 2012-09-30 00:54   25928   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2012-11-16 19:07 . 2012-11-19 12:31   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\Raukqu
    2012-11-16 19:07 . 2012-11-16 19:07   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\Opveby
    2012-11-16 12:58 . 2012-11-16 12:59   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\Bloomberg
    2012-11-16 07:41 . 2012-10-12 07:19   9291768   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{2BCFA0AF-29AC-492D-A8AF-3BE0A51E4B67}\mpengine.dll
    2012-11-16 03:44 . 2012-11-16 20:17   --------   d-----w-   c:\users\Brandon Berger\AppData\Local\Bloomberg
    2012-11-15 21:52 . 2012-11-15 21:52   --------   d-----w-   c:\program files\Microsoft Mouse and Keyboard Center
    2012-11-15 20:04 . 2010-06-03 15:18   75776   ----a-w-   c:\windows\system32\drivers\ATTchWDF.sys
    2012-11-15 20:04 . 2009-06-12 19:11   1331200   ----a-w-   c:\windows\SysWow64\ATCPanel.cpl
    2012-11-15 20:04 . 2008-10-10 18:47   164864   ----a-w-   c:\windows\SysWow64\drivers\UNWISE.EXE
    2012-11-15 20:03 . 2012-11-15 20:08   --------   d-----w-   C:\blp
    2012-11-14 08:04 . 2012-07-26 04:55   785512   ----a-w-   c:\windows\system32\drivers\Wdf01000.sys
    2012-11-14 08:04 . 2012-07-26 04:55   54376   ----a-w-   c:\windows\system32\drivers\WdfLdr.sys
    2012-11-14 08:04 . 2012-07-26 04:47   2560   ----a-w-   c:\windows\system32\drivers\en-US\wdf01000.sys.mui
    2012-11-14 08:04 . 2012-07-26 02:36   9728   ----a-w-   c:\windows\system32\Wdfres.dll
    2012-11-14 08:00 . 2012-07-26 03:08   84992   ----a-w-   c:\windows\system32\WUDFSvc.dll
    2012-11-14 08:00 . 2012-07-26 03:08   194048   ----a-w-   c:\windows\system32\WUDFPlatform.dll
    2012-11-14 08:00 . 2012-07-26 02:26   87040   ----a-w-   c:\windows\system32\drivers\WUDFPf.sys
    2012-11-14 08:00 . 2012-07-26 02:26   198656   ----a-w-   c:\windows\system32\drivers\WUDFRd.sys
    2012-11-14 08:00 . 2012-07-26 03:08   229888   ----a-w-   c:\windows\system32\WUDFHost.exe
    2012-11-14 08:00 . 2012-07-26 03:08   744448   ----a-w-   c:\windows\system32\WUDFx.dll
    2012-11-14 08:00 . 2012-07-26 03:08   45056   ----a-w-   c:\windows\system32\WUDFCoinstaller.dll
    2012-11-13 15:13 . 2012-11-13 15:13   --------   d-----w-   c:\program files (x86)\MimGateway
    2012-11-13 15:13 . 2012-11-13 15:13   --------   d-----w-   c:\program files (x86)\Pivot Solutions
    2012-11-13 14:53 . 2012-11-15 20:54   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\MimGateway
    2012-11-13 14:53 . 2012-11-13 14:53   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\Pivot Solutions
    2012-11-13 13:13 . 2012-11-13 15:12   --------   d-----w-   c:\windows\system32\appmgmt
    2012-11-12 14:30 . 2012-11-14 08:01   66395536   ----a-w-   c:\windows\system32\MRT.exe
    2012-11-06 13:05 . 2012-11-06 13:05   73656   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-11-06 13:05 . 2012-11-06 13:05   696760   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
    2012-11-06 13:05 . 2012-11-06 13:05   --------   d-----w-   c:\windows\system32\Macromed
    2012-11-05 16:00 . 2012-11-05 16:00   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\webex
    2012-11-05 15:35 . 2012-11-05 15:35   --------   d-----w-   c:\users\Brandon Berger\AppData\Local\ElevatedDiagnostics
    2012-11-05 13:35 . 2012-11-05 13:35   --------   d-----w-   c:\users\Brandon Berger\AppData\Local\Diagnostics
    2012-11-02 20:38 . 2012-11-02 20:38   862664   ----a-w-   c:\windows\SysWow64\msvcr110.dll
    2012-11-02 20:38 . 2012-11-02 20:38   828872   ----a-w-   c:\windows\system32\msvcr110.dll
    2012-11-02 20:38 . 2012-11-02 20:38   661448   ----a-w-   c:\windows\system32\msvcp110.dll
    2012-11-02 20:38 . 2012-11-02 20:38   534480   ----a-w-   c:\windows\SysWow64\msvcp110.dll
    2012-11-02 20:38 . 2012-11-02 20:38   50856   ----a-w-   c:\windows\system32\drivers\point64.sys
    2012-11-02 20:38 . 2012-11-02 20:38   354264   ----a-w-   c:\windows\system32\vccorlib110.dll
    2012-11-02 20:38 . 2012-11-02 20:38   251864   ----a-w-   c:\windows\SysWow64\vccorlib110.dll
    2012-11-02 02:52 . 2012-11-02 02:52   75928   ----a-w-   c:\windows\system32\drivers\dc3d.sys
    2012-11-02 02:52 . 2012-11-02 02:52   1795952   ----a-w-   c:\windows\system32\WdfCoInstaller01011.dll
    2012-10-24 16:48 . 2012-10-24 16:49   --------   d-----w-   C:\Derivix installers
    2012-10-24 16:41 . 2012-10-24 16:41   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\Derivix Corp
    2012-10-24 16:41 . 2012-10-24 16:41   --------   d-----w-   c:\users\Brandon Berger\AppData\Local\Derivix_Corp
    2012-10-24 16:33 . 2012-11-16 19:58   --------   d-----w-   c:\program files (x86)\Derivix
    2012-10-24 16:26 . 2012-11-05 12:47   --------   d-----w-   c:\users\Brandon Berger\AppData\Local\LogMeIn Rescue Applet
    2012-10-23 13:36 . 2012-10-23 13:36   --------   d-----w-   c:\program files (x86)\WEX
    2012-10-22 17:12 . 2012-10-29 09:06   --------   d-----w-   c:\users\Brandon Berger\AppData\Roaming\DDS
    2012-10-22 17:12 . 2012-10-22 17:12   --------   d-----w-   c:\program files (x86)\Egar
    2012-10-22 17:12 . 2008-06-11 20:02   658432   ----a-w-   c:\windows\SysWow64\mscomct2.ocx
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-17 07:14 . 2012-10-17 07:14   91648   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
    2012-10-17 07:14 . 2012-10-17 07:14   89088   ----a-w-   c:\windows\system32\RegisterIEPKEYs.exe
    2012-10-17 07:14 . 2012-10-17 07:14   89088   ----a-w-   c:\windows\system32\ie4uinit.exe
    2012-10-17 07:14 . 2012-10-17 07:14   86528   ----a-w-   c:\windows\SysWow64\iesysprep.dll
    2012-10-17 07:14 . 2012-10-17 07:14   85504   ----a-w-   c:\windows\system32\iesetup.dll
    2012-10-17 07:14 . 2012-10-17 07:14   82432   ----a-w-   c:\windows\system32\icardie.dll
    2012-10-17 07:14 . 2012-10-17 07:14   76800   ----a-w-   c:\windows\SysWow64\SetIEInstalledDate.exe
    2012-10-17 07:14 . 2012-10-17 07:14   76800   ----a-w-   c:\windows\system32\tdc.ocx
    2012-10-17 07:14 . 2012-10-17 07:14   74752   ----a-w-   c:\windows\SysWow64\RegisterIEPKEYs.exe
    2012-10-17 07:14 . 2012-10-17 07:14   74752   ----a-w-   c:\windows\SysWow64\iesetup.dll
    2012-10-17 07:14 . 2012-10-17 07:14   65024   ----a-w-   c:\windows\system32\pngfilt.dll
    2012-10-17 07:14 . 2012-10-17 07:14   63488   ----a-w-   c:\windows\SysWow64\tdc.ocx
    2012-10-17 07:14 . 2012-10-17 07:14   55296   ----a-w-   c:\windows\system32\msfeedsbs.dll
    2012-10-17 07:14 . 2012-10-17 07:14   534528   ----a-w-   c:\windows\system32\ieapfltr.dll
    2012-10-17 07:14 . 2012-10-17 07:14   49664   ----a-w-   c:\windows\system32\imgutil.dll
    2012-10-17 07:14 . 2012-10-17 07:14   48640   ----a-w-   c:\windows\SysWow64\mshtmler.dll
    2012-10-17 07:14 . 2012-10-17 07:14   48640   ----a-w-   c:\windows\system32\mshtmler.dll
    2012-10-17 07:14 . 2012-10-17 07:14   452608   ----a-w-   c:\windows\system32\dxtmsft.dll
    2012-10-17 07:14 . 2012-10-17 07:14   448512   ----a-w-   c:\windows\system32\html.iec
    2012-10-17 07:14 . 2012-10-17 07:14   403248   ----a-w-   c:\windows\system32\iedkcs32.dll
    2012-10-17 07:14 . 2012-10-17 07:14   39936   ----a-w-   c:\windows\system32\iernonce.dll
    2012-10-17 07:14 . 2012-10-17 07:14   3695416   ----a-w-   c:\windows\system32\ieapfltr.dat
    2012-10-17 07:14 . 2012-10-17 07:14   367104   ----a-w-   c:\windows\SysWow64\html.iec
    2012-10-17 07:14 . 2012-10-17 07:14   35840   ----a-w-   c:\windows\SysWow64\imgutil.dll
    2012-10-17 07:14 . 2012-10-17 07:14   30720   ----a-w-   c:\windows\system32\licmgr10.dll
    2012-10-17 07:14 . 2012-10-17 07:14   282112   ----a-w-   c:\windows\system32\dxtrans.dll
    2012-10-17 07:14 . 2012-10-17 07:14   267776   ----a-w-   c:\windows\system32\ieaksie.dll
    2012-10-17 07:14 . 2012-10-17 07:14   249344   ----a-w-   c:\windows\system32\webcheck.dll
    2012-10-17 07:14 . 2012-10-17 07:14   23552   ----a-w-   c:\windows\SysWow64\licmgr10.dll
    2012-10-17 07:14 . 2012-10-17 07:14   222208   ----a-w-   c:\windows\system32\msls31.dll
    2012-10-17 07:14 . 2012-10-17 07:14   197120   ----a-w-   c:\windows\system32\msrating.dll
    2012-10-17 07:14 . 2012-10-17 07:14   165888   ----a-w-   c:\windows\system32\iexpress.exe
    2012-10-17 07:14 . 2012-10-17 07:14   163840   ----a-w-   c:\windows\system32\ieakui.dll
    2012-10-17 07:14 . 2012-10-17 07:14   161792   ----a-w-   c:\windows\SysWow64\msls31.dll
    2012-10-17 07:14 . 2012-10-17 07:14   160256   ----a-w-   c:\windows\system32\wextract.exe
    2012-10-17 07:14 . 2012-10-17 07:14   160256   ----a-w-   c:\windows\system32\ieakeng.dll
    2012-10-17 07:14 . 2012-10-17 07:14   152064   ----a-w-   c:\windows\SysWow64\wextract.exe
    2012-10-17 07:14 . 2012-10-17 07:14   150528   ----a-w-   c:\windows\SysWow64\iexpress.exe
    2012-10-17 07:14 . 2012-10-17 07:14   149504   ----a-w-   c:\windows\system32\occache.dll
    2012-10-17 07:14 . 2012-10-17 07:14   145920   ----a-w-   c:\windows\system32\iepeers.dll
    2012-10-17 07:14 . 2012-10-17 07:14   135168   ----a-w-   c:\windows\system32\IEAdvpack.dll
    2012-10-17 07:14 . 2012-10-17 07:14   12288   ----a-w-   c:\windows\system32\mshta.exe
    2012-10-17 07:14 . 2012-10-17 07:14   11776   ----a-w-   c:\windows\SysWow64\mshta.exe
    2012-10-17 07:14 . 2012-10-17 07:14   114176   ----a-w-   c:\windows\system32\admparse.dll
    2012-10-17 07:14 . 2012-10-17 07:14   111616   ----a-w-   c:\windows\system32\iesysprep.dll
    2012-10-17 07:14 . 2012-10-17 07:14   110592   ----a-w-   c:\windows\SysWow64\IEAdvpack.dll
    2012-10-17 07:14 . 2012-10-17 07:14   10752   ----a-w-   c:\windows\system32\msfeedssync.exe
    2012-10-17 07:14 . 2012-10-17 07:14   103936   ----a-w-   c:\windows\system32\inseng.dll
    2012-10-17 07:14 . 2012-10-17 07:14   101888   ----a-w-   c:\windows\SysWow64\admparse.dll
    2012-10-15 21:35 . 2012-10-15 21:35   821736   ----a-w-   c:\windows\SysWow64\npDeployJava1.dll
    2012-10-15 21:35 . 2012-10-15 21:35   746984   ----a-w-   c:\windows\SysWow64\deployJava1.dll
    2012-10-13 01:16 . 2012-10-13 01:16   296320   ----a-w-   c:\windows\system32\drivers\volsnap.sys
    2012-10-13 01:16 . 2012-10-13 01:16   902656   ----a-w-   c:\windows\system32\d2d1.dll
    2012-10-13 01:16 . 2012-10-13 01:16   739840   ----a-w-   c:\windows\SysWow64\d2d1.dll
    2012-10-13 01:16 . 2012-10-13 01:16   1139200   ----a-w-   c:\windows\system32\FntCache.dll
    2012-10-13 01:16 . 2012-10-13 01:16   800256   ----a-w-   c:\windows\system32\usp10.dll
    2012-10-13 01:16 . 2012-10-13 01:16   7680   ----a-w-   c:\windows\system32\KBDINTAM.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7680   ----a-w-   c:\windows\system32\KBDINMAL.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7680   ----a-w-   c:\windows\system32\KBDINDEV.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7680   ----a-w-   c:\windows\system32\KBDINBEN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINTAM.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINORI.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINMAR.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINMAL.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINKAN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINHIN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINDEV.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\SysWow64\KBDINBEN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINTEL.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINPUN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINORI.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINMAR.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINKAN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINHIN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINGUJ.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINEN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINBE2.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINBE1.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   7168   ----a-w-   c:\windows\system32\KBDINASA.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   6656   ----a-w-   c:\windows\SysWow64\KBDINTEL.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   6656   ----a-w-   c:\windows\SysWow64\KBDINPUN.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   6656   ----a-w-   c:\windows\SysWow64\KBDINGUJ.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   6656   ----a-w-   c:\windows\SysWow64\KBDINBE2.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   6656   ----a-w-   c:\windows\SysWow64\KBDINBE1.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   6656   ----a-w-   c:\windows\SysWow64\KBDINASA.DLL
    2012-10-13 01:16 . 2012-10-13 01:16   626176   ----a-w-   c:\windows\SysWow64\usp10.dll
    2012-10-13 01:16 . 2012-10-13 01:16   197120   ----a-w-   c:\windows\system32\d3d10_1.dll
    2012-10-13 01:16 . 2012-10-13 01:16   161792   ----a-w-   c:\windows\SysWow64\d3d10_1.dll
    2012-10-13 01:16 . 2012-10-13 01:16   70656   ----a-w-   c:\windows\SysWow64\fontsub.dll
    2012-10-13 01:16 . 2012-10-13 01:16   100864   ----a-w-   c:\windows\system32\fontsub.dll
    2012-10-13 01:15 . 2012-10-13 01:15   961024   ----a-w-   c:\windows\system32\CPFilters.dll
    2012-10-13 01:15 . 2012-10-13 01:15   850944   ----a-w-   c:\windows\SysWow64\sbe.dll
    2012-10-13 01:15 . 2012-10-13 01:15   642048   ----a-w-   c:\windows\SysWow64\CPFilters.dll
    2012-10-13 01:15 . 2012-10-13 01:15   259072   ----a-w-   c:\windows\system32\mpg2splt.ax
    2012-10-13 01:15 . 2012-10-13 01:15   199680   ----a-w-   c:\windows\SysWow64\mpg2splt.ax
    2012-10-13 01:15 . 2012-10-13 01:15   1118720   ----a-w-   c:\windows\system32\sbe.dll
    2012-10-13 01:14 . 2012-10-13 01:14   359624   ----a-w-   c:\windows\system32\drivers\vpcvmm.sys
    2012-10-13 01:14 . 2012-10-13 01:14   95232   ----a-w-   c:\windows\system32\drivers\vpcusb.sys
    2012-10-13 01:14 . 2012-10-13 01:14   936448   ----a-w-   c:\windows\system32\vmsal.exe
    2012-10-13 01:14 . 2012-10-13 01:14   793600   ----a-w-   c:\windows\SysWow64\vmsal.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CLRHost"="c:\blp\API\Office Tools\bbxlcmd.exe" [2012-09-18 273920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
    "PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-10-22 895512]
    "File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-03-23 12277760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
    2011-03-24 18:33   75320   ----a-w-   c:\windows\System32\DeviceNP.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages   REG_MULTI_SZ      DPPassFilter scecli
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
    R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-03-17 64312]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-03-24 464440]
    R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-03-15 30776]
    R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x64.sys [2010-08-13 339728]
    R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X64.sys [2010-08-13 65808]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-17 1255736]
    S0 MfeEpePc;MfeEpePc;

    S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-08-06 681528]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
    S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-03-23 320512]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 165032]
    S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
    S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-03-29 1318912]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2010-10-22 1121304]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
    S2 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-02-23 56040]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-11-02 75928]
    S3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchWDF.sys [2010-06-03 75776]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
    S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-06 13:05]
    .
    2012-11-19 c:\windows\Tasks\HPCeeScheduleForBrandon Berger.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-03-29 200704]
    "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-10-11 2041192]
    "IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
    "IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-Olrox - c:\users\Brandon Berger\AppData\Roaming\Awfe\ygdui.exe
    Wow6432Node-HKCU-Run-svñhîst - c:\users\Brandon Berger\appdata\local\temp\0000f047.exe
    AddRemove-Bloomberg Keyboard v11.1 - c:\windows\System32\drivers\UNWISE.EXE
    AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
    "ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2012-11-19  07:56:48 - machine was rebooted
    ComboFix-quarantined-files.txt  2012-11-19 12:56
    .
    Pre-Run: 682,990,952,448 bytes free
    Post-Run: 682,896,424,960 bytes free
    .
    - - End Of File - - EDCAA5E4F8CFB238976FA8571250BDA6
    ---------------------END------------------------------
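The ComboFix log above removed two orphaned HKCU Run entries (Olrox and the svchost look-alike) whose executables lived under AppData\Roaming and the user's Temp folder, which is the usual footprint of a screen-locker like this one. The following read-only audit is an added example for readers of this thread, not code from the forum, from ComboFix, or from Malwarebytes: it walks the same Run/RunOnce keys ComboFix lists (including Wow6432Node on x64), extracts each image path, and reports entries whose target is missing or sits in a user-writable folder. The helper name Get-ImagePath is mine, and the final check assumes the "WindowsLoad" hit in the first post refers to the legacy "Load" value under HKCU\...\Windows NT\CurrentVersion\Windows (an assumption; the log line itself does not show the separator). Nothing is modified; run it in an elevated PowerShell prompt.

```powershell
# Added example, not from the forum thread: read-only audit of the common
# "Run" autostart keys, flagging entries that point at missing files (orphans)
# or into folders a normal user can write to. Review the output by hand; a hit
# here is a reason to look closer, not proof of infection.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders writable without admin rights; startup entries living here match
# the AppData\Roaming and Temp paths ComboFix reported as orphans above.
$userWritable = @(
    [regex]::Escape($env:APPDATA),
    [regex]::Escape($env:LOCALAPPDATA),
    [regex]::Escape($env:TEMP),
    [regex]::Escape("$env:SystemDrive\Users\Public")
)
$writablePattern = '^(' + ($userWritable -join '|') + ')'

# Helper (mine, not a Windows API): pull the executable out of a Run value,
# which may be quoted ("C:\x\y.exe" /arg) or bare (C:\x\y.exe /arg).
function Get-ImagePath([string]$command) {
    $cmd = $command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $idx = $cmd.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $cmd.Substring(0, $idx + 4) }
    return ($cmd -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath properties
        $image = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
        $reasons = @()
        if (-not (Test-Path -LiteralPath $image)) { $reasons += 'target missing (orphan)' }
        if ($image -match $writablePattern)        { $reasons += 'user-writable location' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key    = $key
                Name   = $p.Name
                Image  = $image
                Reason = $reasons -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Assumption: the Malwarebytes "WindowsLoad" detection in the first post refers to
# the "Load" value under this key, a legacy autostart location that is normally empty.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).Load
if ($load) { "Winlogon 'Load' value is set: $load" }
```

On a clean machine the table is usually empty and the Load value is unset; vendor entries such as the HP, Intel and Adobe ones in the log above resolve to Program Files and are not reported. The script deliberately does not delete anything, so it can be run before and after a cleanup to confirm that the orphaned entries are really gone after the reboot.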

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Trojan.Ransom
    « Reply #1 on: November 27, 2012, 01:11:25 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down while inserting the USB storage device for about 10 seconds. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.
    *************************************************************************
    Quote:
    "C:\program files\internet explorer\iexplorer.exe  Illegal operation attempted on a registry key that has been marked for deletion." every time I try to open something.
    A re-boot will usually fix that problem.

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
    ************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    Windows 8 and Windows 10 dual boot with two SSD's