Hello,
I am running Windows 7 on an HP computer. Friday, I had an issue where I clicked a website and control of my computer was lost to an FBI hijack virus that showed the entire screen as a message and demanded a $200 ransom. I was able to start the computer in safe mode and get Malwarebytes installed, run a scan, and regain access to my computer via normal startup (log below). After reading this post,
http://www.computerhope.com/forum/index.php?topic=133003.0, I ran ComboFix (log below). Now IE8 and most programs have to be run as administrator, and I am getting the error "C:\program files\internet explorer\iexplorer.exe Illegal operation attempted on a registry key that has been marked for deletion." every time I try to open something. I'm not sure what the issue is, but I know the original Malwarebytes scan found an issue with HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsLoad, so I'm guessing it's related. Please let me know how to proceed so that the problem is permanently fixed.
Thanks,
Brandon
------------------MALWAREBYTES--------------------
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.16.09
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Brandon Berger :: ABR6 [administrator]
Protection: Disabled
11/16/2012 2:42:44 PM
mbam-log-2012-11-16 (14-42-44).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 309252
Time elapsed: 15 minute(s), 49 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SonyAgent (Trojan.Lameshield) -> Data: C:\Windows\Temp\temp59.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Micrcsoft Updater (Trojan.Ransom) -> Data: "c:\users\brandon berger\appdata\local\temp\tmp7b6e30cc\setex.exe" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Bad: (C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr) Good: () -> Delete on reboot.
Folders Detected: 0
(No malicious items detected)
Files Detected: 16
C:\Windows\Temp\temp59.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\tmp7b6e30cc\setex.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\Local Settings\Temp\msbfuwyv.scr (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\n (Trojan.0Access) -> Delete on reboot.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-1899921444-1046565913-4080722315-1001\$34a487373f866d82b8646ff531a9996d\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Derivix\KeyGen.exe (Hacktool.Gen) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\0000f047.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\04d132db.exe (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\04d1a81a.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\D264.tmp (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\msbfuwyv.scr (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\msimg32.dll (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Local\Temp\msvyosq.com (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Users\Brandon Berger\AppData\Roaming\C2D8A5\C2D8A5.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
(end)
--------------------------------------
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.17.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Brandon Berger :: ABR6 [administrator]
Protection: Enabled
11/19/2012 7:28:59 AM
mbam-log-2012-11-19 (07-28-59).txt
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 167149
Time elapsed: 12 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\BRANDO~1\LOCALS~1\Temp\msbfuwyv.scr -> Delete on reboot.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-----------------------------------
2012/11/16 15:00:21 -0500 ABR6 (null) MESSAGE Executing scheduled update: Daily
2012/11/16 15:00:21 -0500 ABR6 (null) ERROR Scheduled update failed: Host not found failed with error code 0
2012/11/16 15:00:34 -0500 ABR6 Brandon Berger MESSAGE Starting protection
2012/11/16 15:00:34 -0500 ABR6 Brandon Berger MESSAGE Protection started successfully
2012/11/16 15:00:34 -0500 ABR6 Brandon Berger MESSAGE Starting IP protection
2012/11/16 15:00:35 -0500 ABR6 Brandon Berger MESSAGE IP Protection started successfully
2012/11/16 15:00:51 -0500 ABR6 Brandon Berger DETECTION C:\Users\Brandon Berger\AppData\Local\Temp\tmp45672668\setex.exe Trojan.Ransom QUARANTINE
----------------------------
2012/11/17 11:17:42 -0500 ABR6 Brandon Berger MESSAGE Executing scheduled update: Daily
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE Scheduled update executed successfully: database updated from version v2012.11.16.09 to version v2012.11.17.03
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE Starting database refresh
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE Stopping IP protection
2012/11/17 11:17:47 -0500 ABR6 Brandon Berger MESSAGE IP Protection stopped successfully
2012/11/17 11:17:48 -0500 ABR6 Brandon Berger MESSAGE Database refreshed successfully
2012/11/17 11:17:48 -0500 ABR6 Brandon Berger MESSAGE Starting IP protection
2012/11/17 11:17:48 -0500 ABR6 Brandon Berger MESSAGE IP Protection started successfully
------------------------------------
2012/11/19 07:27:56 -0500 ABR6 Brandon Berger DETECTION C:\Users\Brandon Berger\AppData\Local\Temp\tmp4a347af7\setex.exe Trojan.Ransom QUARANTINE
2012/11/19 07:28:03 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57892, Process: ygdui.exe)
2012/11/19 07:28:11 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57894, Process: ygdui.exe)
2012/11/19 07:28:19 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57897, Process: ygdui.exe)
2012/11/19 07:28:19 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57899, Process: ygdui.exe)
2012/11/19 07:28:27 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57901, Process: ygdui.exe)
2012/11/19 07:28:35 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57903, Process: ygdui.exe)
2012/11/19 07:28:35 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57905, Process: ygdui.exe)
2012/11/19 07:31:47 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57991, Process: ygdui.exe)
2012/11/19 07:31:55 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 57999, Process: ygdui.exe)
2012/11/19 07:31:55 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58001, Process: ygdui.exe)
2012/11/19 07:32:03 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58002, Process: ygdui.exe)
2012/11/19 07:32:03 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58003, Process: ygdui.exe)
2012/11/19 07:36:36 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58301, Process: ygdui.exe)
2012/11/19 07:36:44 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58303, Process: ygdui.exe)
2012/11/19 07:36:52 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58305, Process: ygdui.exe)
2012/11/19 07:36:52 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58307, Process: ygdui.exe)
2012/11/19 07:37:00 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58309, Process: ygdui.exe)
2012/11/19 07:38:04 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58352, Process: ygdui.exe)
2012/11/19 07:38:12 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58353, Process: ygdui.exe)
2012/11/19 07:38:20 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58356, Process: ygdui.exe)
2012/11/19 07:38:20 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58358, Process: ygdui.exe)
2012/11/19 07:38:28 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58359, Process: ygdui.exe)
2012/11/19 07:44:29 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58404, Process: ygdui.exe)
2012/11/19 07:44:29 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58405, Process: ygdui.exe)
2012/11/19 07:44:37 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58406, Process: ygdui.exe)
2012/11/19 07:44:45 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58407, Process: ygdui.exe)
2012/11/19 07:44:45 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58408, Process: ygdui.exe)
2012/11/19 07:45:01 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58410, Process: ygdui.exe)
2012/11/19 07:45:01 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58412, Process: ygdui.exe)
2012/11/19 07:45:09 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58414, Process: ygdui.exe)
2012/11/19 07:45:18 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58416, Process: ygdui.exe)
2012/11/19 07:45:18 -0500 ABR6 Brandon Berger IP-BLOCK 87.255.51.229 (Type: outgoing, Port: 58418, Process: ygdui.exe)
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE Stopping protection
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE Protection stopped successfully
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE Stopping IP protection
2012/11/19 07:51:01 -0500 ABR6 Brandon Berger MESSAGE IP Protection stopped successfully
2012/11/19 08:02:37 -0500 ABR6 Brandon Berger MESSAGE Starting IP protection
2012/11/19 08:02:38 -0500 ABR6 Brandon Berger MESSAGE IP Protection started successfully
2012/11/19 08:02:38 -0500 ABR6 Brandon Berger MESSAGE Starting protection
2012/11/19 08:02:38 -0500 ABR6 Brandon Berger MESSAGE Protection started successfully
-------------END--------------------------------------
----COMBOFIX----------------
ComboFix 12-11-16.02 - Brandon Berger 11/19/2012 7:51.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12246.9749 [GMT -5:00]
Running from: c:\users\Brandon Berger\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\users\Brandon Berger\AppData\Local\Microsoft\Windows\Temporary Internet Files\{084D85CB-B75C-473F-A068-64CED5971E7F}.xps
c:\users\Brandon Berger\AppData\Roaming\Awfe
c:\users\Brandon Berger\AppData\Roaming\Awfe\ygdui.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
.
2012-11-19 12:53 . 2012-11-19 12:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-19 12:46 . 2012-11-19 12:46 -------- d-----w- c:\users\Brandon Berger\AppData\Local\WinZip
2012-11-19 12:42 . 2012-09-25 04:16 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Malwarebytes
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-16 19:42 . 2012-11-16 19:42 -------- d-----w- c:\programdata\Malwarebytes
2012-11-16 19:42 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-16 19:07 . 2012-11-19 12:31 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Raukqu
2012-11-16 19:07 . 2012-11-16 19:07 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Opveby
2012-11-16 12:58 . 2012-11-16 12:59 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Bloomberg
2012-11-16 07:41 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2BCFA0AF-29AC-492D-A8AF-3BE0A51E4B67}\mpengine.dll
2012-11-16 03:44 . 2012-11-16 20:17 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Bloomberg
2012-11-15 21:52 . 2012-11-15 21:52 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2012-11-15 20:04 . 2010-06-03 15:18 75776 ----a-w- c:\windows\system32\drivers\ATTchWDF.sys
2012-11-15 20:04 . 2009-06-12 19:11 1331200 ----a-w- c:\windows\SysWow64\ATCPanel.cpl
2012-11-15 20:04 . 2008-10-10 18:47 164864 ----a-w- c:\windows\SysWow64\drivers\UNWISE.EXE
2012-11-15 20:03 . 2012-11-15 20:08 -------- d-----w- C:\blp
2012-11-14 08:04 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-14 08:04 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-14 08:04 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-14 08:04 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-14 08:00 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-14 08:00 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-14 08:00 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-14 08:00 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-14 08:00 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-14 08:00 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-14 08:00 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\MimGateway
2012-11-13 15:13 . 2012-11-13 15:13 -------- d-----w- c:\program files (x86)\Pivot Solutions
2012-11-13 14:53 . 2012-11-15 20:54 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\MimGateway
2012-11-13 14:53 . 2012-11-13 14:53 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Pivot Solutions
2012-11-13 13:13 . 2012-11-13 15:12 -------- d-----w- c:\windows\system32\appmgmt
2012-11-12 14:30 . 2012-11-14 08:01 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-11-06 13:05 . 2012-11-06 13:05 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-06 13:05 . 2012-11-06 13:05 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-06 13:05 . 2012-11-06 13:05 -------- d-----w- c:\windows\system32\Macromed
2012-11-05 16:00 . 2012-11-05 16:00 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\webex
2012-11-05 15:35 . 2012-11-05 15:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\ElevatedDiagnostics
2012-11-05 13:35 . 2012-11-05 13:35 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Diagnostics
2012-11-02 20:38 . 2012-11-02 20:38 862664 ----a-w- c:\windows\SysWow64\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 828872 ----a-w- c:\windows\system32\msvcr110.dll
2012-11-02 20:38 . 2012-11-02 20:38 661448 ----a-w- c:\windows\system32\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 534480 ----a-w- c:\windows\SysWow64\msvcp110.dll
2012-11-02 20:38 . 2012-11-02 20:38 50856 ----a-w- c:\windows\system32\drivers\point64.sys
2012-11-02 20:38 . 2012-11-02 20:38 354264 ----a-w- c:\windows\system32\vccorlib110.dll
2012-11-02 20:38 . 2012-11-02 20:38 251864 ----a-w- c:\windows\SysWow64\vccorlib110.dll
2012-11-02 02:52 . 2012-11-02 02:52 75928 ----a-w- c:\windows\system32\drivers\dc3d.sys
2012-11-02 02:52 . 2012-11-02 02:52 1795952 ----a-w- c:\windows\system32\WdfCoInstaller01011.dll
2012-10-24 16:48 . 2012-10-24 16:49 -------- d-----w- C:\Derivix installers
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\Derivix Corp
2012-10-24 16:41 . 2012-10-24 16:41 -------- d-----w- c:\users\Brandon Berger\AppData\Local\Derivix_Corp
2012-10-24 16:33 . 2012-11-16 19:58 -------- d-----w- c:\program files (x86)\Derivix
2012-10-24 16:26 . 2012-11-05 12:47 -------- d-----w- c:\users\Brandon Berger\AppData\Local\LogMeIn Rescue Applet
2012-10-23 13:36 . 2012-10-23 13:36 -------- d-----w- c:\program files (x86)\WEX
2012-10-22 17:12 . 2012-10-29 09:06 -------- d-----w- c:\users\Brandon Berger\AppData\Roaming\DDS
2012-10-22 17:12 . 2012-10-22 17:12 -------- d-----w- c:\program files (x86)\Egar
2012-10-22 17:12 . 2008-06-11 20:02 658432 ----a-w- c:\windows\SysWow64\mscomct2.ocx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-17 07:14 . 2012-10-17 07:14 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-10-17 07:14 . 2012-10-17 07:14 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 82432 ----a-w- c:\windows\system32\icardie.dll
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-10-17 07:14 . 2012-10-17 07:14 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-10-17 07:14 . 2012-10-17 07:14 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-10-17 07:14 . 2012-10-17 07:14 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-10-17 07:14 . 2012-10-17 07:14 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-10-17 07:14 . 2012-10-17 07:14 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-10-17 07:14 . 2012-10-17 07:14 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-10-17 07:14 . 2012-10-17 07:14 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-10-17 07:14 . 2012-10-17 07:14 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-10-17 07:14 . 2012-10-17 07:14 448512 ----a-w- c:\windows\system32\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-10-17 07:14 . 2012-10-17 07:14 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-10-17 07:14 . 2012-10-17 07:14 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-10-17 07:14 . 2012-10-17 07:14 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-10-17 07:14 . 2012-10-17 07:14 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-10-17 07:14 . 2012-10-17 07:14 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-10-17 07:14 . 2012-10-17 07:14 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-10-17 07:14 . 2012-10-17 07:14 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-10-17 07:14 . 2012-10-17 07:14 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-10-17 07:14 . 2012-10-17 07:14 222208 ----a-w- c:\windows\system32\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 197120 ----a-w- c:\windows\system32\msrating.dll
2012-10-17 07:14 . 2012-10-17 07:14 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-10-17 07:14 . 2012-10-17 07:14 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-10-17 07:14 . 2012-10-17 07:14 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-10-17 07:14 . 2012-10-17 07:14 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-10-17 07:14 . 2012-10-17 07:14 149504 ----a-w- c:\windows\system32\occache.dll
2012-10-17 07:14 . 2012-10-17 07:14 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-10-17 07:14 . 2012-10-17 07:14 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 12288 ----a-w- c:\windows\system32\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-10-17 07:14 . 2012-10-17 07:14 114176 ----a-w- c:\windows\system32\admparse.dll
2012-10-17 07:14 . 2012-10-17 07:14 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-10-17 07:14 . 2012-10-17 07:14 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-10-17 07:14 . 2012-10-17 07:14 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-10-17 07:14 . 2012-10-17 07:14 103936 ----a-w- c:\windows\system32\inseng.dll
2012-10-17 07:14 . 2012-10-17 07:14 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-10-15 21:35 . 2012-10-15 21:35 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-15 21:35 . 2012-10-15 21:35 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-10-13 01:16 . 2012-10-13 01:16 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-10-13 01:16 . 2012-10-13 01:16 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-10-13 01:16 . 2012-10-13 01:16 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-10-13 01:16 . 2012-10-13 01:16 800256 ----a-w- c:\windows\system32\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7680 ----a-w- c:\windows\system32\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINTAM.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINMAL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINDEV.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\SysWow64\KBDINBEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINORI.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINMAR.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINKAN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINHIN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINEN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 7168 ----a-w- c:\windows\system32\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINTEL.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINPUN.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINGUJ.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE2.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINBE1.DLL
2012-10-13 01:16 . 2012-10-13 01:16 6656 ----a-w- c:\windows\SysWow64\KBDINASA.DLL
2012-10-13 01:16 . 2012-10-13 01:16 626176 ----a-w- c:\windows\SysWow64\usp10.dll
2012-10-13 01:16 . 2012-10-13 01:16 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-10-13 01:16 . 2012-10-13 01:16 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2012-10-13 01:16 . 2012-10-13 01:16 100864 ----a-w- c:\windows\system32\fontsub.dll
2012-10-13 01:15 . 2012-10-13 01:15 961024 ----a-w- c:\windows\system32\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 850944 ----a-w- c:\windows\SysWow64\sbe.dll
2012-10-13 01:15 . 2012-10-13 01:15 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2012-10-13 01:15 . 2012-10-13 01:15 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2012-10-13 01:15 . 2012-10-13 01:15 1118720 ----a-w- c:\windows\system32\sbe.dll
2012-10-13 01:14 . 2012-10-13 01:14 359624 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2012-10-13 01:14 . 2012-10-13 01:14 95232 ----a-w- c:\windows\system32\drivers\vpcusb.sys
2012-10-13 01:14 . 2012-10-13 01:14 936448 ----a-w- c:\windows\system32\vmsal.exe
2012-10-13 01:14 . 2012-10-13 01:14 793600 ----a-w- c:\windows\SysWow64\vmsal.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CLRHost"="c:\blp\API\Office Tools\bbxlcmd.exe" [2012-09-18 273920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2010-10-22 895512]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-03-23 12277760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-03-24 18:33 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-03-17 64312]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-03-24 464440]
R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-03-15 30776]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x64.sys [2010-08-13 339728]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X64.sys [2010-08-13 65808]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-17 1255736]
S0 MfeEpePc;MfeEpePc;
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-08-06 681528]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-03-23 320512]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 165032]
S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-03-29 1318912]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2010-10-22 1121304]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
S2 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-02-23 56040]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-11-02 75928]
S3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchWDF.sys [2010-06-03 75776]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-06 13:05]
.
2012-11-19 c:\windows\Tasks\HPCeeScheduleForBrandon Berger.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-03-29 200704]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-10-11 2041192]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Olrox - c:\users\Brandon Berger\AppData\Roaming\Awfe\ygdui.exe
Wow6432Node-HKCU-Run-svñhîst - c:\users\Brandon Berger\appdata\local\temp\0000f047.exe
AddRemove-Bloomberg Keyboard v11.1 - c:\windows\System32\drivers\UNWISE.EXE
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-11-19 07:56:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-19 12:56
.
Pre-Run: 682,990,952,448 bytes free
Post-Run: 682,896,424,960 bytes free
.
- - End Of File - - EDCAA5E4F8CFB238976FA8571250BDA6
---------------------END------------------------------