
Need Help with a Trojan.

Discussion in 'Virus & Other Malware Removal' started by Tedejc, Jun 9, 2012.

Thread Status:
Not open for further replies.
  1. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    366
    This is the ComboFix quarantined-files list:


    2012-06-13 00:09:26 . 2012-06-13 00:09:26 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
    2012-06-13 00:09:13 . 2012-06-13 01:46:19 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
    2012-06-13 00:05:00 . 2012-06-13 01:42:27 4,033 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2012-06-12 23:21:21 . 2012-06-12 23:21:21 232,960 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\00000008.@.vir
    2012-06-12 23:21:19 . 2012-06-12 23:21:19 93,696 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\80000032.@.vir
    2012-06-12 23:21:19 . 2012-06-12 23:21:19 76,800 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\80000064.@.vir
    2012-06-12 23:21:17 . 2012-06-12 23:21:17 16,896 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\80000000.@.vir
    2012-06-12 23:21:16 . 2012-06-12 23:21:16 773 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\L\00000004.@.vir
    2012-06-12 23:21:16 . 2012-06-12 23:21:16 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\00000004.@.vir
    2012-06-12 23:21:16 . 2012-06-12 23:21:16 1,584 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\000000cb.@.vir
    2012-06-12 22:42:56 . 2012-06-12 22:42:56 106 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\L\1afb2d56.vir
    2012-06-12 22:26:43 . 2012-06-13 01:39:09 459 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2012-06-06 04:05:27 . 2012-06-12 01:40:28 158 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\L\201d3dde.vir
    2012-01-11 00:18:44 . 2011-11-17 06:41:18 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\@.vir
    2012-01-11 00:18:44 . 2011-11-17 06:41:18 43,008 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\n.vir
    2011-11-01 23:27:55 . 2011-11-01 23:27:56 72,080 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\g2mdlhlpx.exe.vir
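Added example, not from the thread and not ComboFix's own code: a small Python parser for the quarantine listing above. ComboFix only prints the quarantined copies; an analyst usually wants them mapped back to their original locations, grouped by folder, and ordered by modification time so the infection can be dated. The sample lines are copied from the listing in the post above. One assumption is labelled in the code: the first timestamp on each line is taken as the creation time and the second as the last-modification time, the same order ComboFix uses in its "Files Created" section.

```python
import re
from collections import defaultdict
from datetime import datetime

# One listing line is: <created> . <modified> <size-or-dashes> <attrs> <path>
# Assumption: the first timestamp is creation time, the second is the last
# modification time (the order ComboFix uses in its "Files Created" section).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-{8}) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)
QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"

# Sample input: lines copied from the quarantine listing posted in the thread.
SAMPLE_LISTING = r"""
2012-06-13 00:09:26 . 2012-06-13 00:09:26 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2012-06-12 23:21:21 . 2012-06-12 23:21:21 232,960 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\00000008.@.vir
2012-06-12 23:21:19 . 2012-06-12 23:21:19 93,696 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\80000032.@.vir
2012-06-12 23:21:16 . 2012-06-12 23:21:16 773 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\L\00000004.@.vir
2012-06-12 22:26:43 . 2012-06-13 01:39:09 459 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-01-11 00:18:44 . 2011-11-17 06:41:18 2,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\@.vir
2012-01-11 00:18:44 . 2011-11-17 06:41:18 43,008 ----a-w- C:\Qoobox\Quarantine\C\Windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\n.vir
2011-11-01 23:27:55 . 2011-11-01 23:27:56 72,080 ----a-w- C:\Qoobox\Quarantine\C\Users\Owner\g2mdlhlpx.exe.vir
"""


def parse_quarantine(text):
    """Return one dict per well-formed listing line; headers and chatter are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = m["size"]
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M:%S"),
            # directories are listed with "--------" instead of a byte count
            "size": 0 if size.startswith("-") else int(size.replace(",", "")),
            "is_dir": m["attrs"][0] == "d",
            "attrs": m["attrs"],
            "quarantine_path": m["path"],
        })
    return entries


def original_path(quarantine_path):
    """Map C:\\Qoobox\\Quarantine\\C\\...\\name.vir back to C:\\...\\name.
    Returns None for ComboFix's own bookkeeping (registry backups, logs)."""
    if not quarantine_path.startswith(QUARANTINE_ROOT):
        return None
    rel = quarantine_path[len(QUARANTINE_ROOT):]
    if not rel.endswith(".vir"):
        return None
    drive, sep, rest = rel[:-4].partition("\\")
    if len(drive) != 1 or not sep:
        return None
    return f"{drive}:\\{rest}"


def summarize_by_directory(entries):
    """Group quarantined files by original parent folder: count, bytes,
    earliest and latest modification time."""
    groups = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for e in entries:
        orig = original_path(e["quarantine_path"])
        if orig is None or e["is_dir"]:
            continue
        g = groups[orig.rsplit("\\", 1)[0]]
        g["count"] += 1
        g["bytes"] += e["size"]
        g["first"] = e["modified"] if g["first"] is None else min(g["first"], e["modified"])
        g["last"] = e["modified"] if g["last"] is None else max(g["last"], e["modified"])
    return dict(groups)


def earliest_modified(entries):
    """(modified, original path) of the oldest quarantined file: a lower bound
    on how long the dropped files had been on the machine."""
    files = [(e["modified"], original_path(e["quarantine_path"]))
             for e in entries if original_path(e["quarantine_path"]) and not e["is_dir"]]
    return min(files) if files else None


if __name__ == "__main__":
    ents = parse_quarantine(SAMPLE_LISTING)
    for parent, g in sorted(summarize_by_directory(ents).items()):
        print(f"{g['count']:2d} file(s) {g['bytes']:>9,d} bytes  "
              f"{g['first']} .. {g['last']}  {parent}")
    when, path = earliest_modified(ents)
    print(f"oldest quarantined file: {path} (modified {when})")
```

Run against the listing, the report shows that the bulk of the quarantined bytes sat under the `\Windows\Installer\{GUID}\U` and `\L` folders, while the oldest file, `C:\Users\Owner\g2mdlhlpx.exe`, was last modified in November 2011, months before the thread was opened. That modification-time floor is the first thing to check when deciding how far back logs and backups need to be reviewed.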
     
  2. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    366
    This is the first ComboFix, before 2 and 3:



    ComboFix 12-06-12.03 - Owner 06/12/2012 20:02:33.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2844 [GMT -4:00]
    Running from: H:\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Owner\g2mdlhlpx.exe
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\@
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\L\00000004.@
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\L\1afb2d56
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\L\201d3dde
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\n
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\00000004.@
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\00000008.@
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\000000cb.@
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\80000000.@
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\80000032.@
    c:\windows\Installer\{85ee5870-1a9f-6932-c3ce-887557e65d78}\U\80000064.@
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-13 to 2012-06-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-06 04:11 . 2012-06-06 04:11 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-05-17 02:22 . 2012-05-17 02:23 -------- d-----w- c:\program files (x86)\Safari
    2012-05-17 02:22 . 2012-05-17 02:22 -------- d-----w- c:\users\Owner\AppData\Local\Apple Computer
    2012-05-17 02:22 . 2009-05-18 17:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-05-17 02:22 . 2008-04-17 16:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2012-05-17 02:22 . 2008-04-17 16:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2012-05-17 02:21 . 2012-05-17 02:21 -------- d-----w- c:\program files\iPod
    2012-05-17 02:21 . 2012-05-17 02:22 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2012-05-17 02:21 . 2012-05-17 02:21 -------- d-----w- c:\program files\iTunes
    2012-05-17 02:21 . 2012-05-17 02:21 -------- d-----w- c:\program files (x86)\iTunes
    2012-05-17 02:19 . 2012-05-17 02:21 -------- d-----w- c:\programdata\Apple Computer
    2012-05-17 02:19 . 2012-05-17 02:20 -------- d-----w- c:\program files (x86)\QuickTime
    2012-05-17 02:19 . 2012-05-17 02:21 -------- d-----w- c:\program files\Common Files\Apple
    2012-05-17 02:18 . 2012-05-17 02:18 -------- d-----w- c:\program files\Bonjour
    2012-05-17 02:18 . 2012-05-17 02:18 -------- d-----w- c:\program files (x86)\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-04 22:42 . 2012-04-12 11:41 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-05-04 22:42 . 2011-10-08 02:08 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-05-04 22:42 . 2012-04-12 21:35 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-03-31 06:05 . 2012-05-11 18:58 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-31 04:39 . 2012-05-11 18:58 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-03-31 04:39 . 2012-05-11 18:58 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-03-31 03:10 . 2012-05-11 18:58 3146240 ----a-w- c:\windows\system32\win32k.sys
    2012-03-30 11:35 . 2012-05-11 18:58 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-03-17 07:58 . 2012-05-11 18:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 98304]
    "HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2010-10-22 2489456]
    "RunAIShell"="c:\program files (x86)\ASUS\AI Manager\AsShellApplication.exe" [2009-12-23 232064]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    .
    c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    SpywareGuard.lnk - f:\spywareguard\sgmain.exe [2003-8-29 360448]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe [2011-4-21 548528]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2011-2-25 15776]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 257696]
    R3 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
    R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
    R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-26 129976]
    R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 Device Handle Service;Device Handle Service;c:\windows\SysWOW64\AsHookDevice.exe [2009-12-23 203392]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
    S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x]
    S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 22:42]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2782096]
    "Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://asus.msn.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: blizzard.com\us
    Trusted Zone: thinkorswim.com\www
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\6cetgoy6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-06-12 20:10:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-13 00:10
    .
    Pre-Run: 945,799,032,832 bytes free
    Post-Run: 946,007,257,088 bytes free
    .
    - - End Of File - - A0F7757F028F615B415DD2C3336668D5
     
  3. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,831
    That all looks OK.
    *Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
    * Click START then RUN
    * Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.

    This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    And scan here http://secunia.com/vulnerability_scanning/online/ for out-of-date & vulnerable common applications on your computer, and update whatever it suggests. Download & use the PSI version (not the OSI, in-your-browser Java version), as I no longer recommend having Java installed on the computer at all unless it is absolutely necessary, because of the too-high risk of malware infiltration.

    Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place. If Windows Update doesn't work, please come back & tell us.
     
  4. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    366
    OK, this is all very good. ComboFix is out, the Recycle Bin is emptied, the system is restarted. Updated Microsoft. Started following the thespykiller info, very good info; ran the Secunia. Thanks for the info on the PSI; any time I used it in the past it was always OSI and nothing would ever update. Both Java and Firefox were dangerously unprotected. Both are updated now.
    Still a lot of work to do on my part, but the system is running fine, and all issues have stopped. I'm marking this one as solved. I'm feeling lucky that I know you all. Thank you very much for the assistance; I couldn't have fixed this without you.
     

Short URL to this thread: https://techguy.org/1056457