Friday, January 06, 2012

Win 7 Antispyware 2012 (FakeAV) - 01.06.2012 - Analysis and Removal


This was performed on a live (not virtual) machine.

I just happened to open the Action Center and noticed the screenshot below, which I thought was interesting but probably not anything new.


RogueKiller

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] Smad.exe -- C:\Users\Steve\AppData\Local\SanctionedMedia\Smad\Smad.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 17 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : qshlotge (C:\Users\Steve\AppData\Local\hpaepy\tkubsysguard.exe) -> FOUND
[ROGUE ST] HKCU\[...]\Run : 76750530 (C:\ProgramData\76750530\76750530.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Run : vbvbkugm (C:\Users\Steve\AppData\Local\lmoycnuag\iuknyxmlanw.exe) -> FOUND
[BLACKLIST DLL] HKCU\[...]\Run : MouseServiceService (rundll32.exe "C:\ProgramData\MouseServiceService.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKCU\[...]\Run : {08BD343E-EBCA-45B3-A456-C2A985F78AF9}Data (rundll32.exe "C:\Users\Steve\AppData\Local\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}Data\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}data.DLL",DllRegisterServer) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Adobe Update (rundll32 "C:\Users\Steve\AppData\Local\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}Update\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}updt32.DLL",DllRegisterServer) -> FOUND
[SUSP PATH] HKCU\[...]\Run : Smad ("C:\Users\Steve\AppData\Local\SanctionedMedia\Smad\Smad.exe") -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2681247166-1404216651-2173295430-1000[...]\Run : qshlotge (C:\Users\Steve\AppData\Local\hpaepy\tkubsysguard.exe) -> FOUND
[ROGUE ST] HKUS\S-1-5-21-2681247166-1404216651-2173295430-1000[...]\Run : 76750530 (C:\ProgramData\76750530\76750530.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2681247166-1404216651-2173295430-1000[...]\Run : vbvbkugm (C:\Users\Steve\AppData\Local\lmoycnuag\iuknyxmlanw.exe) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-2681247166-1404216651-2173295430-1000[...]\Run : MouseServiceService (rundll32.exe "C:\ProgramData\MouseServiceService.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-2681247166-1404216651-2173295430-1000[...]\Run : {08BD343E-EBCA-45B3-A456-C2A985F78AF9}Data (rundll32.exe "C:\Users\Steve\AppData\Local\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}Data\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}data.DLL",DllRegisterServer) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2681247166-1404216651-2173295430-1000[...]\Run : Adobe Update (rundll32 "C:\Users\Steve\AppData\Local\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}Update\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}updt32.DLL",DllRegisterServer) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2681247166-1404216651-2173295430-1000[...]\Run : Smad ("C:\Users\Steve\AppData\Local\SanctionedMedia\Smad\Smad.exe") -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:28091) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 9ab161f036b30f425e61f9fac31e9ea7
[BSP] 58a5720adba7ff49f9eeea848229802e : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 104 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 206848 | Size: 737230 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 1440110592 | Size: 12817 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

__________________________________________________________________________________
SAS (SUPERAntiSpyware)

Trojan.Agent/Gen-MSFake
    C:\PROGRAMDATA\MOUSESERVICESERVICE.DLL
    C:\USERS\STEVE\APPDATA\LOCAL\TEMP\NSL3BCB.TMP\C4QFC5M.NKQ
    C:\USERS\STEVE\APPDATA\LOCAL\TEMP\NSL3BCB.TMP\U3N7NWW.PIE
    C:\USERS\STEVE\APPDATA\LOCAL\TEMP\NSL3BCB.TMP\WO79B4N.HLE
    C:\USERS\STEVE\APPDATA\LOCAL\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}DATA\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}DATA.DLL
    C:\USERS\STEVE\APPDATA\LOCAL\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}UPDATE\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}UPDT32.DLL
    C:\USERS\STEVE\DESKTOP\RK_QUARANTINE\MOUSESERVICESERVICE.DLL.VIR
    C:\USERS\STEVE\DESKTOP\RK_QUARANTINE\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}DATA.DLL.VIR
    C:\USERS\STEVE\DESKTOP\RK_QUARANTINE\{08BD343E-EBCA-45B3-A456-C2A985F78AF9}UPDT32.DLL.VIR
    C:\WINDOWS\SYSWOW64\SRRSTR.DLL

Trojan.Agent/Gen-ImageDocFake
    C:\USERS\STEVE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\LOW\CONTENT.IE5\MMQ0PGWH\273408_1272005509_1651335_Q[1].JPG
    C:\USERS\STEVE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\LOW\CONTENT.IE5\TIEGVTNB\41491_1501924593_4866_Q[1].JPG

Trojan.Agent/Gen-FraudScan[Prod]
    C:\USERS\STEVE\APPDATA\LOCAL\TEMP\ARWMCOENSX.EXE
    C:\USERS\STEVE\APPDATA\LOCAL\TEMP\MSIMG32.DLL
    C:\Windows\Prefetch\ARWMCOENSX.EXE-64D1C9B7.pf

Trojan.Agent/Gen-FraudLoad
    C:\USERS\STEVE\APPDATA\LOCAL\TEMP\KNA0.2378003807390593.EXE
__________________________________________________________________________________
MBAM (Malwarebytes Anti-Malware)

Registry Keys Detected: 2
HKCR\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\opsmr9ibkfl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:28091 -> Quarantined and deleted successfully.

Folders Detected: 1
C:\ProgramData\76750530 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Detected: 17
C:\Users\Steve\AppData\Local\Temp\0.32497658981145383.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Temp\oiu0.41679890231768146.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Temp\rxnowemcsa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Steve\AppData\Local\Temp\wera0.37253882863410515.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\aas.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\hsx.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\iei.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\kco.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\rrp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\thd.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\Application Data\aas.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\Application Data\hsx.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\Application Data\iei.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\Application Data\kco.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\Application Data\rrp.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\Application Data\thd.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Steve\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
__________________________________________________________________________________
CF (ComboFix)

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\318064a7e620p822q154a8bok2n0
c:\programdata\381kr12hk05j54204368ddqtds7r668gwt2bw13577l
c:\programdata\463pm04jj42o13357112wnbbgg8b021wsb5yx64871b
c:\programdata\adkvjwui4n5y
c:\programdata\bjy617px0xmw80fp3c113f7mtljih2hq6rnhw
c:\programdata\eaobxq8b3hgh6kfp1iyw6q758a4y
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Templates\318064a7e620p822q154a8bok2n0
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Templates\381kr12hk05j54204368ddqtds7r668gwt2bw13577l
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Templates\463pm04jj42o13357112wnbbgg8b021wsb5yx64871b
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Templates\bjy617px0xmw80fp3c113f7mtljih2hq6rnhw
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Templates\eaobxq8b3hgh6kfp1iyw6q758a4y
c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\bb8qsukd.default\extensions\{d4cb5d15-feff-4d78-8768-a2a699711936}
c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\bb8qsukd.default\extensions\{d4cb5d15-feff-4d78-8768-a2a699711936}\chrome.manifest
c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\bb8qsukd.default\extensions\{d4cb5d15-feff-4d78-8768-a2a699711936}\chrome\xulcache.jar
c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\bb8qsukd.default\extensions\{d4cb5d15-feff-4d78-8768-a2a699711936}\defaults\preferences\xulcache.js
c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\bb8qsukd.default\extensions\{d4cb5d15-feff-4d78-8768-a2a699711936}\install.rdf
__________________________________________________________________________________
MGtools

--s-a-w             1,218 2012-01-02 19:32:47  C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Templates\adkvjwui4n5y
--s-a-w             8,558 2012-01-06 20:15:25  C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Templates\cxd8o8j8hsar
__________________________________________________________________________________

Misc notes:
There were other minor traces of malware that none of the above tools found. I found them just by going through typical infection hiding locations such as %appdata% and %programdata%.

There was quite a bit still hiding in %appdata%.

No rootkit, no hidden partition, no OS damage. Internet, Firewall, Windows Update and Security Center worked fine from start to finish. I used a minor registry patch to remove some AskToolbar traces, but that was it.
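As an added example (my script, not the author's, and not part of the original post), the following PowerShell turns the manual hunt described above into a repeatable triage pass. It codifies what the RogueKiller and MBAM findings have in common: Run entries launching from user-writable locations (%localappdata%, %appdata%, %programdata%), rundll32 loading a DLL via ",DllRegisterServer", all-digit and {GUID}-named artifacts, an IE proxy pointed at 127.0.0.1, desktop icons hidden via NewStartPanel, and recently written executables or extensionless files in the hiding places the post names. It assumes a Windows 7 box with PowerShell 2.0 or later and an elevated prompt; every function name is mine, and the heuristics produce a review list, not verdicts.

```powershell
# Added triage script, not from the original post. Heuristics mirror the findings
# above: Run entries launching from user-writable paths, rundll32 ",DllRegisterServer"
# DLL loaders, numeric/GUID-named artifacts, a loopback IE proxy, hidden desktop
# icons, and fresh executables in %appdata%/%localappdata%/%programdata%.
# Function names are mine. Run from an elevated prompt on Windows 7 (PowerShell 2.0+).

function Test-SuspiciousAutorun {
    param([string]$Name, [string]$Command)
    $reasons = @()
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    # Locations a properly installed program does not normally autostart from
    $userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    if ($cmd -match ($userWritable -join '|')) {
        $reasons += 'launches from a user-writable location'
    }
    # rundll32 <dll>,DllRegisterServer is how three of the Run entries above load their DLL
    if ($cmd -match '(?i)rundll32(\.exe)?\s+.*\.dll["'']?\s*,\s*DllRegisterServer') {
        $reasons += 'rundll32 DllRegisterServer loader'
    }
    # All-digit value names and {GUID} folders, as in 76750530 and {08BD343E-...}
    if ($Name -match '^\d{6,}$' -or $cmd -match '\\\{[0-9A-Fa-f-]{36}\}') {
        $reasons += 'numeric or GUID-named artifact'
    }
    return $reasons
}

function Get-SuspiciousRunEntries {
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }   # provider metadata, not Run values
            $why = @(Test-SuspiciousAutorun -Name $p.Name -Command ([string]$p.Value))
            if ($why.Count -gt 0) {
                New-Object PSObject -Property @{
                    Key = $key; Name = $p.Name; Command = $p.Value; Reason = ($why -join '; ')
                }
            }
        }
    }
}

function Get-LoopbackProxy {
    # FakeAV commonly points IE at a local proxy (here http=127.0.0.1:28091) to inject its warnings
    $is = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($is -and $is.ProxyServer -and $is.ProxyServer -match '(127\.0\.0\.1|localhost):\d+') { return $is.ProxyServer }
}

function Get-HiddenDesktopIcons {
    # RogueKiller flagged the first two as [HJ]; a value of 1 hides that icon from the desktop
    $known = @{ '{59031a47-3f72-44a7-89c5-5595fe6b30ee}' = 'User''s Files'
                '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' = 'Computer'
                '{645FF040-5081-101B-9F08-00AA002F954E}' = 'Recycle Bin' }
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($known.ContainsKey($p.Name) -and $p.Value -eq 1) { "$key : $($p.Name) ($($known[$p.Name])) hidden" }
        }
    }
}

function Get-RecentHidingPlaceFiles {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # %appdata% recursion covers Roaming\Microsoft\Windows\Templates, where ComboFix and MGtools found files above
    foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)) {
        if ((-not $dir) -or (-not (Test-Path $dir))) { continue }
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $since } |
            Where-Object { $_.Extension -match '^\.(exe|dll|scr|com|bat|cmd|js|vbs|jar)$' -or $_.Extension -eq '' } |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

Get-SuspiciousRunEntries | Format-Table Name, Reason, Command -AutoSize -Wrap
$proxy = Get-LoopbackProxy
if ($proxy) { "Loopback IE proxy set: $proxy" }
Get-HiddenDesktopIcons
Get-RecentHidingPlaceFiles -Days 7 | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize -Wrap
```

Expect legitimate Run entries that live in %localappdata% (per-user updaters, chat clients) to show up alongside the bad ones; the list is for the same kind of eyeball review the post did by hand, not for automatic deletion. The loopback-proxy check is also tripped by debugging proxies such as Fiddler, so confirm there is no such tool installed before treating it as a FakeAV indicator. In the file listing, the Attributes column is worth a glance: the MGtools entries above carried System and Hidden attributes (--s-a-w) on files under the user's Templates folder, which is not something legitimate software tends to do there.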
__________________________________________________________________________________ 
