Need Help With Possible Virus

MajorBrass

I keep getting four cookies that my anti virus (Malwarebytes, HitmanPRO) detect but can't remove.

Things I have tried that did not work:
- Running Anti-virus in safe mode
- Manually deleting them
- Looked for them in the registry and did not find them

Any ideas?

Thanks

Here is a screen shot of them:

 

MajorBrass

did you try %temp% then delete all.

I'm not sure what that means. Would you please explain? EDIT: OK, I googled that command, ran it, deleted all, ran HitmanPro and it still detects them and fails to delete them.

I did Control Panel>Folder Options>Check View Hidden Files and deleted them - the folder looked empty but when I run HitmanPro it detects and is not able to delete them again.

I have also run CCleaner and GlaryUtilities but the cookies still show up.
 

Bubbaleone

I keep getting four cookies that my anti virus (Malwarebytes, HitmanPRO) detect but can't remove.

Things I have tried that did not work:
- Running Anti-virus in safe mode
- Manually deleting them
- Looked for them in the registry and did not find them

Any ideas?

Thanks

Follow this link to download ComboFix. The download link is in the middle of that webpage. This is important: save the download to your desktop, then right-click on the file and select "Run as administrator".

If you're running Windows XP it will ask to install "Recovery Console"; allow the installation. If you're running Windows Vista or 7 the program will begin when you right-click and run as administrator. When ComboFix begins its scan of your system, do not touch your keyboard or mouse until it finishes. When it's finished, a report log of the operations and malware removed will open on your desktop in Notepad.



Puppies04

OP, download and burn the AVG Rescue CD; it is pretty self-explanatory and runs outside your OS (Windows). I have yet to find a single virus it won't reliably remove.
 

FMX

Good luck. There is also an AVIRA Rescue CD, and a Defender Offline disc by Microsoft you could try as well. I haven't had good luck with AVIRA but you never know. It's fairly popular.

I don't know if it might help either but maybe try a System Restore as a last resort? If the virus/malware was recently installed and isn't too substantial - it might just do the trick.
 

MajorBrass

Ran ComboFix and I'm not sure what it did. The cookies are still detected by HitmanPro as "tracking" and it continues to fail to delete them.

Additionally, when I run Glary's track eraser it detects and is unable to delete the following cookies:

C:\Users\Nik\AppData\Local\Temp\Cookies\G5L2OYMJ.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\ONHOP6NJ.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\99N71FTA.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\X2CT54B5.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\0RWB4UTU.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\QBLIXS0N.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\LOTF4QI4.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\QVU52MUN.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\CCC3PHXQ.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\M4XSR5Q0.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\KSIWWYNL.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\QA73G2FN.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\YXQH3FC8.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\GD1KPBTZ.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\RT5A80NK.txt
C:\Users\Nik\AppData\Local\Temp\Cookies\W9XNO11P.txt

I will have to try the rescue CD when I have time. I am not sure if this is a virus or not but HitmanPro has never had difficulty getting rid of stuff until now.

I could not make sense of the ComboFix file but here it is.

 

daveybrat

They are probably just corrupted cookies. I doubt highly that they are infections as combofix should have nailed them if they were.
 

VirtualLarry

They are probably just corrupted cookies. I doubt highly that they are infections as combofix should have nailed them if they were.

If they are corrupted, then why couldn't he delete them?

OP, try using Unlocker to release handles holding those files, and then delete them.

Then, see if they come back.
 

MajorBrass

They seem to be phantom cookies! I do not even see a "Cookies" folder under C:\Users\Nik\Appdata\Local/Temp

I have deleted everything under temp with the %temp% command but they are still being detected by GlaryUtilities and HitManPro and neither is able to delete them.
 

chusteczka

These cookies are in textfiles. They should be easy to remove.

Manually go to the folder and delete them, or just delete the whole Cookies folder.
C:\Users\Nik\AppData\Local\Temp\Cookies\*

SuperAntiSpyware is probably the best software for removing cookies.

Rescue Disks are more for viruses but I list several below just in case.

ComboFix is excellent.

I have never used the programs you mention, GlaryUtilities or HitManPro. If the cookie files are not in the directory, then I suspect a bug in the programs you are using. Additionally, these are textfiles, they are not viruses or malware. They will not harm your system. I would not worry about them.


Rescue Disks
 

MajorBrass

I tried the above. SuperAS finds them and quarantines them but is not able to remove them either. Must be corrupt in some way or something is recreating them every time after I delete them.

Thank you for the links!
 

chusteczka

I use a Linux system to delete files from Windows that Windows does not want to delete. In fact, I just did this yesterday. The source of the Linux system is up to you. I have Ubuntu Linux installed on a 4GB USB key.

You restart your system and boot from the USB or CD into a Linux system, go into the Windows file system, and delete the offending files. Before this, you need to write down the directory path of the offending files.

If you created any of the above listed rescue disks, most of them, if not all, provide Linux rescue capabilities using a different start option than the anti-virus scan. This is why they are called "Rescue" disks and not merely portable antivirus scanners.
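
The boot-into-Linux procedure described above, as an added shell example that is not part of any poster's message. It assumes the Windows volume is already mounted and its mount point is passed in; the function names and the SAMPLE file names are constructed, and path components are matched case-insensitively because the thread writes the same folder as both `Appdata` and `AppData`.

```shell
#!/bin/sh
# Added example. Assumes the Windows volume is already mounted (e.g. with
# ntfs-3g) and its mount point is passed in; all names here are hypothetical.

# win_to_mounted MOUNT WINPATH
# Map 'C:\Users\...' onto MOUNT, matching each component case-insensitively.
# Prints the resolved path; returns 1 if any component does not exist.
win_to_mounted() {
    current=$1
    # Drop the drive letter and turn backslashes into forward slashes.
    rel=$(printf '%s' "$2" | sed 's|^[A-Za-z]:||' | tr '\\' '/')
    old_ifs=$IFS
    IFS=/
    set -f            # no globbing while the path is split on "/"
    set -- $rel
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        match=$(find "$current" -mindepth 1 -maxdepth 1 -iname "$part" | head -n 1)
        [ -n "$match" ] || return 1
        current=$match
    done
    printf '%s\n' "$current"
}

# list_folder MOUNT WINDIR
# List every regular file in the folder, hidden and system ones included.
list_folder() {
    dir=$(win_to_mounted "$1" "$2") || return 1
    find "$dir" -mindepth 1 -maxdepth 1 -type f | sort
}

# remove_files MOUNT WINPATH...
# Delete each path that resolves to a regular file; print how many were removed.
remove_files() {
    mnt=$1
    shift
    removed=0
    for winpath in "$@"; do
        if target=$(win_to_mounted "$mnt" "$winpath") && [ -f "$target" ]; then
            rm -f -- "$target" && removed=$((removed + 1))
        fi
    done
    printf '%s\n' "$removed"
}

# Demo on a constructed directory tree standing in for the mounted volume.
demo() {
    vol=$(mktemp -d) || return 1
    mkdir -p "$vol/Users/Nik/AppData/Local/Temp/Cookies"
    : > "$vol/Users/Nik/AppData/Local/Temp/Cookies/SAMPLE01.txt"   # constructed name
    : > "$vol/Users/Nik/AppData/Local/Temp/Cookies/SAMPLE02.txt"   # constructed name
    echo "Before:"; list_folder "$vol" 'C:\Users\Nik\Appdata\Local\Temp\Cookies'
    echo "Removed: $(remove_files "$vol" \
        'C:\Users\Nik\AppData\Local\Temp\Cookies\SAMPLE01.txt' \
        'C:\Users\Nik\AppData\Local\Temp\Cookies\SAMPLE02.txt')"
    echo "After:"; list_folder "$vol" 'C:\Users\Nik\AppData\Local\Temp\Cookies'
    rm -rf "$vol"
}
demo
```

If `list_folder` fails or prints nothing for the real mount point, the files the scanners report are not on disk at that path. If Windows was hibernated rather than shut down, ntfs-3g will not mount the volume read-write, so shut Windows down fully first.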
 