Posts posted by Quantized
Hey Maurice,
My apologies for running so many tools before coming here for help! Also, sorry for the slow reply; I was unable to get to my computer over the weekend.
Thanks again for your time!
The RKreport was as follows:
RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Sam [Admin rights]
Mode: Scan -- Date: 07/10/2012 02:01:07
¤¤¤ Bad processes: 3 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
[SUSP PATH] scvejqjcvnpkcyqe.exe -- C:\Users\Sam\AppData\Local\Temp\scvejqjcvnpkcyqe.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : BwbJhohs (C:\Users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1923409006-194560733-4056756558-1000[...]\Run : BwbJhohs (C:\Users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BPKT-00PK4T0 ATA Device +++++
--- User ---
[MBR] ecc35fa9cbb26bb9c09e65bc940129f1
[BSP] 632714b9efe8543cfb2c3e457c227cb5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
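The RKreport above is read by eye: a Temp-directory executable, an eight-letter consonant soup under AppData\Local, and svchost.exe entries that RogueKiller terminated. The script below is an added example (not RogueKiller's code and not something posted in the thread) that parses the two line shapes in an RKreport and applies those same path heuristics automatically. The regexes, the "random-looking name" threshold and the list of system binary names are my own assumptions, not RogueKiller signatures; the sample lines are the ones from the report above with the tags in their original upper case (the forum software lower-cases the first letter inside square brackets).

```python
"""Path-heuristic triage of RogueKiller report lines (added example)."""
import re
from dataclasses import dataclass, field

# Constructed regexes for the two RKreport line shapes seen above
# (other RogueKiller versions may format lines differently):
#   [TAG] name.exe -- C:\path\name.exe -> KILLED [TermProc]
#   [TAG] HIVE\[...]\Run : ValueName (C:\path\name.exe) -> FOUND
PROC_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+\S+\s+--\s+(?P<path>.+?)\s+->\s+(?P<status>\w+)")
REG_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+)\s+:\s+(?P<name>\S+)\s+"
    r"\((?P<path>[^)]+)\)\s+->\s+(?P<status>\w+)")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed list of names that malware commonly borrows; extend as needed.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "rundll32.exe"}
VOWELS = set("aeiou")


@dataclass
class Finding:
    source: str                 # "process" or "registry"
    tag: str                    # RogueKiller's own tag, e.g. "SUSP PATH"
    path: str
    reasons: list = field(default_factory=list)


def looks_random(component: str) -> bool:
    """Consonant-heavy names such as 'bwbjhohs' or 'sqjwtlxb'.

    Heuristic (an assumption, not a signature): eight or more letters with
    fewer than one vowel in four.  Only applied to user-writable paths."""
    stem = component.lower().split(".")[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(ch in VOWELS for ch in stem) / len(stem) < 0.25


def score_path(path: str) -> list:
    """Return the reasons a path is suspicious (empty list if none)."""
    p = path.lower().replace("/", "\\")
    parts = p.split("\\")
    fname = parts[-1]
    reasons = []
    if "\\appdata\\local\\temp\\" in p:
        reasons.append("executable in the user's Temp directory")
    if "\\users\\" in p:          # name heuristics only under user profiles
        if looks_random(fname):
            reasons.append("random-looking file name: " + fname)
        reasons += ["random-looking directory: " + d
                    for d in parts[:-1] if looks_random(d)]
    if fname in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS):
        reasons.append(fname + " running outside System32/SysWOW64")
    return reasons


def parse_report(lines) -> list:
    """Parse RKreport lines into Findings; entries without a path ([HJ]) are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m, source = PROC_RE.match(line), "process"
        if m is None:
            m, source = REG_RE.match(line), "registry"
        if m is None:
            continue
        path = m.group("path").strip()
        if "\\" not in path:
            continue
        findings.append(Finding(source, m.group("tag"), path, score_path(path)))
    return findings


def suspicious(findings) -> list:
    return [f for f in findings if f.reasons]


# Sample input: lines from the RKreport posted above.
SAMPLE = """
[SVCHOST] svchost.exe -- C:\\Windows\\SysWOW64\\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\\Windows\\SysWOW64\\svchost.exe -> KILLED [TermProc]
[SUSP PATH] scvejqjcvnpkcyqe.exe -- C:\\Users\\Sam\\AppData\\Local\\Temp\\scvejqjcvnpkcyqe.exe -> KILLED [TermProc]
[SUSP PATH] HKCU\\[...]\\Run : BwbJhohs (C:\\Users\\Sam\\AppData\\Local\\sqjwtlxb\\bwbjhohs.exe) -> FOUND
[SUSP PATH] HKUS\\S-1-5-21-1923409006-194560733-4056756558-1000[...]\\Run : BwbJhohs (C:\\Users\\Sam\\AppData\\Local\\sqjwtlxb\\bwbjhohs.exe) -> FOUND
[HJ] HKLM\\[...]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
""".strip().splitlines()

if __name__ == "__main__":
    for f in suspicious(parse_report(SAMPLE)):
        print(f.source, f.tag, f.path)
        for r in f.reasons:
            print("   -", r)
```

Note what the path check cannot see: the two svchost.exe entries score zero because C:\Windows\SysWOW64\svchost.exe is the legitimate file. RogueKiller killed those processes for what was inside them (a 32-bit svchost started outside the service control manager is a classic injection host), which only process or memory inspection reveals, not the path.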
-
Ugh, sorry for the triple post, but ComboFix hasn't worked; on restarting, the UAC prompt is back.
When ComboFix restarted the computer, fewer processes seemed to be running, so perhaps that made it seem fixed, or maybe reconnecting to the internet caused the problem, who knows.
Anyway, back to square one!
Once again, sorry for the triple post.
Thanks! Sam
-
Firstly, sorry for posting again; I am not bumping this intentionally, however I don't believe I can edit my post.
I just wanted to update that I ran RKill in Safe Mode and then ran ComboFix, and I am now posting this from normal mode. I got no pop-up for UAC and can access this website; however, I'm not convinced that this means the virus is completely removed etc.
What would you advise I do now? I will update if the symptoms re-occur. I suppose the real question is whether I should still reformat.
The ComboFix log is below. I ran RKill twice, so the log says nothing; however, the only process cancelled was a rundll32.exe in the SysWOW64 folder, I believe.
Once again, many thanks for this!
ComboFix
ComboFix 12-06-30.01 - Sam 05/07/2012 22:28:07.2.4 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3894.3177 [GMT 9.5:30]
Running from: c:\users\Sam\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Sam\AppData\Local\cxbbfnpr.log
c:\users\Sam\AppData\Local\doiobkto.log
c:\users\Sam\AppData\Local\eoxhyrwi.log
c:\users\Sam\AppData\Local\hhvuyefd.log
c:\users\Sam\AppData\Local\oqcfydxf.log
c:\users\Sam\AppData\Local\qjsclcci.log
c:\users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe
c:\users\Sam\AppData\Local\uxlnfjba.log
.
.
((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
.
.
2012-07-05 13:03 . 2012-07-05 13:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-01 00:13 . 2012-07-01 00:13 -------- d-----w- c:\program files (x86)\ESET
2012-06-30 03:31 . 2012-06-30 03:31 -------- d-----w- c:\users\Sam\AppData\Roaming\Malwarebytes
2012-06-30 03:31 . 2012-06-30 03:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-30 03:31 . 2012-06-30 03:31 -------- d-----w- c:\programdata\Malwarebytes
2012-06-30 03:31 . 2012-04-04 06:26 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 03:13 . 2012-07-05 13:03 -------- d-----w- c:\users\Sam\AppData\Local\sqjwtlxb
2012-06-30 03:13 . 2012-06-30 03:13 93708 --s---w- c:\users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwbjhohs.exe
2012-06-30 01:07 . 2012-06-30 02:30 -------- d-----w- c:\program files (x86)\Diablo III
2012-06-30 01:07 . 2012-06-30 01:31 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-06-30 01:07 . 2012-06-30 01:31 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
2012-06-30 01:06 . 2012-06-30 01:06 -------- d-----w- c:\programdata\Battle.net
2012-06-29 11:50 . 2012-06-29 11:50 -------- d-----w- c:\programdata\ATI
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\programdata\AMD
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files (x86)\AMD AVT
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files (x86)\AMD APP
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-06-29 11:23 . 2012-06-29 11:25 -------- d-----w- c:\users\Sam\AppData\Local\Ubisoft Game Launcher
2012-06-29 11:23 . 2012-06-29 13:11 -------- d-----w- c:\users\Sam\AppData\Roaming\Might & Magic Heroes VI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 08:28 . 2012-04-06 15:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 08:28 . 2012-04-06 15:16 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-06 05:25 . 2012-04-15 11:25 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-01_00.05.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-21 21:01 . 2012-07-05 07:52 25374 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-05 07:52 27652 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-20 22:27 . 2012-07-05 07:54 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-20 22:27 . 2012-06-30 23:50 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-20 22:27 . 2012-07-05 07:54 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-20 22:27 . 2012-06-30 23:50 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-05 07:54 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-30 23:50 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-21 03:00 . 2012-07-05 07:53 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:56 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-07-01 02:41 78432 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-03-21 03:00 . 2012-07-05 07:53 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:56 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:56 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-21 03:00 . 2012-07-05 07:53 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-21 03:00 . 2012-07-05 07:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-21 03:00 . 2012-07-05 07:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-21 02:56 . 2012-07-05 07:52 8184 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1923409006-194560733-4056756558-1000_UserData.bin
+ 2012-07-05 13:04 . 2012-07-05 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-01 00:05 . 2012-07-01 00:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-07-01 00:00 619206 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-05 12:12 619206 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-05 12:12 107388 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-01 00:00 107388 c:\windows\system32\perfc009.dat
- 2012-06-30 04:35 . 2012-06-30 07:04 146352 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-06-30 04:35 . 2012-07-05 07:34 146352 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2012-06-30 23:51 283212 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-07-05 07:55 283212 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:45 . 2012-06-27 01:17 3837324 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2012-07-01 00:07 3837324 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2012-03-21 21:18 . 2012-07-05 07:55 38127924 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1923409006-194560733-4056756558-1000-8192.dat
- 2012-03-21 21:18 . 2012-06-30 23:51 38127924 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1923409006-194560733-4056756558-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-03-23 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-05 641664]
.
c:\users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
bwbjhohs.exe [2012-6-30 93708]
Dropbox.lnk - c:\users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-25 27112840]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 ALSysIO;ALSysIO;c:\users\Sam\AppData\Local\Temp\ALSysIO64.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-06 129976]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-05 346144]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-04-06 11174400]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-04-06 343040]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2010-07-28 10610400]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1923409006-194560733-4056756558-1000Core.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-21 22:12]
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1923409006-194560733-4056756558-1000UA.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-21 22:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-14 487424]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 415256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.20.1
FF - ProfilePath - c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\35zqoirr.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-BwbJhohs - c:\users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2012-07-05 22:37:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-05 13:07
ComboFix2.txt 2012-07-01 00:08
.
Pre-Run: 267,319,709,696 bytes free
Post-Run: 267,286,204,416 bytes free
.
- - End Of File - - 152DDA10094BD38173F3B7B1B753B074
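The ComboFix log above prints the UAC policy values (ConsentPromptBehaviorAdmin = 5, ConsentPromptBehaviorUser = 3, EnableUIADesktopToggle = 0), and the DDS log later in the thread prints the same three as "mPolicies-system:" lines. Those are the Windows 7 defaults, so the logon prompt the poster describes (asking to lower UAC) had not yet succeeded in changing them. The script below is an added example, not ComboFix's, DDS's or the poster's code: it reads either line format, translates the values into the settings the UAC slider and Group Policy expose, and lists anything that differs from the defaults. The regex and the constructed "lowered" sample are assumptions of mine; the value meanings are the documented ones for the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System values.

```python
"""Decode the UAC policy values that ComboFix and DDS print (added example)."""
import re

# Constructed regex matching both formats found in the logs:
#   "ConsentPromptBehaviorAdmin"= 5 (0x5)                   (ComboFix)
#   mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)  (DDS)
UAC_RE = re.compile(
    r'"?(?P<name>ConsentPromptBehaviorAdmin|ConsentPromptBehaviorUser|EnableLUA|'
    r'PromptOnSecureDesktop|EnableUIADesktopToggle)"?\s*=\s*(?P<value>\d+)')

# Windows 7 defaults; a value missing from the registry behaves as the default.
WIN7_DEFAULTS = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "ConsentPromptBehaviorUser": 3,
    "PromptOnSecureDesktop": 1,
    "EnableUIADesktopToggle": 0,
}

ADMIN_MEANING = {
    0: "elevate without prompting (silent elevation for every admin process)",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (default)",
}
USER_MEANING = {
    0: "automatically deny elevation requests",
    1: "prompt for credentials on the secure desktop",
    3: "prompt for credentials (default)",
}


def meaning(name: str, value: int) -> str:
    if name == "ConsentPromptBehaviorAdmin":
        return ADMIN_MEANING.get(value, "unknown value")
    if name == "ConsentPromptBehaviorUser":
        return USER_MEANING.get(value, "unknown value")
    if name == "EnableLUA":
        return "UAC on" if value else "UAC off entirely (Admin Approval Mode disabled)"
    if name == "PromptOnSecureDesktop":
        return ("prompts on the secure desktop" if value
                else "prompts on the interactive desktop, where they can be spoofed")
    if name == "EnableUIADesktopToggle":
        return ("UIAccess applications may turn off the secure desktop for prompts"
                if value else "UIAccess applications cannot turn off the secure desktop")
    return "unknown value"


def parse_uac(lines) -> dict:
    """Return {value name: int} for every UAC policy value found in the lines."""
    found = {}
    for line in lines:
        m = UAC_RE.search(line)
        if m:
            found[m.group("name")] = int(m.group("value"))
    return found


def assess(values: dict) -> list:
    """(name, value, meaning) for each value that differs from the Windows 7 default."""
    out = []
    for name, default in WIN7_DEFAULTS.items():
        v = values.get(name, default)
        if v != default:
            out.append((name, v, meaning(name, v)))
    return out


# Sample input taken from the two logs in this thread.
COMBOFIX_LINES = [
    '"ConsentPromptBehaviorAdmin"= 5 (0x5)',
    '"ConsentPromptBehaviorUser"= 3 (0x3)',
    '"EnableUIADesktopToggle"= 0 (0x0)',
]
DDS_LINES = [
    "mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)",
    "mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)",
    "mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
]
# Constructed sample of a machine whose UAC has been lowered (not from the thread).
LOWERED_LINES = [
    '"ConsentPromptBehaviorAdmin"= 0 (0x0)',
    '"EnableLUA"= 0 (0x0)',
    '"PromptOnSecureDesktop"= 0 (0x0)',
]

if __name__ == "__main__":
    for label, lines in (("ComboFix", COMBOFIX_LINES), ("DDS", DDS_LINES),
                         ("lowered sample", LOWERED_LINES)):
        print(label, assess(parse_uac(lines)) or "all UAC values at default")
```

Two checks worth keeping in mind when reading such logs: EnableLUA = 0 only takes effect after a reboot, so a freshly lowered value can coexist with UAC still apparently working; and the DDS process list in the first post shows UserAccountControlSettings.exe and consent.exe running, which is the prompt the poster saw at logon rather than evidence the values had already changed.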
-
Hello there!
My laptop has recently been infected by what, as far as I can tell, is referred to as the "Windows Command Process Virus". The symptoms are:
- As soon as I log in, a UAC pop-up asks to change the UAC settings down to their lowest setting.
- I can't visit any anti-virus related websites such as this one, or even microsoft.com etc.
- I can't run Chrome (Firefox/IE still work); I also can't run MBAM etc.
Since noticing the virus I have tried a few things to remove it, without success, namely:
Run MBAM in safe mode (as I can't run it in non-safe mode) both a full scan and quick scan.
Run MBAM directly after running RKill in safe mode.
Run ComboFix in safe mode.
Run ESETscan in non-safe mode.
I will post the logs of the above scans below, as well as the logs from a DDS scan (run in normal Windows mode, more recently than any attempted fix). I cannot find the ComboFix log.txt file at the moment.
The above scans have obviously been unsuccessful, despite in some cases detecting the virus (ESET shows the presence of Ramnit.A; the other scans did not specifically, but all of them located the .exe in my temp folder). I've read in some places that with the Ramnit virus the only safe option is to reformat. Although this is obviously not my first preference, I am happy to do it if necessary, but it would be good to know if I do need to, and, in the case that I do need to, which files I can safely back up without worrying about the virus spreading. For instance, I have a Dropbox attached to the laptop with .doc/.pdf/image files; would they be infected, and if so, is it likely the other users connected to the Dropbox would also have issues?
Thank you very much for your time!
Sam
DDS Scan:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by Sam at 17:24:28 on 2012-07-05
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3894.2734 [GMT 9.5:30]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\AESTSr64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
C:\Users\Sam\AppData\Local\Temp\scvejqjcvnpkcyqe.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\UserAccountControlSettings.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [BwbJhohs] C:\Users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
StartupFolder: C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwbjhohs.exe
StartupFolder: C:\Users\Sam\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Sam\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.20.1
TCP: Interfaces\{43BEB823-1498-400F-8A77-5FF66ADFA1D9} : DhcpNameServer = 192.168.20.1
TCP: Interfaces\{43BEB823-1498-400F-8A77-5FF66ADFA1D9}\24967605F6E64603134463 : DhcpNameServer = 61.9.226.33 61.9.242.33
TCP: Interfaces\{43BEB823-1498-400F-8A77-5FF66ADFA1D9}\7405E65647 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{75B9AB0C-B310-4F83-A9EE-FC47FBA3989F} : DhcpNameServer = 192.168.42.129
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\35zqoirr.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Sam\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\AESTSr64.exe [2012-3-22 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 intelkmd;intelkmd;C:\Windows\system32\DRIVERS\igdpmd64.sys --> C:\Windows\system32\DRIVERS\igdpmd64.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-7 129976]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
.
=============== Created Last 30 ================
.
2012-07-01 00:13:56 -------- d-----w- C:\Program Files (x86)\ESET
2012-07-01 00:05:36 -------- d-sh--w- C:\$RECYCLE.BIN
2012-06-30 23:56:47 98816 ----a-w- C:\Windows\sed.exe
2012-06-30 23:56:47 518144 ----a-w- C:\Windows\SWREG.exe
2012-06-30 23:56:47 256000 ----a-w- C:\Windows\PEV.exe
2012-06-30 23:56:47 208896 ----a-w- C:\Windows\MBR.exe
2012-06-30 03:31:06 -------- d-----w- C:\Users\Sam\AppData\Roaming\Malwarebytes
2012-06-30 03:31:02 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-30 03:31:02 -------- d-----w- C:\ProgramData\Malwarebytes
2012-06-30 03:31:02 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-30 03:13:22 -------- d-----w- C:\Users\Sam\AppData\Local\sqjwtlxb
2012-06-30 01:07:21 -------- d-----w- C:\ProgramData\Blizzard Entertainment
2012-06-30 01:07:21 -------- d-----w- C:\Program Files (x86)\Diablo III
2012-06-30 01:07:21 -------- d-----w- C:\Program Files (x86)\Common Files\Blizzard Entertainment
2012-06-30 01:06:16 -------- d-----w- C:\ProgramData\Battle.net
2012-06-29 11:45:39 -------- d-----w- C:\ProgramData\AMD
2012-06-29 11:45:39 -------- d-----w- C:\Program Files (x86)\AMD AVT
2012-06-29 11:45:37 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-06-29 11:45:33 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2012-06-29 11:45:33 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2012-06-29 11:23:29 -------- d-----w- C:\Users\Sam\AppData\Local\Ubisoft Game Launcher
2012-06-29 11:23:28 -------- d-----w- C:\Users\Sam\AppData\Roaming\Might & Magic Heroes VI
.
==================== Find3M ====================
.
2012-06-10 08:28:00 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 08:28:00 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-06 05:25:16 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
.
============= FINISH: 17:24:39.75 ===============
DDS Attach.txt
------------------------------------------------------------------------------------------
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 21/03/2012 9:22:48 AM
System Uptime: 5/07/2012 5:20:33 PM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 1436
Processor: Intel® Core™ i5 CPU M 520 @ 2.40GHz | CPU | 2400/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 248.993 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_1436103C&REV_06\3&11583659&0&B0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_1436103C&REV_06\3&11583659&0&B0
Service:
.
Class GUID:
Description:
Device ID: ACPI\HPQ0004\3&11583659&0
Manufacturer:
Name:
PNP Device ID: ACPI\HPQ0004\3&11583659&0
Service:
.
==== System Restore Points ===================
.
RP21: 11/06/2012 5:37:17 PM - Scheduled Checkpoint
RP22: 20/06/2012 12:34:28 PM - Scheduled Checkpoint
RP23: 24/06/2012 9:33:35 PM - Windows Modules Installer
RP24: 29/06/2012 8:51:29 PM - Installed DirectX
RP25: 29/06/2012 8:52:43 PM - Installed Ubisoft Game Launcher
RP26: 30/06/2012 2:09:14 PM - Removed Skype™ 5.9
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.3)
Age of Empires® III: Complete Collection
µTorrent
Borderlands
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Compatibility Pack for the 2007 Office system
COMSOL 3.5a
Datcom and associated programs
Diablo III
Dota 2
Dropbox
ESET Online Scanner v3
Google Chrome
IDT Audio
Java Auto Updater
Java™ 6 Update 22
League of Legends
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft Office Word Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Might & Magic ® Heroes ® VI
MiKTeX 2.9
Mozilla Firefox 12.0 (x86 en-GB)
Mozilla Maintenance Service
Notepad++
NVIDIA PhysX v8.10.29
OpenOffice.org 3.3
Pando Media Booster
pdfsam
PX Profile Update
Realtek Ethernet Controller Driver For Windows 7
Steam
TexMakerX 2.1
TeXnicCenter Version 1.0 Stable RC1
Ubisoft Game Launcher
VirtualCloneDrive
VLC media player 2.0.1
.
==== Event Viewer Messages From Past Week ========
.
5/07/2012 5:15:46 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 5:06:20 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
5/07/2012 5:06:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
5/07/2012 5:06:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
5/07/2012 5:06:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/07/2012 5:05:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
5/07/2012 5:05:50 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv64.dll Error Code: 21
5/07/2012 5:05:33 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ElbyCDIO spldr Wanarpv6
30/06/2012 5:47:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
30/06/2012 4:23:53 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
30/06/2012 4:23:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
30/06/2012 4:23:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
30/06/2012 4:23:37 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache ElbyCDIO NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/06/2012 4:23:36 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
30/06/2012 3:04:56 PM, Error: Application Popup [1060] - \??\C:\Users\Sam\AppData\Local\Temp\ilyqhldf.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
30/06/2012 10:31:37 AM, Error: srv [2017] - The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
1/07/2012 9:35:13 AM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
1/07/2012 9:34:01 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
1/07/2012 9:33:38 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
1/07/2012 9:26:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
1/07/2012 9:19:18 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {0B5A2C52-3EB9-470A-96E2-6C6D4570E40F}
1/07/2012 9:17:26 AM, Error: Microsoft-Windows-Directory-Services-SAM [12291] - SAM failed to start the TCP/IP or SPX/IPX listening thread
.
==== End Of File ===========================
MBAM Full Scan:
----------------------------------------------------------------------------------
Malwarebytes Anti-Malware 1.61.0.1400
Database version: v2012.06.30.01
Windows 7 x64 NTFS (Safe Mode)
Internet Explorer 8.0.7600.16385
Sam :: AWESOME [administrator]
30/06/2012 3:22:23 PM
mbam-log-2012-06-30 (15-22-23).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 628874
Time elapsed: 39 minute(s), 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
----------------------------------------------------------------------------------------------------------------------
ESETscan:
C:\Qoobox\Quarantine\C\Users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe.vir Win32/Ramnit.A virus cleaned by deleting - quarantined
C:\Users\Sam\AppData\Local\Mozilla\Firefox\Profiles\35zqoirr.default\Cache\1\AA\69E4Ed01 HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Users\Sam\AppData\Local\Temp\scvejqjcvnpkcyqe.exe Win32/Ramnit.A virus cleaned by deleting - quarantined
C:\Users\Sam\Datcom\bin\AC3DVIEW.exe a variant of Win32/Packed.MoleboxSVS.A application cleaned by deleting - quarantined
C:\Users\Sam\Datcom\bin\DATCOM.exe a variant of Win32/Packed.MoleboxSVS.A application cleaned by deleting - quarantined
C:\Users\Sam\Datcom\bin\WGNUPLOT.exe a variant of Win32/Packed.MoleboxSVS.A application cleaned by deleting - quarantined
C:\Users\Sam\Downloads\ADA.EASE.4.1.0.7.DEVELOPER.VERSION.EMT36.ISO a variant of Win32/HackTool.Patcher.A application deleted - quarantined
C:\Users\Sam\Downloads\Datcom+_Pro_3.1.1.e.exe a variant of Win32/Packed.MoleboxSVS.A application cleaned by deleting - quarantined
Operating memory probably a variant of Win32/Ramnit.L virus
Command Process Virus (Ramnit.A)
in Resolved Malware Removal Logs
Hey Maurice,
Here is the ComboFix log; I ran it in normal Windows mode.
The problem still persists.
ComboFix 12-07-11.02 - Sam 11/07/2012 20:41:17.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3894.2906 [GMT 9.5:30]
Running from: c:\users\Sam\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Sam\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Sam\AppData\Local\sqjwtlxb
c:\users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-11 to 2012-07-11 )))))))))))))))))))))))))))))))
.
.
2012-07-11 11:19 . 2012-07-11 11:19 -------- d-----w- c:\users\Sam\AppData\Local\sqjwtlxb
2012-07-11 11:17 . 2012-07-11 11:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-01 00:13 . 2012-07-01 00:13 -------- d-----w- c:\program files (x86)\ESET
2012-06-30 03:31 . 2012-06-30 03:31 -------- d-----w- c:\users\Sam\AppData\Roaming\Malwarebytes
2012-06-30 03:31 . 2012-06-30 03:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-30 03:31 . 2012-06-30 03:31 -------- d-----w- c:\programdata\Malwarebytes
2012-06-30 03:31 . 2012-04-04 06:26 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 01:07 . 2012-06-30 02:30 -------- d-----w- c:\program files (x86)\Diablo III
2012-06-30 01:07 . 2012-06-30 01:31 -------- d-----w- c:\programdata\Blizzard Entertainment
2012-06-30 01:07 . 2012-06-30 01:31 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
2012-06-30 01:06 . 2012-06-30 01:06 -------- d-----w- c:\programdata\Battle.net
2012-06-29 11:50 . 2012-06-29 11:50 -------- d-----w- c:\programdata\ATI
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\programdata\AMD
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files (x86)\AMD AVT
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files (x86)\AMD APP
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-06-29 11:45 . 2012-06-29 11:45 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-06-29 11:23 . 2012-06-29 11:25 -------- d-----w- c:\users\Sam\AppData\Local\Ubisoft Game Launcher
2012-06-29 11:23 . 2012-06-29 13:11 -------- d-----w- c:\users\Sam\AppData\Roaming\Might & Magic Heroes VI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 08:28 . 2012-04-06 15:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 08:28 . 2012-04-06 15:16 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-06 05:25 . 2012-04-15 11:25 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-01_00.05.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-21 21:01 . 2012-07-11 11:09 25548 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-11 11:09 27700 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-20 22:27 . 2012-07-05 07:54 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-20 22:27 . 2012-06-30 23:50 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-20 22:27 . 2012-07-05 07:54 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-20 22:27 . 2012-06-30 23:50 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-05 07:54 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-30 23:50 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-21 03:00 . 2012-07-11 11:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:56 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-07-01 02:41 78432 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-03-21 03:00 . 2012-07-11 11:10 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:56 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-21 03:00 . 2012-07-11 11:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:56 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-21 03:00 . 2012-07-11 11:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-21 03:00 . 2012-07-11 11:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-21 03:00 . 2012-06-30 06:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-21 02:56 . 2012-07-11 11:09 8524 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1923409006-194560733-4056756558-1000_UserData.bin
- 2012-07-01 00:05 . 2012-07-01 00:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-11 11:18 . 2012-07-11 11:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-11 11:18 . 2012-07-11 11:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-01 00:05 . 2012-07-01 00:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-07-11 11:15 619642 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-11 11:15 107792 c:\windows\system32\perfc009.dat
- 2012-06-30 04:35 . 2012-06-30 07:04 146352 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-06-30 04:35 . 2012-07-09 16:34 146352 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2012-06-30 23:51 283212 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-07-11 11:17 283212 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:45 . 2012-07-01 00:07 3837324 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-06-27 01:17 3837324 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2012-03-21 21:18 . 2012-06-30 23:51 38127924 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1923409006-194560733-4056756558-1000-8192.dat
+ 2012-03-21 21:18 . 2012-07-11 11:17 38127924 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1923409006-194560733-4056756558-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-03-23 1242448]
"BwbJhohs"="c:\users\Sam\AppData\Local\sqjwtlxb\bwbjhohs.exe" [2012-06-30 93708]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-05 641664]
.
c:\users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
bwbjhohs.exe [2012-6-30 93708]
Dropbox.lnk - c:\users\Sam\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-25 27112840]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 ALSysIO;ALSysIO;c:\users\Sam\AppData\Local\Temp\ALSysIO64.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-06 129976]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-05 346144]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-04-06 11174400]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-04-06 343040]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2010-07-28 10610400]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1923409006-194560733-4056756558-1000Core.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-21 22:12]
.
2012-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1923409006-194560733-4056756558-1000UA.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-21 22:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Sam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-14 487424]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 415256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 61.9.226.33 61.9.242.33
FF - ProfilePath - c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\35zqoirr.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\users\Sam\AppData\Local\Temp\scvejqjcvnpkcyqe.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
.
**************************************************************************
.
Completion time: 2012-07-11 20:52:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-11 11:22
ComboFix2.txt 2012-07-01 00:08
.
Pre-Run: 270,055,886,848 bytes free
Post-Run: 270,035,230,720 bytes free
.
- - End Of File - - 7489833DDAB1AD71DAB1A565B3C8F80C
Upload was successful
Thanks again!