
berthazz


Posts posted by berthazz

  1. Hi Maniac,

    Well, I haven't actually used the PC since my last post, as I didn't know if it was safe to do so until I had heard from you!

    I did notice that during the 1+1/2 hours while ESET was running, I didn't get one single "LockScreen" popup, so that looks like it may be gone.

    Should I just continue to use the PC as normal now? Or would you like me to run a HijackThis log or anything so that you can see what is running on the machine?

    Thank you so much for all this help - it is VERY much appreciated.... :)

  2. Hi Maniac,

    OK - I hope I've done the right things here!

    I ran the ESET Online Scanner as instructed (including checking the boxes as indicated), and the scan took around 1+1/2 hours.

    It quite quickly identified 2 threats, and on completion it reported that 2 threats had been identified and removed.

    I then found the log.txt file in the folder as advised, but noted that it had been created before the scan ran (I was perhaps wrongly expecting it to be created AFTER the scan had finished?).

    Anyway - here are the contents of the C:\Program Files\ESET\Eset Online Scanner\log.txt file:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ESETSmartInstaller@High as CAB hook log:

    OnlineScanner64.ocx - registred OK

    OnlineScanner.ocx - registred OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hope that was what you were expecting!

  3. Hi Maniac,

    I have followed your instructions. Please find C:\Combofix.txt copied below:

    -------------------------------------------------------------------------------------------------------

    ComboFix 13-01-04.03 - Rob 05/01/2013 0:30.3.2 - x64

    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4091.2914 [GMT 0:00]

    Running from: c:\users\Rob\Desktop\ComboFix.exe

    Command switches used :: c:\users\Rob\Desktop\CFScript.txt

    AV: AVG Anti-Virus Free Edition 2013 *Disabled/Outdated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

    SP: AVG Anti-Virus Free Edition 2013 *Disabled/Outdated* {B5F5C120-2089-702E-0001-553BB0D5A664}

    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\users\Rob\AppData\Roaming\Hemer

    c:\users\Rob\AppData\Roaming\Hemer\edykr.awa

    c:\users\Rob\AppData\Roaming\Ipedax

    c:\users\Rob\AppData\Roaming\Izedo

    c:\users\Rob\AppData\Roaming\Yhseu

    c:\users\Rob\AppData\Roaming\Yhseu\ezdun.hau

    c:\users\Rob\AppData\Roaming\Ynsuu

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-12-05 to 2013-01-05 )))))))))))))))))))))))))))))))

    .

    .

    2013-01-05 00:34 . 2013-01-05 00:34 -------- d-----w- c:\users\Mcx1-ROB-PC\AppData\Local\temp

    2013-01-05 00:34 . 2013-01-05 00:34 -------- d-----w- c:\users\Default\AppData\Local\temp

    2013-01-01 21:33 . 2013-01-01 21:33 -------- d-----w- c:\programdata\IObit

    2013-01-01 21:33 . 2013-01-01 21:33 -------- d-----w- c:\users\Rob\AppData\Roaming\IObit

    2013-01-01 21:33 . 2013-01-01 21:33 -------- d-----w- c:\program files (x86)\IObit

    2013-01-01 17:26 . 2013-01-01 17:26 388096 ----a-r- c:\users\Rob\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    2013-01-01 17:26 . 2013-01-01 17:26 -------- d-----w- c:\program files (x86)\Trend Micro

    2013-01-01 17:25 . 2013-01-01 21:31 -------- d-----w- c:\program files\UTILITY PROGRAMS

    2012-12-15 16:36 . 2012-12-15 16:36 -------- d-----w- c:\users\Rob\AppData\Roaming\Malwarebytes

    2012-12-15 16:36 . 2012-12-15 16:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

    2012-12-15 16:36 . 2012-12-15 16:36 -------- d-----w- c:\programdata\Malwarebytes

    2012-12-15 16:36 . 2012-09-29 19:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-12-15 13:26 . 2012-12-15 13:26 -------- d-----w- c:\users\Rob\AppData\Roaming\AVG2013

    2012-12-15 13:25 . 2012-12-15 13:25 -------- d-----w- c:\users\Rob\AppData\Roaming\TuneUp Software

    2012-12-15 13:25 . 2012-12-15 13:25 -------- d-----w- c:\programdata\AVG2013

    2012-12-15 13:25 . 2012-12-15 13:25 -------- d-----w- C:\$AVG

    2012-12-15 13:20 . 2012-03-20 02:51 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{54C00459-14ED-4FAD-A37F-04431D38E1CB}\mpengine.dll

    2012-12-15 13:03 . 2012-12-15 13:26 -------- d-----w- c:\users\Rob\AppData\Local\Avg2013

    2012-12-15 13:03 . 2012-12-15 13:03 -------- d-----w- c:\users\Rob\AppData\Local\MFAData

    2012-12-11 22:50 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

    2012-12-11 22:50 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll

    2012-12-11 22:50 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

    2012-12-11 22:48 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll

    2012-12-11 22:48 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

    2012-12-11 22:48 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll

    2012-12-11 22:48 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll

    2012-12-11 22:48 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

    2012-12-11 22:48 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-12-12 20:33 . 2011-03-22 22:45 67413224 ----a-w- c:\windows\system32\MRT.exe

    2012-12-11 22:47 . 2012-04-22 09:57 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

    2012-12-11 22:47 . 2011-07-10 10:37 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

    2012-10-22 13:02 . 2012-10-22 13:02 154464 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys

    2012-10-20 12:00 . 2011-09-22 23:00 895088 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll

    2012-10-20 12:00 . 2011-09-22 23:00 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

    2012-10-16 08:38 . 2012-11-27 21:00 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

    2012-10-16 08:38 . 2012-11-27 21:00 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

    2012-10-16 07:39 . 2012-11-27 21:00 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

    2012-10-15 03:48 . 2012-10-15 03:48 63328 ----a-w- c:\windows\system32\drivers\avgidsha.sys

    2012-10-09 18:17 . 2012-11-16 09:41 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

    2012-10-09 18:17 . 2012-11-16 09:41 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

    2012-10-09 17:40 . 2012-11-16 09:41 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

    2012-10-09 17:40 . 2012-11-16 09:41 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Advanced SystemCare 6"="c:\program files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-24 490880]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

    "dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]

    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]

    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]

    "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]

    "AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-11-06 3143800]

    .

    c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "ConsentPromptBehaviorAdmin"= 5 (0x5)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableUIADesktopToggle"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

    "aux2"=wdmaud.drv

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

    @=""

    .

    R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-06 5814392]

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-12-31 172032]

    R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

    R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdgx64.sys [2009-05-23 69152]

    R3 PCD5SRVC{048DBD20-445E8C82-05040104};PCD5SRVC{048DBD20-445E8C82-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms [2008-11-04 28152]

    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-19 1255736]

    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-15 63328]

    S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]

    S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-10-05 111456]

    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]

    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-09-18 18792]

    S1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\Rob\Desktop\emsisoftemergencykit\Run\a2ddax64.sys [2012-12-15 23208]

    S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]

    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]

    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-04-16 87600]

    S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [2012-10-31 464256]

    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 203264]

    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]

    S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-06-23 60928]

    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-07-23 23912]

    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]

    .

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2013-01-04 c:\windows\Tasks\Adobe Flash Player Updater.job

    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 22:47]

    .

    2013-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-711389052-200102541-574798463-1001Core.job

    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-22 22:14]

    .

    2013-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-711389052-200102541-574798463-1001UA.job

    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-22 22:14]

    .

    .

    --------- X64 Entries -----------

    .

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-14 1794344]

    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]

    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

    .

    ------- Supplementary Scan -------

    .

    uLocal Page = c:\windows\system32\blank.htm

    uStart Page = hxxp://www.bing.com/?PC=BNHP

    mLocal Page = c:\windows\SysWOW64\blank.htm

    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000

    IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105

    TCP: DhcpNameServer = 192.168.1.254

    .

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCD5SRVC{048DBD20-445E8C82-05040104}]

    "ImagePath"="\??\c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker5"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Shockwave Flash Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

    @="0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

    @="ShockwaveFlash.ShockwaveFlash.11"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="ShockwaveFlash.ShockwaveFlash"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Macromedia Flash Factory Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

    @="FlashFactory.FlashFactory.1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="FlashFactory.FlashFactory"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker5"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

    @Denied: (A) (Everyone)

    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

    @Denied: (A) (Everyone)

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

    "Key"="ActionsPane3"

    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

    @Denied: (Full) (Everyone)

    .

    Completion time: 2013-01-05 00:36:41

    ComboFix-quarantined-files.txt 2013-01-05 00:36

    ComboFix2.txt 2013-01-04 22:21

    ComboFix3.txt 2013-01-01 20:01

    .

    Pre-Run: 422,980,345,856 bytes free

    Post-Run: 422,684,577,792 bytes free

    .

    - - End Of File - - DF8C308808B226875BDC48C23FD77D63

  4. Hi Maniac,

    Thanks for clarifying. I have followed your instructions exactly. Please find the text from C:\Combofix.txt copied below:

    ----------------------------------------------------------------------------------

    ComboFix 13-01-04.03 - Rob 04/01/2013 22:16:10.2.2 - x64

    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4091.2982 [GMT 0:00]

    Running from: c:\users\Rob\Desktop\ComboFix.exe

    AV: AVG Anti-Virus Free Edition 2013 *Disabled/Outdated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

    SP: AVG Anti-Virus Free Edition 2013 *Disabled/Outdated* {B5F5C120-2089-702E-0001-553BB0D5A664}

    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    * Created a new restore point

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-12-04 to 2013-01-04 )))))))))))))))))))))))))))))))

    .

    .

    2013-01-04 22:19 . 2013-01-04 22:19 -------- d-----w- c:\users\Mcx1-ROB-PC\AppData\Local\temp

    2013-01-04 22:19 . 2013-01-04 22:19 -------- d-----w- c:\users\Default\AppData\Local\temp

    2013-01-01 21:33 . 2013-01-01 21:33 -------- d-----w- c:\programdata\IObit

    2013-01-01 21:33 . 2013-01-01 21:33 -------- d-----w- c:\users\Rob\AppData\Roaming\IObit

    2013-01-01 21:33 . 2013-01-01 21:33 -------- d-----w- c:\program files (x86)\IObit

    2013-01-01 17:26 . 2013-01-01 17:26 388096 ----a-r- c:\users\Rob\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    2013-01-01 17:26 . 2013-01-01 17:26 -------- d-----w- c:\program files (x86)\Trend Micro

    2013-01-01 17:25 . 2013-01-01 21:31 -------- d-----w- c:\program files\UTILITY PROGRAMS

    2012-12-15 16:36 . 2012-12-15 16:36 -------- d-----w- c:\users\Rob\AppData\Roaming\Malwarebytes

    2012-12-15 16:36 . 2012-12-15 16:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

    2012-12-15 16:36 . 2012-12-15 16:36 -------- d-----w- c:\programdata\Malwarebytes

    2012-12-15 16:36 . 2012-09-29 19:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-12-15 13:26 . 2012-12-15 13:26 -------- d-----w- c:\users\Rob\AppData\Roaming\AVG2013

    2012-12-15 13:25 . 2012-12-15 13:25 -------- d-----w- c:\users\Rob\AppData\Roaming\TuneUp Software

    2012-12-15 13:25 . 2012-12-15 13:25 -------- d-----w- c:\programdata\AVG2013

    2012-12-15 13:25 . 2012-12-15 13:25 -------- d-----w- C:\$AVG

    2012-12-15 13:20 . 2012-03-20 02:51 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{54C00459-14ED-4FAD-A37F-04431D38E1CB}\mpengine.dll

    2012-12-15 13:12 . 2012-12-15 17:24 -------- d-----w- c:\users\Rob\AppData\Roaming\Ipedax

    2012-12-15 13:12 . 2012-12-15 13:15 -------- d-----w- c:\users\Rob\AppData\Roaming\Ynsuu

    2012-12-15 13:12 . 2012-12-15 13:12 -------- d-----w- c:\users\Rob\AppData\Roaming\Yhseu

    2012-12-15 13:03 . 2012-12-15 13:26 -------- d-----w- c:\users\Rob\AppData\Local\Avg2013

    2012-12-15 13:03 . 2012-12-15 13:03 -------- d-----w- c:\users\Rob\AppData\Local\MFAData

    2012-12-12 21:11 . 2012-12-12 21:11 -------- d-----w- c:\users\Rob\AppData\Roaming\Izedo

    2012-12-12 21:11 . 2012-12-12 21:11 -------- d-----w- c:\users\Rob\AppData\Roaming\Hemer

    2012-12-11 22:50 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

    2012-12-11 22:50 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll

    2012-12-11 22:50 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

    2012-12-11 22:48 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll

    2012-12-11 22:48 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

    2012-12-11 22:48 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll

    2012-12-11 22:48 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll

    2012-12-11 22:48 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

    2012-12-11 22:48 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-12-12 20:33 . 2011-03-22 22:45 67413224 ----a-w- c:\windows\system32\MRT.exe

    2012-12-11 22:47 . 2012-04-22 09:57 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

    2012-12-11 22:47 . 2011-07-10 10:37 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

    2012-10-22 13:02 . 2012-10-22 13:02 154464 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys

    2012-10-20 12:00 . 2011-09-22 23:00 895088 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll

    2012-10-20 12:00 . 2011-09-22 23:00 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

    2012-10-16 08:38 . 2012-11-27 21:00 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

    2012-10-16 08:38 . 2012-11-27 21:00 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

    2012-10-16 07:39 . 2012-11-27 21:00 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

    2012-10-15 03:48 . 2012-10-15 03:48 63328 ----a-w- c:\windows\system32\drivers\avgidsha.sys

    2012-10-09 18:17 . 2012-11-16 09:41 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

    2012-10-09 18:17 . 2012-11-16 09:41 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

    2012-10-09 17:40 . 2012-11-16 09:41 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

    2012-10-09 17:40 . 2012-11-16 09:41 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Advanced SystemCare 6"="c:\program files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-24 490880]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

    "dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]

    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]

    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]

    "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]

    "AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-11-06 3143800]

    .

    c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "ConsentPromptBehaviorAdmin"= 5 (0x5)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableUIADesktopToggle"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

    "aux2"=wdmaud.drv

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

    @=""

    .

    R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [2012-11-06 5814392]

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-12-31 172032]

    R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

    R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdgx64.sys [2009-05-23 69152]

    R3 PCD5SRVC{048DBD20-445E8C82-05040104};PCD5SRVC{048DBD20-445E8C82-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms [2008-11-04 28152]

    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]

    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-19 1255736]

    S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-10-15 63328]

    S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys [2012-09-21 225120]

    S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2012-10-05 111456]

    S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-09-14 40800]

    S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-09-18 18792]

    S1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\Rob\Desktop\emsisoftemergencykit\Run\a2ddax64.sys [2012-12-15 23208]

    S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2012-10-22 154464]

    S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-10-02 185696]

    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-04-16 87600]

    S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files (x86)\IObit\Advanced SystemCare 6\ASCService.exe [2012-10-31 464256]

    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 203264]

    S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-22 196664]

    S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-06-23 60928]

    S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-07-23 23912]

    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]

    .

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2013-01-04 c:\windows\Tasks\Adobe Flash Player Updater.job

    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 22:47]

    .

    2013-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-711389052-200102541-574798463-1001Core.job

    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-22 22:14]

    .

    2013-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-711389052-200102541-574798463-1001UA.job

    - c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-22 22:14]

    .

    .

    --------- X64 Entries -----------

    .

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "FreeFallProtection"="c:\program files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-14 1794344]

    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]

    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

    .

    ------- Supplementary Scan -------

    .

    uLocal Page = c:\windows\system32\blank.htm

    uStart Page = hxxp://www.bing.com/?PC=BNHP

    mLocal Page = c:\windows\SysWOW64\blank.htm

    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000

    IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105

    TCP: DhcpNameServer = 192.168.1.254

    .

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCD5SRVC{048DBD20-445E8C82-05040104}]

    "ImagePath"="\??\c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker5"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Shockwave Flash Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

    @="0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

    @="ShockwaveFlash.ShockwaveFlash.11"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="ShockwaveFlash.ShockwaveFlash"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

    @Denied: (A 2) (Everyone)

    @="Macromedia Flash Factory Object"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

    "ThreadingModel"="Apartment"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

    @="FlashFactory.FlashFactory.1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

    @="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

    @="FlashFactory.FlashFactory"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker5"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

    @Denied: (A) (Everyone)

    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

    @Denied: (A) (Everyone)

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

    "Key"="ActionsPane3"

    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

    @Denied: (Full) (Everyone)

    .

    Completion time: 2013-01-04 22:21:53

    ComboFix-quarantined-files.txt 2013-01-04 22:21

    ComboFix2.txt 2013-01-01 20:01

    .

    Pre-Run: 423,155,159,040 bytes free

    Post-Run: 423,090,929,664 bytes free

    .

    - - End Of File - - C38735BD8C0505E52530BBC59DF34898

  5. Hi Maniac,

    Sorry if I am being a little cautious here, but I want to make sure I follow your instructions 100% correctly.

    Do you mean that I should do these actions?

    1. Restart the PC.

    2. Delete Combofix.exe from the desktop.

    3. Click on the link you provided and download Combofix.exe from that page (following the instructions found via the link you gave).

    4. Run Combofix.exe (ensuring all anti-virus/anti-malware programs are disabled)

    5. After Combofix.exe has run, post C:\Combofix.txt in my next reply.

    Is that correct? As I had already run Combofix.exe once before I wrote my first post in this forum, I want to make sure that it will be OK to run it again.

    Many thanks.

  6. Hi - I meant to ask before:

    Is it safe for me to shut down my laptop? As things seem to be "marked for deletion" I am nervous about shutting down and/or restarting. Would this be risky?

    Alternatively I could put the laptop into "Hibernate" mode instead of shutting down? I wanted to check with you if either of these would be possible, so I don't have to leave my laptop on all day and night! :)

    Thanks again.

  7. Hi Maniac,

    Thanks again for your continued help. I followed your instructions exactly but when I drag the CFScript.txt file into Combofix.exe (as you instructed above) I get the same error message that I mentioned in my first post. A window appears that says:

    "C:\Users\Rob\Desktop\Combofix.exe

    Illegal operation attempted on a registry key that has been marked for deletion."

    I am able to open other programs (e.g. Malwarebytes) provided that I right click on the icon and select "Run as administrator". As I am dragging a file into Combofix.exe I am unable to do this - any suggestions?

    For your information, I have tried right clicking on Combofix.exe, clicking on the 'Compatibility' tab and checking the box "Run this program as an administrator". Unfortunately the same error message appears.

    Any advice would be greatly appreciated.

  8. Hi Maniac!

    Thanks so much for getting back to me. It is very kind of you to offer help - much appreciated. I will not run any further scans or take any actions unless you tell me to do so!

    The contents of C:\Qoobox\Addor Remove Programs.txt are as follows:

    --------------------------------------------------

    Accelerometer

    Adobe AIR

    Adobe Flash Player 11 ActiveX

    Adobe Reader X (10.1.4)

    Advanced Audio FX Engine

    Amazon MP3 Downloader 1.0.17

    Amazon Music Importer

    Apple Application Support

    Apple Software Update

    Audacity 1.3.14 (Unicode)

    Citrix online plug-in - web

    Citrix online plug-in (DV)

    Citrix online plug-in (HDX)

    Citrix online plug-in (USB)

    Citrix online plug-in (Web)

    D3DX10

    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

    Dell Support Center (Support Software)

    Dell Webcam Central

    Google Chrome

    Google Talk Plugin

    GoToAssist 8.0.0.514

    HiJackThis

    Java 7 Update 7

    Java Auto Updater

    Java 6 Update 32

    LAME v3.98.3 for Audacity

    Live! Cam Avatar Creator

    Malwarebytes Anti-Malware version 1.65.1.1000

    Microsoft Office 2010 Service Pack 1 (SP1)

    Microsoft Office Access MUI (English) 2010

    Microsoft Office Access Setup Metadata MUI (English) 2010

    Microsoft Office Excel MUI (English) 2010

    Microsoft Office Groove MUI (English) 2010

    Microsoft Office InfoPath MUI (English) 2010

    Microsoft Office OneNote MUI (English) 2010

    Microsoft Office Outlook MUI (English) 2010

    Microsoft Office PowerPoint MUI (English) 2010

    Microsoft Office Professional Plus 2010

    Microsoft Office Proof (English) 2010

    Microsoft Office Proof (French) 2010

    Microsoft Office Proof (Spanish) 2010

    Microsoft Office Proofing (English) 2010

    Microsoft Office Publisher MUI (English) 2010

    Microsoft Office Shared MUI (English) 2010

    Microsoft Office Shared Setup Metadata MUI (English) 2010

    Microsoft Office Word MUI (English) 2010

    Microsoft Silverlight

    Microsoft SQL Server 2005 Compact Edition [ENU]

    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

    MSVCRT

    MSXML 4.0 SP2 (KB954430)

    MSXML 4.0 SP2 (KB973688)

    Nokia Maps 3D browser plugin for Internet Explorer (5.10.2.0)

    O2Micro Flash Memory Card Windows Driver

    OpenOffice.org 3.3

    PrimoPDF -- brought to you by Nitro PDF Software

    QuickTime

    RICOH Media Driver ver.2.07.01.00

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

    Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition

    Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition

    Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition

    Security Update for Microsoft Office 2010 (KB2553091)

    Security Update for Microsoft Office 2010 (KB2553096)

    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

    Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

    Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition

    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

    Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition

    Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition

    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

    Security Update for Microsoft Visio 2010 (KB2687508) 32-Bit Edition

    Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition

    Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition

    Spotify

    Tesco Download Manager

    Tesco Download Manager - Install/Uninstall (v1.0.9.0)_

    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

    Update for Microsoft Office 2010 (KB2553065)

    Update for Microsoft Office 2010 (KB2553092)

    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

    Update for Microsoft Office 2010 (KB2566458)

    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

    Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition

    Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

    Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition

    Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

    Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition

    VC80CRTRedist - 8.0.50727.6195

    Visual Studio 2008 x64 Redistributables

    Windows Live Communications Platform

    Windows Live Essentials

    Windows Live Installer

    Windows Live Messenger

    Windows Live Movie Maker

    Windows Live Photo Common

    Windows Live Photo Gallery

    Windows Live PIMT Platform

    Windows Live SOXE

    Windows Live SOXE Definitions

    Windows Live UX Platform

    Windows Live UX Platform Language Pack

    Windows Phone Intro Video (ENU)

  9. Hi all,

    I'm new here - Happy New Year! I was wondering if anyone would be kind enough to offer me some help. Recently I encountered that terrible PCEU LockScreen virus (like the FBI LockScreen virus except for the UK). I ran Malwarebytes Anti-Malware a few times as well as Emsisoft Emergency Kit in line with some instructions I found online. This seemed to remove the virus and my AVG virus scanner then found no problems at all. However, when I reactivated the internet and started browsing, after a few minutes of trouble free browsing the LockScreen was back!

    I have now disabled internet access. Today I ran Malwarebytes Anti-Malware again and it detected 1 problem under "Registry Values". The following entry showed up:

    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Rob\Locals~1\Temp\mskqtkejf.pif

    At this point I decided not to delete it and searched help on Google. I came across an entry on this forum for a similar problem and, although I'm really not a technical guy, I have been following your very helpful instructions.

    As per the other thread, I downloaded Combofix onto my desktop, disabled my firewall and anti-virus software, closed all other programs and ran Combofix. It ran successfully and then rebooted my computer. Combofix then posted a log - I have attached this for your information.

    The only thing that is worrying me slightly is that, whilst everything appears normal superficially, if I double click on any programme files or Word, PDF, or similar, a window opens with the message "Illegal operation attempted on a registry key that has been marked for deletion".

    I thought this was a good time to pause everything and seek further help from someone much wiser than me! As I am concerned about this "marked for deletion" message, I am going to leave my laptop switched on and prevent it from re-booting just in case it destroys my PC!!!

    Any help and advice you could offer would be massively appreciated! Hope to hear from someone soon. Many thanks.

    ComboFix.txt
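The Malwarebytes finding quoted in the post above is a classic persistence location: the per-user `Windows NT\CurrentVersion\Windows\Load` value, pointing at a `.pif` file with a random-looking name in a Temp folder. The script below is an added triage example, not code from this thread, from Malwarebytes or from ComboFix. It assumes the `hive\key|value (name) -> Data: path` line shape seen in the post and applies a few defender-side heuristics (legacy autostart value, Temp-directory target, shortcut/script extension, random-looking file name) to decide whether an autostart entry deserves a closer look. The second sample line is constructed as a benign comparison.

```python
import ntpath
import re

# Constructed sample input. The first line is the Malwarebytes "Registry Values"
# finding quoted in the post above; the second is a constructed benign entry,
# modelled on a Run value from the ComboFix log earlier in this thread.
SAMPLE_FINDINGS = [
    r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\Rob\Locals~1\Temp\mskqtkejf.pif",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SynTPEnh (Sample.Benign) -> Data: c:\program files\Synaptics\SynTP\SynTPEnh.exe",
]

# Assumed shape of one report line: "hive\key|value (detection name) -> Data: payload".
FINDING_RE = re.compile(
    r"^(?P<fullkey>[^|]+)\|(?P<value>\S+) \((?P<name>[^)]+)\) -> Data: (?P<data>.+)$"
)

# Legacy per-user autostart values (Windows NT\CurrentVersion\Windows, "Load"/"Run")
# that modern legitimate software almost never sets.
LEGACY_AUTORUN_KEY = r"software\microsoft\windows nt\currentversion\windows"
LEGACY_AUTORUN_VALUES = {"load", "run"}

# Shortcut/script extensions that are rarely a legitimate autostart target.
SUSPICIOUS_EXTENSIONS = {".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Per-user or system Temp directories, including the 8.3 short form "Locals~1".
TEMP_DIR_RE = re.compile(r"\\(?:locals~1|local)\\temp\\|\\windows\\temp\\", re.IGNORECASE)

VOWELS = set("aeiou")


def parse_finding(line: str) -> dict:
    """Split one report line into hive, key path, value name, detection name and data."""
    m = FINDING_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised finding line: {line!r}")
    parts = m.groupdict()
    hive, _, key = parts.pop("fullkey").partition("\\")
    parts["hive"], parts["key"] = hive, key
    return parts


def looks_random(stem: str) -> bool:
    """Weak heuristic: a long, all-lowercase, nearly vowel-free name such as 'mskqtkejf'."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return vowel_ratio < 0.25


def assess_finding(finding: dict) -> list[str]:
    """Return the reasons this autostart entry deserves attention (empty list = nothing odd)."""
    reasons = []
    if (finding["key"].lower() == LEGACY_AUTORUN_KEY
            and finding["value"].lower() in LEGACY_AUTORUN_VALUES):
        reasons.append("legacy Windows NT\\CurrentVersion\\Windows autostart value is set")
    target = finding["data"].strip('"')
    if TEMP_DIR_RE.search(target):
        reasons.append("autostart target lives in a Temp directory")
    stem, ext = ntpath.splitext(ntpath.basename(target))
    if ext.lower() in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"unusual autostart file type {ext.lower()}")
    if looks_random(stem):
        reasons.append("file name looks randomly generated")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each report line's 'hive\\key|value' to its list of reasons."""
    results = {}
    for line in lines:
        f = parse_finding(line)
        results[f"{f['hive']}\\{f['key']}|{f['value']}"] = assess_finding(f)
    return results


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_FINDINGS).items():
        verdict = "REVIEW" if reasons else "ok"
        print(f"{verdict:6} {entry}")
        for r in reasons:
            print(f"       - {r}")
```

Run stand-alone, the script marks the quoted `Load` entry for review on all four heuristics and passes the constructed Synaptics `Run` entry. The heuristics are deliberately simple and only rank entries for a human to look at; the file name check in particular is weak and should never be the sole reason to act on an entry.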
