Nasty rootkit tries forced log ins



I wanted to send another email with the most recent combofix scan.  It looks like it quarantined some stuff.


These were quarantined:


2013-09-02 05:34:45 . 2013-09-02 05:34:45              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-74559397.sys.reg.dat
2013-09-02 05:34:45 . 2013-09-02 05:34:45              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-40289020.sys.reg.dat
2013-09-02 05:25:20 . 2013-09-02 05:25:20          237,114 ----a-w-  C:\Qoobox\Quarantine\C\ProgramData\1378099481.bdinstall.bin.vir
2013-08-30 01:28:43 . 2013-08-30 01:28:43          594,478 ----a-w-  C:\Qoobox\Quarantine\C\ProgramData\1377825887.bdinstall.bin.vir
2013-08-29 01:58:25 . 2013-08-29 01:58:25              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2013-08-29 01:55:28 . 2013-08-29 01:55:28              880 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2013-08-29 01:55:24 . 2013-09-02 06:55:02            3,321 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-08-29 01:50:46 . 2013-09-02 06:50:16              153 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2013-08-25 01:06:12 . 2013-08-25 01:06:12                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\sppsvc.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\dwm.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\taskhost.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\IPROSetMonitor.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\mfsyncsv.exe.vir
2013-08-25 01:06:06 . 2013-08-25 01:06:06                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\spoolsv.exe.vir
2013-08-25 01:05:55 . 2013-08-25 01:05:55                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\lsm.exe.vir
2013-04-19 18:34:52 . 2013-04-19 18:34:53          113,224 ----a-w-  C:\Qoobox\Quarantine\C\Users\Administrator\g2ax_customer_downloadhelper_win32_x86.exe.vir
2013-03-01 01:49:40 . 2013-03-01 01:49:40           98,040 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\Packet.dll.vir
2013-03-01 01:49:08 . 2013-03-01 01:49:08          282,360 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\wpcap.dll.vir


This is the log from combofix.  It is showing some stuff.


ComboFix 13-09-01.02 - Administrator 09/02/2013   0:30.2.8 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.16350.14803 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1377825887.bdinstall.bin
c:\programdata\1378099481.bdinstall.bin
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-02 to 2013-09-02  )))))))))))))))))))))))))))))))
.
.
2013-09-02 05:25 . 2013-09-02 05:25 -------- d-----w- c:\program files\Bitdefender
2013-09-02 04:33 . 2013-09-02 05:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-02 04:33 . 2009-01-25 18:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-02 04:33 . 2013-09-02 04:34 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-01 19:12 . 2013-09-01 19:12 -------- d-----w- c:\users\Susan\AppData\Roaming\Bitdefender
2013-08-30 17:08 . 2013-08-30 17:08 -------- d-----w- c:\users\MattFluke\AppData\Roaming\Bitdefender
2013-08-30 13:58 . 2013-08-30 13:58 -------- d-----w- c:\users\Terry\AppData\Roaming\Bitdefender
2013-08-30 13:54 . 2013-08-30 13:54 -------- d-----w- c:\users\Ron\AppData\Roaming\Bitdefender
2013-08-30 13:30 . 2013-08-30 13:30 -------- d-----w- c:\users\Accounting\AppData\Roaming\Bitdefender
2013-08-30 13:24 . 2013-08-30 13:24 -------- d-----w- c:\users\Nick\AppData\Roaming\Bitdefender
2013-08-30 13:13 . 2013-08-30 13:13 -------- d-----w- c:\users\Beverly\AppData\Roaming\Bitdefender
2013-08-30 13:12 . 2013-08-30 13:12 -------- d-----w- c:\users\HR\AppData\Roaming\Bitdefender
2013-08-30 13:08 . 2013-08-30 13:08 -------- d-----w- c:\users\MoMoney\AppData\Roaming\Bitdefender
2013-08-30 13:02 . 2013-08-30 13:02 -------- d-----w- c:\users\Denisa\AppData\Roaming\Bitdefender
2013-08-30 12:37 . 2013-08-30 12:37 -------- d-----w- c:\users\Joe\AppData\Roaming\Bitdefender
2013-08-30 12:31 . 2013-08-30 12:31 -------- d-----w- c:\users\Barbara\AppData\Roaming\Bitdefender
2013-08-30 12:20 . 2013-08-30 12:20 -------- d-----w- c:\users\counter\AppData\Roaming\Bitdefender
2013-08-30 12:11 . 2013-08-30 12:11 -------- d-----w- c:\users\Counter2\AppData\Roaming\Bitdefender
2013-08-30 12:05 . 2013-08-30 12:05 -------- d-----w- c:\users\Matt\AppData\Roaming\Bitdefender
2013-08-30 12:04 . 2013-08-30 12:04 -------- d-----w- c:\users\Tim\AppData\Roaming\Bitdefender
2013-08-30 12:04 . 2013-08-30 12:04 -------- d-----w- c:\users\Charles\AppData\Roaming\Bitdefender
2013-08-30 12:01 . 2013-08-30 12:01 -------- d-----w- c:\users\Carrie\AppData\Roaming\Bitdefender
2013-08-30 01:28 . 2013-08-30 01:28 -------- d-----w- c:\programdata\BDLogging
2013-08-30 01:28 . 2007-04-11 16:11 511328 ----a-w- c:\windows\capicom.dll
2013-08-30 01:25 . 2013-08-30 01:25 -------- d-----w- c:\users\Administrator\AppData\Roaming\QuickScan
2013-08-30 01:24 . 2013-09-02 05:25 -------- d-----w- c:\program files\Common Files\Bitdefender
2013-08-30 01:23 . 2013-08-30 01:23 -------- d-----w- c:\program files (x86)\Common Files\SWF Studio
2013-08-29 18:55 . 2013-08-29 18:55 -------- d-----w- c:\users\BrianCrampton\AppData\Local\VirtualStore
2013-08-29 15:26 . 2013-08-29 15:26 -------- d-----w- c:\users\JR\AppData\Local\VirtualStore
2013-08-28 12:41 . 2013-08-28 12:41 -------- d-----w- c:\users\Charles\AppData\Local\VirtualStore
2013-08-28 02:00 . 2013-08-28 02:00 -------- d-----w- C:\FRST
2013-08-28 00:07 . 2013-08-28 00:09 -------- d-----w- c:\programdata\HitmanPro
2013-08-28 00:00 . 2013-08-28 00:00 -------- d-----w- c:\users\Administrator\AppData\Roaming\Registry Mechanic
2013-08-27 23:59 . 2013-08-28 00:45 -------- d-----w- c:\programdata\RdpGuard
2013-08-27 23:59 . 2013-08-27 23:59 -------- d-----w- c:\program files (x86)\RdpGuard
2013-08-27 03:00 . 2013-08-27 03:00 -------- d-----w- c:\programdata\TrojanHunter
2013-08-27 03:00 . 2013-08-30 00:35 -------- d-----w- c:\program files (x86)\TrojanHunter 5.5
2013-08-27 02:58 . 2013-08-27 04:01 -------- d-----w- c:\users\Administrator\AppData\Roaming\TrojanHunter
2013-08-27 02:45 . 2013-08-29 23:47 -------- d-----w- c:\program files (x86)\TrojanHunter 4.5
2013-08-27 00:40 . 2013-08-27 00:40 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2013-08-27 00:23 . 2012-08-21 19:44 513696 ----a-w- c:\windows\SysWow64\msxml.dll
2013-08-27 00:23 . 2012-08-21 19:44 41632 ----a-w- c:\windows\system32\CleanMFT64.exe
2013-08-27 00:23 . 2008-04-02 20:54 1101824 ----a-w- c:\windows\SysWow64\UniBox210.ocx
2013-08-27 00:23 . 2008-04-02 20:53 212992 ----a-w- c:\windows\SysWow64\UniBoxVB12.ocx
2013-08-27 00:23 . 2008-04-02 20:53 880640 ----a-w- c:\windows\SysWow64\UniBox10.ocx
2013-08-27 00:22 . 2013-08-27 00:23 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2013-08-27 00:22 . 2013-08-27 00:22 -------- d-----w- c:\program files (x86)\PC Tools
2013-08-27 00:22 . 2013-08-27 00:22 -------- d-----w- c:\programdata\PC Tools
2013-08-27 00:22 . 2013-08-27 00:22 -------- d-----w- c:\users\Administrator\AppData\Roaming\Product_RM
2013-08-27 00:12 . 2013-08-27 00:12 -------- d-----w- c:\programdata\Simply Super Software
2013-08-26 23:02 . 2013-08-27 16:41 -------- d-----w- c:\programdata\SecTaskMan
2013-08-26 23:02 . 2013-08-26 23:02 -------- d-----w- c:\program files (x86)\Security Task Manager
2013-08-26 22:34 . 2013-08-27 00:39 -------- d-----w- c:\users\Administrator\SecurityScans
2013-08-26 22:33 . 2013-08-26 22:33 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2013-08-25 21:34 . 2013-08-25 21:34 -------- d-s---w- c:\windows\SysWow64\Microsoft
2013-08-25 01:05 . 2013-08-25 01:05 0 ----a-w- c:\windows\SysWow64\winlogon.exe
2013-08-25 01:05 . 2013-08-25 01:05 0 ----a-w- c:\windows\SysWow64\smss.exe
2013-08-25 01:05 . 2013-08-25 01:05 0 ----a-w- c:\windows\SysWow64\services.exe
2013-08-25 01:05 . 2013-08-25 01:05 0 ----a-w- c:\windows\SysWow64\lsass.exe
2013-08-23 22:19 . 2013-08-06 08:58 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0AAE9DDA-FDE3-493A-982D-CD99DA701630}\mpengine.dll
2013-08-14 00:14 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-08-09 01:48 . 2013-08-09 01:48 -------- d-----w- c:\program files (x86)\NirSoft
2013-08-07 20:20 . 2013-08-07 20:20 -------- d-----w- c:\users\Logistics
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-28 00:50 . 2010-11-21 03:24 1334272 ----a-w- c:\windows\SysWow64\CertEnroll.dll
2013-08-28 00:50 . 2010-11-21 03:24 230912 ----a-w- c:\windows\SysWow64\clusapi.dll
2013-08-28 00:50 . 2009-07-13 23:11 680448 ----a-w- c:\windows\SysWow64\adtschema.dll
2013-08-21 00:06 . 2013-03-28 17:53 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-21 00:06 . 2013-03-28 17:53 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-14 00:15 . 2013-03-27 23:09 78161360 ----a-w- c:\windows\system32\MRT.exe
2013-07-09 04:45 . 2013-08-14 00:14 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-06-05 03:34 . 2013-07-14 16:10 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-06-04 06:00 . 2013-07-14 16:10 624128 ----a-w- c:\windows\system32\qedit.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys;c:\windows\SYSNATIVE\DRIVERS\ivusb.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 ThinRDPHlp;Thinstuff XP/VS Helper Service;c:\program files\Thinstuff\XPVS Server\thinrdphlp.exe;c:\program files\Thinstuff\XPVS Server\thinrdphlp.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsxusbd;tsxusbd;c:\windows\system32\Drivers\tsxusbd.sys;c:\windows\SYSNATIVE\Drivers\tsxusbd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MASIntegrationEngine8888;Sage MAS 90 and 200 Integration Engine (8888);c:\program files (x86)\Common Files\Sage\Common Components\IntegrationEngine.exe;c:\program files (x86)\Common Files\Sage\Common Components\IntegrationEngine.exe [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 mrfoldr;MirrorFolder real-time replication driver;c:\windows\System32\drivers\mrfoldr.sys;c:\windows\SYSNATIVE\drivers\mrfoldr.sys [x]
S0 THINRDP;THINRDP;c:\windows\system32\Drivers\ThinRDP.sys;c:\windows\SYSNATIVE\Drivers\ThinRDP.sys [x]
S1 nm3;Microsoft Network Monitor 3 Driver;c:\windows\system32\DRIVERS\nm3.sys;c:\windows\SYSNATIVE\DRIVERS\nm3.sys [x]
S2 ENAgent;Epson Redirect Agent;c:\windows\SysWOW64\ENAgent.exe;c:\windows\SysWOW64\ENAgent.exe [x]
S2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 mfsyncsv;MirrorFolder Auto-synchronization Service;c:\windows\system32\mfsyncsv.exe;c:\windows\SYSNATIVE\mfsyncsv.exe [x]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [x]
S2 RdpGuardService;RdpGuard Service;c:\program files (x86)\RdpGuard\rdpguard-svc.exe;c:\program files (x86)\RdpGuard\rdpguard-svc.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 ThinRDPSrv;Thinstuff XP/VS Server for Windows;c:\program files\Thinstuff\XPVS Server\thinrdpsrv.exe;c:\program files\Thinstuff\XPVS Server\thinrdpsrv.exe [x]
S2 tsxpnptls;tsxpnptls;c:\windows\system32\Drivers\tsxpnptls.sys;c:\windows\SYSNATIVE\Drivers\tsxpnptls.sys [x]
S2 tsxrappls;Thinstuff TSX RemoteApp License Service;c:\program files\Thinstuff\TSX Remote Desktop Connection\tsxrappls.exe;c:\program files\Thinstuff\TSX Remote Desktop Connection\tsxrappls.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 tsxusbdbus;Thinstuff TSX-USB Virtual Host Controller;c:\windows\system32\DRIVERS\tsxusbdbus.sys;c:\windows\SYSNATIVE\DRIVERS\tsxusbdbus.sys [x]
S3 TSXUsbSrv;Thinstuff TSX-USB Redirector Service;c:\program files\Thinstuff\XPVS Server\tsxusbredirectorsrv.exe;c:\program files\Thinstuff\XPVS Server\tsxusbredirectorsrv.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-28 00:06]
.
2013-09-02 c:\windows\Tasks\RMAutoUpdate.job
- c:\program files (x86)\PC Tools\PC Tools Registry Mechanic\SULauncher.exe [2013-08-27 19:44]
.
2013-09-02 c:\windows\Tasks\RMSchedule.job
- c:\program files (x86)\PC Tools\PC Tools Registry Mechanic\RegMech.exe [2013-08-27 19:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-12-13 13263072]
"MirrorFolderShell"="e:\mirrorfolder\mrfshl.exe" [2013-04-03 313896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - e:\msoffice\MICROS~1\Office12\EXCEL.EXE/3000
TCP: Interfaces\{4F630825-01B3-46D1-B9F1-B90E3E71CF62}: NameServer = 192.168.0.1,66.76.175.100
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-40289020.sys
SafeBoot-74559397.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,3b,1b,44,31,4e,
   96,1f,fa,d4,0c,b3,3b,90,20,01,ce,c9,19
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,1f,cf,
   00,9f,bf,e8,06,ba,80,bb,08,8d,69,f9,dc
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,3b,1b,ab,80,04,
   6e,c2,81,47,02,a9,fd,95,85,f0,9e,69,5c
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,3b,1b,54,17,d8,
   c3,77,f3,30,07,a3,62,dd,7a,c0,82,cc,b6
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:f6,0f,45,02,de,2b,ce,01
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,57,f9,89,bb,d0,9e,41,9e,75,35,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,57,f9,89,bb,d0,9e,41,9e,75,35,\
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rdp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Thinstuff.TsTsc.1"
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-92154493-3214132223-1083104434-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-02  00:35:21
ComboFix-quarantined-files.txt  2013-09-02 05:35
ComboFix2.txt  2013-08-29 01:58
.
Pre-Run: 53,792,296,960 bytes free
Post-Run: 53,202,018,304 bytes free
.
- - End Of File - - D5F235DBE000E1B483EF467899732695
A36C5E4F47E84449FF07ED3517B43A31

You ran CF with these enabled:

SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


--------------------------------------------

Log looks OK
Where do we stand???
What happened in the other forum??

MrC


These are all the files that were quarantined by CF:

C:\Qoobox\Quarantine\C\ProgramData\1378099481.bdinstall.bin

C:\Qoobox\Quarantine\C\ProgramData\1377825887.bdinstall.bin

C:\Qoobox\Quarantine\C\Windows\SysWOW64\sppsvc.exe

C:\Qoobox\Quarantine\C\Windows\SysWOW64\dwm.exe

C:\Qoobox\Quarantine\C\Windows\SysWOW64\taskhost.exe

C:\Qoobox\Quarantine\C\Windows\SysWOW64\IPROSetMonitor.exe

C:\Qoobox\Quarantine\C\Windows\SysWOW64\mfsyncsv.exe

C:\Qoobox\Quarantine\C\Windows\SysWOW64\spoolsv.exe

C:\Qoobox\Quarantine\C\Windows\SysWOW64\lsm.exe

C:\Qoobox\Quarantine\C\Users\Administrator\g2ax_customer_downloadhelper_win32_x86.exe

C:\Qoobox\Quarantine\C\Windows\SysWOW64\Packet.dll

C:\Qoobox\Quarantine\C\Windows\SysWOW64\wpcap.dll

Evidently they're either infected, in the wrong place or don't belong on the system.

That's all I can tell you about them.

MrC


In the quarantine, they all end with .vir

However, that ending did not show up in my post.


2013-09-02 05:34:45 . 2013-09-02 05:34:45              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-74559397.sys.reg.dat
2013-09-02 05:34:45 . 2013-09-02 05:34:45              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-40289020.sys.reg.dat
2013-09-02 05:25:20 . 2013-09-02 05:25:20          237,114 ----a-w-  C:\Qoobox\Quarantine\C\ProgramData\1378099481.bdinstall.bin.vir
2013-08-30 01:28:43 . 2013-08-30 01:28:43          594,478 ----a-w-  C:\Qoobox\Quarantine\C\ProgramData\1377825887.bdinstall.bin.vir
2013-08-29 01:58:25 . 2013-08-29 01:58:25              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2013-08-29 01:55:28 . 2013-08-29 01:55:28              880 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2013-08-29 01:55:24 . 2013-09-02 22:54:36            3,321 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-08-29 01:50:46 . 2013-09-02 22:50:07              204 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2013-08-25 01:06:12 . 2013-08-25 01:06:12                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\sppsvc.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\dwm.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\taskhost.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\IPROSetMonitor.exe.vir
2013-08-25 01:06:07 . 2013-08-25 01:06:07                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\mfsyncsv.exe.vir
2013-08-25 01:06:06 . 2013-08-25 01:06:06                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\spoolsv.exe.vir
2013-08-25 01:05:55 . 2013-08-25 01:05:55                0 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\lsm.exe.vir
2013-04-19 18:34:52 . 2013-04-19 18:34:53          113,224 ----a-w-  C:\Qoobox\Quarantine\C\Users\Administrator\g2ax_customer_downloadhelper_win32_x86.exe.vir
2013-03-01 01:49:40 . 2013-03-01 01:49:40           98,040 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\Packet.dll.vir
2013-03-01 01:49:08 . 2013-03-01 01:49:08          282,360 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\wpcap.dll.vir

2 weeks later...

Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
