A question about the Combofix report.

Discussion in 'Computer Security' started by paulcheung, Aug 28, 2012.

  1. paulcheung

    paulcheung New Member

    Hi all,

    Can someone tell me about one section of the Combofix report, the one headed "locked registry keys"? Did Combofix lock those keys, or did Combofix find that these keys are locked by another program, or maybe by a virus?

    Thank you.
     
  2. johnb35

    johnb35 Administrator Staff Member

    Most of the locked keys are nothing to worry about as they are usually from Flash Player. I would have to look at the log to determine if anything needs to be done. Some locked keys come from malware.
     
  3. paulcheung

    paulcheung New Member

    Thank you John,
    Here is the latest one.

    ComboFix 12-08-25.04 - Kencheung 08/28/2012 16:04:55.3.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3966.2852 [GMT -5:00]
    Running from: c:\users\Fayannie\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-28 21:10 . 2012-08-28 21:10 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-26 21:00 . 2012-08-26 23:37 -------- d-----w- c:\program files\Google
    2012-08-24 14:56 . 2012-08-24 14:56 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-08-24 14:55 . 2012-08-24 14:54 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-08-24 14:55 . 2012-08-24 14:54 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-08-24 14:55 . 2012-08-24 14:54 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-08-24 14:54 . 2012-08-24 14:54 -------- d-----w- c:\program files (x86)\Java
    2012-08-23 20:37 . 2012-08-23 20:37 -------- d-----w- c:\program files (x86)\VideoLAN
    2012-08-23 20:29 . 1998-07-31 22:00 65024 ----a-w- c:\windows\Icg32.dll
    2012-08-23 20:28 . 1997-08-26 17:06 315904 ----a-w- c:\windows\IsUninst.exe
    2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\pciii
    2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\payroll
    2012-08-23 20:24 . 2012-08-27 15:07 -------- d-----w- c:\windows\AutoKMS
    2012-08-23 20:22 . 2012-08-23 20:22 -------- d-----w- c:\program files (x86)\ImgBurn
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\windows\PCHEALTH
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
    2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
    2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files\Microsoft Office
    2012-08-23 20:02 . 2012-08-23 20:02 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
    2012-08-23 20:01 . 2012-08-23 20:15 -------- d-----w- c:\programdata\Microsoft Help
    2012-08-23 20:00 . 2012-08-23 20:00 -------- d-----r- C:\MSOCache
    2012-08-23 19:39 . 2012-08-23 19:45 -------- d-----w- c:\programdata\Nero
    2012-08-23 19:38 . 2012-08-23 19:39 -------- d-----w- c:\program files (x86)\Common Files\Nero
    2012-08-23 19:38 . 2012-08-23 19:45 -------- d-----w- c:\program files (x86)\Nero
    2012-08-23 19:37 . 2012-08-23 16:46 -------- d-----w- c:\windows\Panther
    2012-08-23 19:32 . 2012-08-23 19:58 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2012-08-23 19:32 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\SysWow64\D3DCompiler_42.dll
    2012-08-23 19:32 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\SysWow64\D3DX9_42.dll
    2012-08-23 19:31 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
    2012-08-23 19:31 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\SysWow64\d3dx9_35.dll
    2012-08-23 19:30 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\SysWow64\d3dx9_34.dll
    2012-08-23 19:28 . 2012-08-23 19:28 -------- d-----w- c:\program files\Common Files\Intuit
    2012-08-23 19:24 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
    2012-08-23 19:23 . 2012-08-23 20:29 -------- d-----w- c:\program files (x86)\Intuit
    2012-08-23 19:23 . 2012-08-23 19:34 -------- d-----w- c:\programdata\Intuit
    2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\program files (x86)\Common Files\Intuit
    2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\programdata\Nuance
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\SQL Anywhere 11
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\COMMON FILES
    2012-08-23 19:22 . 2012-08-26 17:29 -------- d-----w- c:\windows\SysWow64\Macromed
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
    2012-08-23 19:21 . 2012-08-23 20:29 -------- d-----w- c:\windows\Intuit
    2012-08-23 19:19 . 2012-08-23 19:19 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    2012-08-23 19:14 . 2012-08-23 19:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2012-08-23 19:08 . 2012-08-24 05:02 -------- d-----w- C:\lotus
    2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\SysWow64\drivers\mcdbus.sys
    2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
    2012-08-23 19:07 . 2012-08-23 19:08 -------- d-----w- c:\program files (x86)\MagicDisc
    2012-08-23 19:07 . 2012-08-23 19:07 -------- d-----w- c:\program files (x86)\MagicISO
    2012-08-23 17:28 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C391E945-9208-43E0-8939-93F65DEF8FC5}\mpengine.dll
    2012-08-23 17:25 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-08-23 17:25 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-08-23 17:25 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-23 17:25 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-08-23 17:25 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-08-23 17:25 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-08-23 17:25 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-08-23 17:23 . 2012-08-03 09:27 62134624 ----a-w- c:\windows\system32\MRT.exe
    2012-08-23 17:21 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2012-08-23 17:20 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
    2012-08-23 17:20 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-23 17:20 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-08-23 17:20 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-08-23 17:14 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
    2012-08-23 17:14 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
    2012-08-23 17:09 . 2012-08-27 15:09 -------- d-----w- c:\users\Kencheung
    2012-08-23 16:57 . 2012-08-23 16:57 -------- d-----w- c:\programdata\ATI
    2012-08-23 16:56 . 2012-08-23 16:56 0 ----a-w- c:\windows\ativpsrm.bin
    2012-08-23 16:53 . 2012-08-23 16:55 -------- d-----w- c:\program files\ATI Technologies
    2012-08-23 16:53 . 2012-08-23 16:53 -------- d-----w- c:\program files\ATI
    2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
    2012-08-23 16:51 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-08-23 16:51 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-08-23 16:51 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\windows\tiinst
    2012-08-23 16:50 . 2012-08-28 14:25 -------- d-sh--w- c:\windows\Installer
    2012-08-23 16:47 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-08-23 16:47 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-08-23 16:47 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-08-23 16:47 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-08-23 16:47 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-08-23 16:47 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-08-23 16:47 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-08-23 16:47 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-08-23 16:47 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-08-23 16:46 . 2012-08-27 15:07 -------- d-----w- c:\users\Fayannie
    2012-08-23 16:46 . 2012-08-23 16:46 -------- d-----w- C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-27_19.11.54 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-08-28 21:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-08-27 19:09 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-28 21:14 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-28 21:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-11-21 03:09 . 2012-08-28 15:48 22650 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-28 15:48 36512 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-08-23 18:43 . 2012-08-28 20:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-08-23 18:43 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-08-23 18:43 . 2012-08-27 15:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2012-08-23 18:43 . 2012-08-28 20:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-28 20:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-08-23 19:06 . 2012-08-28 15:36 3794 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1003_UserData.bin
    + 2012-08-23 16:58 . 2012-08-28 15:48 5540 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1000_UserData.bin
    - 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-28 21:11 . 2012-08-28 21:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-28 21:11 . 2012-08-28 21:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-28 14:25 . 2012-08-28 14:25 351904 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
    + 2012-08-28 14:25 . 2012-08-28 14:25 424096 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.dll
    + 2012-08-28 14:25 . 2012-08-28 14:25 257696 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2012-08-28 14:25 . 2012-08-28 14:25 419488 c:\windows\SysWOW64\FlashPlayerApp.exe
    - 2009-07-14 02:36 . 2012-08-27 18:21 659818 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-08-28 15:51 659818 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-08-27 18:21 120714 c:\windows\system32\perfc009.dat
    + 2009-07-14 02:36 . 2012-08-28 15:51 120714 c:\windows\system32\perfc009.dat
    + 2009-07-14 04:46 . 2012-08-28 15:46 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2009-07-14 04:46 . 2012-08-23 22:02 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-07-14 05:01 . 2012-08-28 21:10 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2012-08-27 19:07 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2012-08-23 19:33 . 2012-08-26 22:42 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
    + 2012-08-23 19:33 . 2012-08-28 15:33 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
    - 2009-07-14 04:45 . 2012-08-23 20:20 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 04:45 . 2012-08-28 15:34 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2012-08-25 00:35 . 2012-08-28 21:10 1632268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1000-8192.dat
    + 2011-04-16 13:44 . 2011-04-16 13:44 2770944 c:\windows\Installer\2e96b0.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    .
    c:\users\Kencheung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-8-23 576000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 257696]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 31124344]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-02-18 462632]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 14:25]
    .
    2012-08-28 c:\windows\Tasks\AutoKMS.job
    - c:\windows\AutoKMS\AutoKMS.exe [2012-08-23 20:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 65.183.0.76 65.183.0.86
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-28 16:17:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-28 21:17
    ComboFix2.txt 2012-08-28 15:39
    ComboFix3.txt 2012-08-27 19:15
    .
    Pre-Run: 25,379,110,912 bytes free
    Post-Run: 25,292,861,440 bytes free
    .
    - - End Of File - - DBDB0854C14F3A0AB405EC921DFEA13D
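An added triage helper for the section paulcheung is asking about (editor's example, not ComboFix's own code): it parses the LOCKED REGISTRY KEYS block exactly as ComboFix prints it in the log above and labels each locked key "expected" when it matches an assumed list of benign owners (Flash Player, as johnb35 says, plus the other products that own locked keys in this log) or "review" otherwise. The sample log is a constructed excerpt; the all-zero CLSID entry is a placeholder for an unrecognised key, not an indicator from this thread.

```python
"""Triage the LOCKED REGISTRY KEYS section of a ComboFix log (added example, not
ComboFix code): label each locked key "expected" if a known owner matches, else "review"."""
import re
from dataclasses import dataclass, field

@dataclass
class LockedKey:
    path: str
    acl: list = field(default_factory=list)        # @Denied / @Allowed lines
    default: str = ""                              # the @="..." value
    values: dict = field(default_factory=dict)     # "name"=value lines
    children: list = field(default_factory=list)   # subkeys listed under it

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ACL_RE = re.compile(r"^@(Denied|Allowed):\s*(.+)$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Editor's assumption, not a ComboFix list: Flash Player (the case johnb35
# describes) plus the other products that own locked keys in the posted log.
BENIGN_OWNERS = [
    (r"Macromed|FlashBroker|Shockwave ?Flash|Flash ?Factory", "Adobe Flash Player"),
    (r"VideoLAN\.VLCPlugin", "VLC ActiveX plugin"),
    (r"Office\\Common\\Smart Tag|Schema Library\\ActionsPane3", "Microsoft Office"),
    (r"\{4D36E96D-E325-11CE-BFC1-08002BE10318\}", "Modem device class"),
    (r"Control\\PCW\\Security", "Windows performance counters"),
]

def parse_locked_keys(log: str) -> list:
    """Top-level locked keys; entries listed under a key's path become its children."""
    tops, current, in_section = [], None, False
    for raw in log.splitlines():
        line = raw.strip()
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("----"):        # the next section header ends the listing
            break
        if m := KEY_RE.match(line):
            current = LockedKey(path=m.group(1))
            # ComboFix prints the ACL once, on the key that carries it; subkeys follow.
            if tops and current.path.lower().startswith(tops[-1].path.lower() + "\\"):
                tops[-1].children.append(current)
            else:
                tops.append(current)
        elif current is None or line in ("", "."):
            continue
        elif m := ACL_RE.match(line):
            current.acl.append(f"{m.group(1)}: {m.group(2)}")
        elif m := DEFAULT_RE.match(line):
            current.default = m.group(1)
        elif m := VALUE_RE.match(line):
            current.values[m.group(1)] = m.group(2)
    return tops

def evidence(key: LockedKey) -> str:
    """Everything ComboFix printed for a key and its subkeys, joined for matching."""
    parts = [key.path, key.default, *key.values.values()]
    parts.extend(evidence(child) for child in key.children)
    return " ".join(parts)

def triage(tops: list) -> list:
    """(path, verdict, reason) for each top-level locked key."""
    results = []
    for key in tops:
        text = evidence(key)
        for pattern, owner in BENIGN_OWNERS:
            if re.search(pattern, text, re.IGNORECASE):
                results.append((key.path, "expected", owner))
                break
        else:
            results.append((key.path, "review", "no known owner: check the server path and its signer"))
    return results

# Constructed excerpt in the posted log's layout: the first entries are copied from
# the log above; the all-zero CLSID is a placeholder for an unrecognised key.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
@Denied: (A 2) (Everyone)
@="Placeholder object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="c:\\users\\PLACEHOLDER\\AppData\\Local\\Temp\\placeholder.dll"
------------------------ Other Running Processes ------------------------
"""
```

Run `triage(parse_locked_keys(open("ComboFix.txt").read()))` on a full log to get one verdict per locked key; anything labelled "review" is the entry to look at, the rest is the Flash and Office noise johnb35 mentions.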
     
  4. paulcheung

    paulcheung New Member

    This is the one from yesterday.

    ComboFix 12-08-25.04 - Kencheung 08/27/2012 14:01:49.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3966.2852 [GMT -5:00]
    Running from: c:\users\Fayannie\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\winhelp.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-26 21:00 . 2012-08-26 23:37 -------- d-----w- c:\program files\Google
    2012-08-26 20:58 . 2012-08-27 15:09 -------- d-----w- c:\program files (x86)\Google
    2012-08-24 14:56 . 2012-08-24 14:56 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-08-24 14:55 . 2012-08-24 14:54 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-08-24 14:55 . 2012-08-24 14:54 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-08-24 14:55 . 2012-08-24 14:54 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-08-24 14:54 . 2012-08-24 14:54 -------- d-----w- c:\program files (x86)\Java
    2012-08-23 20:37 . 2012-08-23 20:37 -------- d-----w- c:\program files (x86)\VideoLAN
    2012-08-23 20:29 . 1998-07-31 22:00 65024 ----a-w- c:\windows\Icg32.dll
    2012-08-23 20:28 . 1997-08-26 17:06 315904 ----a-w- c:\windows\IsUninst.exe
    2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\pciii
    2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\payroll
    2012-08-23 20:24 . 2012-08-27 15:07 -------- d-----w- c:\windows\AutoKMS
    2012-08-23 20:22 . 2012-08-23 20:22 -------- d-----w- c:\program files (x86)\ImgBurn
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\windows\PCHEALTH
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
    2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
    2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files\Microsoft Office
    2012-08-23 20:02 . 2012-08-23 20:02 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
    2012-08-23 20:01 . 2012-08-23 20:15 -------- d-----w- c:\programdata\Microsoft Help
    2012-08-23 20:00 . 2012-08-23 20:00 -------- d-----r- C:\MSOCache
    2012-08-23 19:39 . 2012-08-23 19:45 -------- d-----w- c:\programdata\Nero
    2012-08-23 19:38 . 2012-08-23 19:39 -------- d-----w- c:\program files (x86)\Common Files\Nero
    2012-08-23 19:38 . 2012-08-23 19:45 -------- d-----w- c:\program files (x86)\Nero
    2012-08-23 19:37 . 2012-08-23 16:46 -------- d-----w- c:\windows\Panther
    2012-08-23 19:32 . 2012-08-23 19:58 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2012-08-23 19:32 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\SysWow64\D3DCompiler_42.dll
    2012-08-23 19:32 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\SysWow64\D3DX9_42.dll
    2012-08-23 19:31 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
    2012-08-23 19:31 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\SysWow64\d3dx9_35.dll
    2012-08-23 19:30 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\SysWow64\d3dx9_34.dll
    2012-08-23 19:28 . 2012-08-23 19:28 -------- d-----w- c:\program files\Common Files\Intuit
    2012-08-23 19:24 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
    2012-08-23 19:23 . 2012-08-23 20:29 -------- d-----w- c:\program files (x86)\Intuit
    2012-08-23 19:23 . 2012-08-23 19:34 -------- d-----w- c:\programdata\Intuit
    2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\program files (x86)\Common Files\Intuit
    2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\programdata\Nuance
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\SQL Anywhere 11
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\COMMON FILES
    2012-08-23 19:22 . 2012-08-26 17:29 -------- d-----w- c:\windows\SysWow64\Macromed
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
    2012-08-23 19:21 . 2012-08-23 20:29 -------- d-----w- c:\windows\Intuit
    2012-08-23 19:19 . 2012-08-23 19:19 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    2012-08-23 19:14 . 2012-08-23 19:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2012-08-23 19:08 . 2012-08-24 05:02 -------- d-----w- C:\lotus
    2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\SysWow64\drivers\mcdbus.sys
    2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
    2012-08-23 19:07 . 2012-08-23 19:08 -------- d-----w- c:\program files (x86)\MagicDisc
    2012-08-23 19:07 . 2012-08-23 19:07 -------- d-----w- c:\program files (x86)\MagicISO
    2012-08-23 17:28 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C391E945-9208-43E0-8939-93F65DEF8FC5}\mpengine.dll
    2012-08-23 17:25 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-08-23 17:25 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-08-23 17:25 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-23 17:25 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-08-23 17:25 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-08-23 17:25 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-08-23 17:25 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-08-23 17:23 . 2012-08-03 09:27 62134624 ----a-w- c:\windows\system32\MRT.exe
    2012-08-23 17:21 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2012-08-23 17:20 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
    2012-08-23 17:20 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-23 17:20 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-08-23 17:20 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-08-23 17:14 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
    2012-08-23 17:14 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
    2012-08-23 17:09 . 2012-08-27 15:09 -------- d-----w- c:\users\Kencheung
    2012-08-23 16:57 . 2012-08-23 16:57 -------- d-----w- c:\programdata\ATI
    2012-08-23 16:56 . 2012-08-23 16:56 0 ----a-w- c:\windows\ativpsrm.bin
    2012-08-23 16:53 . 2012-08-23 16:55 -------- d-----w- c:\program files\ATI Technologies
    2012-08-23 16:53 . 2012-08-23 16:53 -------- d-----w- c:\program files\ATI
    2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
    2012-08-23 16:51 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-08-23 16:51 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-08-23 16:51 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\windows\tiinst
    2012-08-23 16:50 . 2012-08-27 15:09 -------- d-sh--w- c:\windows\Installer
    2012-08-23 16:47 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-08-23 16:47 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-08-23 16:47 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-08-23 16:47 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-08-23 16:47 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-08-23 16:47 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-08-23 16:47 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-08-23 16:47 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-08-23 16:47 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-08-23 16:46 . 2012-08-27 15:07 -------- d-----w- c:\users\Fayannie
    2012-08-23 16:46 . 2012-08-23 16:46 -------- d-----w- C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    .
    c:\users\Kencheung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-8-23 576000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 31124344]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-02-18 462632]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-27 c:\windows\Tasks\AutoKMS.job
    - c:\windows\AutoKMS\AutoKMS.exe [2012-08-23 20:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 65.183.0.76 65.183.0.86
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-27 14:15:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-27 19:15
    .
    Pre-Run: 24,591,638,528 bytes free
    Post-Run: 25,557,856,256 bytes free
    .
    - - End Of File - - 4B617EB7762F3A607ED847BE3BBFC46A
     
  5. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    Everything is fine except for 2 of them.

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box

    Code:
    Reglock::
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


    [IMG: screenshot of CFScript.txt being dragged onto ComboFix.exe]

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.
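
    An added example, not part of this thread and not ComboFix's own code, that shows what "locked" means in the report above: each key listed under LOCKED REGISTRY KEYS carries an explicit @Denied entry in its DACL (or a DACL ComboFix could not read at all). The script parses that section out of a log, maps each key onto the PowerShell registry provider, and asks Windows for the live Deny ACEs on it, so you can see who is denied what before unlocking anything with a Reglock:: script. The log excerpt is constructed from lines in the report above; the function names are mine, and it assumes an elevated PowerShell session on the machine the log came from.

```powershell
# Added example (not from the thread, not from ComboFix). Parse the LOCKED REGISTRY KEYS
# section of a ComboFix log and compare it with the live DACL of each key.
# Assumes an elevated PowerShell on the machine that produced the log.

# Constructed excerpt in the log's own format: three of the keys reported above.
$logExcerpt = @'
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
'@

function Get-ComboFixLockedKeys {
    # One object per key in the LOCKED REGISTRY KEYS section, carrying the
    # principals ComboFix reported as denied (rights code kept in brackets).
    param([Parameter(Mandatory)][string]$LogText)
    $inSection = $false
    $current = $null
    foreach ($line in $LogText -split "`r?`n") {
        if ($line -match '^-+ LOCKED REGISTRY KEYS -+$') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^-{5,} .+ -{5,}$') { break }      # next section header
        if ($line -match '^\[(HKEY_[^\]]+)\]$') {
            if ($current) { $current }                      # emit the previous key
            $current = [pscustomobject]@{ Key = $Matches[1]; Denied = @() }
        } elseif ($current -and $line -match '^@Denied: \(([^)]*)\) \(([^)]+)\)$') {
            $current.Denied += "$($Matches[2]) [$($Matches[1])]"
        }
    }
    if ($current) { $current }
}

function Get-LiveDenyAces {
    # Map the HKEY_LOCAL_MACHINE\... path from the log onto the registry provider
    # and list the Deny ACEs actually present on the key right now.
    param([Parameter(Mandatory)][string]$LogKeyPath)
    $psPath = $LogKeyPath -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    $psPath = $psPath     -replace '^HKEY_CURRENT_USER\\',  'HKCU:\'
    if (-not (Test-Path -LiteralPath $psPath)) {
        return [pscustomobject]@{ Key = $LogKeyPath; Result = 'key not found' }
    }
    try {
        $acl = Get-Acl -LiteralPath $psPath -ErrorAction Stop
    } catch {
        # A Deny that covers READ_CONTROL binds Administrators too (they are in Everyone),
        # so even an elevated shell cannot read this DACL without taking ownership first.
        return [pscustomobject]@{ Key = $LogKeyPath; Result = "DACL unreadable: $($_.Exception.Message)" }
    }
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    if ($deny.Count -eq 0) {
        return [pscustomobject]@{ Key = $LogKeyPath; Result = "no Deny ACEs (owner: $($acl.Owner))" }
    }
    foreach ($ace in $deny) {
        $inherited = if ($ace.IsInherited) { ' (inherited)' } else { '' }
        [pscustomobject]@{
            Key    = $LogKeyPath
            Result = "DENY $($ace.RegistryRights) to $($ace.IdentityReference.Value)$inherited"
        }
    }
}

$locked = Get-ComboFixLockedKeys -LogText $logExcerpt
$locked | Format-Table -AutoSize -Wrap                                               # what the log says
$locked | ForEach-Object { Get-LiveDenyAces -LogKeyPath $_.Key } | Format-Table -AutoSize -Wrap   # what the registry says
```

    Run it against the full Combofix.txt by replacing $logExcerpt with `Get-Content -Raw .\Combofix.txt`. A key whose Deny entries name only the Flash or Office paths shown in the log, and whose owner is an Adobe or Windows installer principal, is the installer protecting its own COM registrations; a Deny on a key nothing on the machine should be guarding is the case worth asking about before running a Reglock:: script, because unlocking removes that protection for whatever put it there.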
     
  6. paulcheung

    paulcheung New Member

    Messages:
    1,107
    ComboFix 12-08-25.04 - Kencheung 08/28/2012 17:14:16.4.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3966.2932 [GMT -5:00]
    Running from: c:\users\Kencheung\Desktop\ComboFix.exe
    Command switches used :: c:\users\Kencheung\Desktop\CFScript.txt
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-28 22:19 . 2012-08-28 22:19 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-28 14:25 . 2012-08-28 14:25 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-28 14:25 . 2012-08-28 14:25 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-26 21:00 . 2012-08-26 23:37 -------- d-----w- c:\program files\Google
    2012-08-24 14:56 . 2012-08-24 14:56 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-08-24 14:55 . 2012-08-24 14:54 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-08-24 14:55 . 2012-08-24 14:54 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2012-08-24 14:55 . 2012-08-24 14:54 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-08-24 14:54 . 2012-08-24 14:54 -------- d-----w- c:\program files (x86)\Java
    2012-08-23 20:37 . 2012-08-23 20:37 -------- d-----w- c:\program files (x86)\VideoLAN
    2012-08-23 20:29 . 1998-07-31 22:00 65024 ----a-w- c:\windows\Icg32.dll
    2012-08-23 20:28 . 1997-08-26 17:06 315904 ----a-w- c:\windows\IsUninst.exe
    2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\pciii
    2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\payroll
    2012-08-23 20:24 . 2012-08-27 15:07 -------- d-----w- c:\windows\AutoKMS
    2012-08-23 20:22 . 2012-08-23 20:22 -------- d-----w- c:\program files (x86)\ImgBurn
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\windows\PCHEALTH
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
    2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
    2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
    2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files\Microsoft Office
    2012-08-23 20:02 . 2012-08-23 20:02 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
    2012-08-23 20:01 . 2012-08-23 20:15 -------- d-----w- c:\programdata\Microsoft Help
    2012-08-23 20:00 . 2012-08-23 20:00 -------- d-----r- C:\MSOCache
    2012-08-23 19:39 . 2012-08-23 19:45 -------- d-----w- c:\programdata\Nero
    2012-08-23 19:38 . 2012-08-23 19:39 -------- d-----w- c:\program files (x86)\Common Files\Nero
    2012-08-23 19:38 . 2012-08-23 19:45 -------- d-----w- c:\program files (x86)\Nero
    2012-08-23 19:37 . 2012-08-23 16:46 -------- d-----w- c:\windows\Panther
    2012-08-23 19:32 . 2012-08-23 19:58 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2012-08-23 19:32 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\SysWow64\D3DCompiler_42.dll
    2012-08-23 19:32 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\SysWow64\D3DX9_42.dll
    2012-08-23 19:31 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
    2012-08-23 19:31 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\SysWow64\d3dx9_35.dll
    2012-08-23 19:30 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\SysWow64\d3dx9_34.dll
    2012-08-23 19:28 . 2012-08-23 19:28 -------- d-----w- c:\program files\Common Files\Intuit
    2012-08-23 19:24 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
    2012-08-23 19:23 . 2012-08-23 20:29 -------- d-----w- c:\program files (x86)\Intuit
    2012-08-23 19:23 . 2012-08-23 19:34 -------- d-----w- c:\programdata\Intuit
    2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\program files (x86)\Common Files\Intuit
    2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\programdata\Nuance
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\SQL Anywhere 11
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\COMMON FILES
    2012-08-23 19:22 . 2012-08-26 17:29 -------- d-----w- c:\windows\SysWow64\Macromed
    2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
    2012-08-23 19:21 . 2012-08-23 20:29 -------- d-----w- c:\windows\Intuit
    2012-08-23 19:19 . 2012-08-23 19:19 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    2012-08-23 19:14 . 2012-08-23 19:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2012-08-23 19:08 . 2012-08-24 05:02 -------- d-----w- C:\lotus
    2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\SysWow64\drivers\mcdbus.sys
    2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
    2012-08-23 19:07 . 2012-08-23 19:08 -------- d-----w- c:\program files (x86)\MagicDisc
    2012-08-23 19:07 . 2012-08-23 19:07 -------- d-----w- c:\program files (x86)\MagicISO
    2012-08-23 17:28 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C391E945-9208-43E0-8939-93F65DEF8FC5}\mpengine.dll
    2012-08-23 17:25 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-08-23 17:25 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-08-23 17:25 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-23 17:25 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-08-23 17:25 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-08-23 17:25 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-08-23 17:25 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-08-23 17:23 . 2012-08-03 09:27 62134624 ----a-w- c:\windows\system32\MRT.exe
    2012-08-23 17:21 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2012-08-23 17:20 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
    2012-08-23 17:20 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-23 17:20 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-08-23 17:20 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-08-23 17:14 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
    2012-08-23 17:14 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
    2012-08-23 17:09 . 2012-08-27 15:09 -------- d-----w- c:\users\Kencheung
    2012-08-23 16:57 . 2012-08-23 16:57 -------- d-----w- c:\programdata\ATI
    2012-08-23 16:56 . 2012-08-23 16:56 0 ----a-w- c:\windows\ativpsrm.bin
    2012-08-23 16:53 . 2012-08-23 16:55 -------- d-----w- c:\program files\ATI Technologies
    2012-08-23 16:53 . 2012-08-23 16:53 -------- d-----w- c:\program files\ATI
    2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
    2012-08-23 16:51 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-08-23 16:51 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-08-23 16:51 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\windows\tiinst
    2012-08-23 16:50 . 2012-08-28 14:25 -------- d-sh--w- c:\windows\Installer
    2012-08-23 16:47 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-08-23 16:47 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-08-23 16:47 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-08-23 16:47 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-08-23 16:47 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
    2012-08-23 16:47 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-08-23 16:47 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-08-23 16:47 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-08-23 16:47 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-08-23 16:46 . 2012-08-27 15:07 -------- d-----w- c:\users\Fayannie
    2012-08-23 16:46 . 2012-08-23 16:46 -------- d-----w- C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-27_19.11.54 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-08-28 22:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-08-27 19:09 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-28 22:21 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-28 22:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-11-21 03:09 . 2012-08-28 22:04 22864 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-28 22:04 36616 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2012-08-23 18:43 . 2012-08-28 21:27 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-08-23 18:43 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-08-23 18:43 . 2012-08-27 15:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2012-08-23 18:43 . 2012-08-28 21:27 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-28 21:27 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-08-23 19:06 . 2012-08-28 22:04 4022 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1003_UserData.bin
    + 2012-08-23 16:58 . 2012-08-28 21:25 5588 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1000_UserData.bin
    - 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-28 22:20 . 2012-08-28 22:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-28 22:20 . 2012-08-28 22:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-28 14:25 . 2012-08-28 14:25 351904 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
    + 2012-08-28 14:25 . 2012-08-28 14:25 424096 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.dll
    + 2012-08-28 14:25 . 2012-08-28 14:25 257696 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    - 2009-07-14 02:36 . 2012-08-27 18:21 659818 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-08-28 22:07 659818 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-08-27 18:21 120714 c:\windows\system32\perfc009.dat
    + 2009-07-14 02:36 . 2012-08-28 22:07 120714 c:\windows\system32\perfc009.dat
    - 2009-07-14 04:46 . 2012-08-23 22:02 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-07-14 04:46 . 2012-08-28 15:46 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-07-14 05:01 . 2012-08-28 22:20 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2012-08-27 19:07 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2012-08-23 19:33 . 2012-08-26 22:42 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
    + 2012-08-23 19:33 . 2012-08-28 15:33 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
    - 2009-07-14 04:45 . 2012-08-23 20:20 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 04:45 . 2012-08-28 15:34 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2012-08-23 21:46 . 2012-08-28 22:20 1065316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-8192.dat
    + 2012-08-25 00:35 . 2012-08-28 22:02 1632268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1000-8192.dat
    + 2011-04-16 13:44 . 2011-04-16 13:44 2770944 c:\windows\Installer\2e96b0.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    .
    c:\users\Kencheung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-8-23 576000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 257696]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 31124344]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-02-18 462632]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 14:25]
    .
    2012-08-28 c:\windows\Tasks\AutoKMS.job
    - c:\windows\AutoKMS\AutoKMS.exe [2012-08-23 20:24]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 65.183.0.76 65.183.0.86
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-28 17:25:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-28 22:25
    ComboFix2.txt 2012-08-28 21:17
    ComboFix3.txt 2012-08-28 15:39
    ComboFix4.txt 2012-08-27 19:15
    .
    Pre-Run: 25,371,455,488 bytes free
    Post-Run: 25,019,043,840 bytes free
    .
    - - End Of File - - 5549451F5FF66341D35A22DCBC9897CE
     
  7. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    You are good to go now.
     
  8. paulcheung

    paulcheung New Member

    Messages:
    1,107
    Thank you John,
    Do you have any idea which or what program caused that issue? My partner went to Facebook, and I installed Yahoo Messenger and went there. Could these two places have caused it, or do they have nothing to do with it?
    Thank you again.
     
  9. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    Nothing to do with it. Those 2 entries usually appear when you have had a decent infection.
     
  10. paulcheung

    paulcheung New Member

    Messages:
    1,107
    Ok, thank you.
     
