A question about the Combofix report.

paulcheung

Active Member
Hi all,

Can someone tell me about the ComboFix report? One section says "locked registry keys". Has ComboFix locked those keys, or has ComboFix found that these keys are locked by another program, or maybe a virus?

Thank you.
 

johnb35

Administrator
Staff member
Most of the locked keys are nothing to worry about as they are usually from Flash Player. I would have to look at the log to determine if anything needs to be done. Some locked keys come from malware.
 

paulcheung

Active Member
Thank you John,
Here is the latest one.

ComboFix 12-08-25.04 - Kencheung 08/28/2012 16:04:55.3.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3966.2852 [GMT -5:00]
Running from: c:\users\Fayannie\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))
.
.
2012-08-28 21:10 . 2012-08-28 21:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-26 21:00 . 2012-08-26 23:37 -------- d-----w- c:\program files\Google
2012-08-24 14:56 . 2012-08-24 14:56 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-24 14:55 . 2012-08-24 14:54 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 14:55 . 2012-08-24 14:54 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-08-24 14:55 . 2012-08-24 14:54 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-24 14:54 . 2012-08-24 14:54 -------- d-----w- c:\program files (x86)\Java
2012-08-23 20:37 . 2012-08-23 20:37 -------- d-----w- c:\program files (x86)\VideoLAN
2012-08-23 20:29 . 1998-07-31 22:00 65024 ----a-w- c:\windows\Icg32.dll
2012-08-23 20:28 . 1997-08-26 17:06 315904 ----a-w- c:\windows\IsUninst.exe
2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\pciii
2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\payroll
2012-08-23 20:24 . 2012-08-27 15:07 -------- d-----w- c:\windows\AutoKMS
2012-08-23 20:22 . 2012-08-23 20:22 -------- d-----w- c:\program files (x86)\ImgBurn
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\windows\PCHEALTH
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files\Microsoft Office
2012-08-23 20:02 . 2012-08-23 20:02 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-08-23 20:01 . 2012-08-23 20:15 -------- d-----w- c:\programdata\Microsoft Help
2012-08-23 20:00 . 2012-08-23 20:00 -------- d-----r- C:\MSOCache
2012-08-23 19:39 . 2012-08-23 19:45 -------- d-----w- c:\programdata\Nero
2012-08-23 19:38 . 2012-08-23 19:39 -------- d-----w- c:\program files (x86)\Common Files\Nero
2012-08-23 19:38 . 2012-08-23 19:45 -------- d-----w- c:\program files (x86)\Nero
2012-08-23 19:37 . 2012-08-23 16:46 -------- d-----w- c:\windows\Panther
2012-08-23 19:32 . 2012-08-23 19:58 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-08-23 19:32 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\SysWow64\D3DCompiler_42.dll
2012-08-23 19:32 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\SysWow64\D3DX9_42.dll
2012-08-23 19:31 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2012-08-23 19:31 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\SysWow64\d3dx9_35.dll
2012-08-23 19:30 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\SysWow64\d3dx9_34.dll
2012-08-23 19:28 . 2012-08-23 19:28 -------- d-----w- c:\program files\Common Files\Intuit
2012-08-23 19:24 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
2012-08-23 19:23 . 2012-08-23 20:29 -------- d-----w- c:\program files (x86)\Intuit
2012-08-23 19:23 . 2012-08-23 19:34 -------- d-----w- c:\programdata\Intuit
2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\program files (x86)\Common Files\Intuit
2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\programdata\Nuance
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\SQL Anywhere 11
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\COMMON FILES
2012-08-23 19:22 . 2012-08-26 17:29 -------- d-----w- c:\windows\SysWow64\Macromed
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
2012-08-23 19:21 . 2012-08-23 20:29 -------- d-----w- c:\windows\Intuit
2012-08-23 19:19 . 2012-08-23 19:19 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2012-08-23 19:14 . 2012-08-23 19:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-08-23 19:08 . 2012-08-24 05:02 -------- d-----w- C:\lotus
2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\SysWow64\drivers\mcdbus.sys
2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2012-08-23 19:07 . 2012-08-23 19:08 -------- d-----w- c:\program files (x86)\MagicDisc
2012-08-23 19:07 . 2012-08-23 19:07 -------- d-----w- c:\program files (x86)\MagicISO
2012-08-23 17:28 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C391E945-9208-43E0-8939-93F65DEF8FC5}\mpengine.dll
2012-08-23 17:25 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-08-23 17:25 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-08-23 17:25 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-08-23 17:25 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-08-23 17:25 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-23 17:25 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-08-23 17:25 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-08-23 17:23 . 2012-08-03 09:27 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-23 17:21 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-08-23 17:20 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-08-23 17:20 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-23 17:20 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-08-23 17:20 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-08-23 17:14 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-08-23 17:14 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-08-23 17:09 . 2012-08-27 15:09 -------- d-----w- c:\users\Kencheung
2012-08-23 16:57 . 2012-08-23 16:57 -------- d-----w- c:\programdata\ATI
2012-08-23 16:56 . 2012-08-23 16:56 0 ----a-w- c:\windows\ativpsrm.bin
2012-08-23 16:53 . 2012-08-23 16:55 -------- d-----w- c:\program files\ATI Technologies
2012-08-23 16:53 . 2012-08-23 16:53 -------- d-----w- c:\program files\ATI
2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
2012-08-23 16:51 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-08-23 16:51 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-08-23 16:51 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\windows\tiinst
2012-08-23 16:50 . 2012-08-28 14:25 -------- d-sh--w- c:\windows\Installer
2012-08-23 16:47 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-08-23 16:47 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-08-23 16:47 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-08-23 16:47 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-08-23 16:47 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-08-23 16:47 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-08-23 16:47 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-08-23 16:47 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-08-23 16:47 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-08-23 16:46 . 2012-08-27 15:07 -------- d-----w- c:\users\Fayannie
2012-08-23 16:46 . 2012-08-23 16:46 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-27_19.11.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-28 21:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-27 19:09 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-28 21:14 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-28 21:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-08-28 15:48 22650 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-28 15:48 36512 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-08-23 18:43 . 2012-08-28 20:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-23 18:43 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-23 18:43 . 2012-08-27 15:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-23 18:43 . 2012-08-28 20:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-28 20:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-23 19:06 . 2012-08-28 15:36 3794 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1003_UserData.bin
+ 2012-08-23 16:58 . 2012-08-28 15:48 5540 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1000_UserData.bin
- 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-28 21:11 . 2012-08-28 21:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-28 21:11 . 2012-08-28 21:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-28 14:25 . 2012-08-28 14:25 351904 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
+ 2012-08-28 14:25 . 2012-08-28 14:25 424096 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.dll
+ 2012-08-28 14:25 . 2012-08-28 14:25 257696 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-08-28 14:25 . 2012-08-28 14:25 419488 c:\windows\SysWOW64\FlashPlayerApp.exe
- 2009-07-14 02:36 . 2012-08-27 18:21 659818 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-28 15:51 659818 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-08-27 18:21 120714 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-08-28 15:51 120714 c:\windows\system32\perfc009.dat
+ 2009-07-14 04:46 . 2012-08-28 15:46 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 04:46 . 2012-08-23 22:02 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 05:01 . 2012-08-28 21:10 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-27 19:07 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-08-23 19:33 . 2012-08-26 22:42 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
+ 2012-08-23 19:33 . 2012-08-28 15:33 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
- 2009-07-14 04:45 . 2012-08-23 20:20 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2012-08-28 15:34 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2012-08-25 00:35 . 2012-08-28 21:10 1632268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1000-8192.dat
+ 2011-04-16 13:44 . 2011-04-16 13:44 2770944 c:\windows\Installer\2e96b0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\users\Kencheung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-8-23 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 257696]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 31124344]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-02-18 462632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 14:25]
.
2012-08-28 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-08-23 20:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 65.183.0.76 65.183.0.86
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
.
**************************************************************************
.
Completion time: 2012-08-28 16:17:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-28 21:17
ComboFix2.txt 2012-08-28 15:39
ComboFix3.txt 2012-08-27 19:15
.
Pre-Run: 25,379,110,912 bytes free
Post-Run: 25,292,861,440 bytes free
.
- - End Of File - - DBDB0854C14F3A0AB405EC921DFEA13D
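One way to apply John's triage rule to the LOCKED REGISTRY KEYS section of a log like the one above, as an added example that is not part of this thread and not ComboFix's own code: the script parses that section, groups each key that carries an @Denied line with the subkeys listed under it, and first checks whether any server binary registered under the group lives in a user-writable directory (the pattern that actually matters for malware), then consults an allow-list of keys that Flash, Office 2010 and Windows 7 lock on a clean install. Everything else is marked REVIEW. The allow-list (EXPECTED) and the list of user-writable locations (SUSPICIOUS_DIRS) are assumptions to tune per machine; the sample input reuses lines from the log above plus one constructed hostile entry under the nil CLSID {00000000-0000-0000-0000-000000000000} so the path rule has something to catch. ComboFix does not lock anything itself; each @Denied line records an access-control entry that was already on the key when the scan ran.

```python
"""Triage the LOCKED REGISTRY KEYS section of a ComboFix log (added example, not ComboFix code).
ComboFix locks nothing itself: each "@Denied:" line is a Deny ACE already on the key. Installers
set these on their own COM registrations; the case worth attention is a locked key whose server
binary sits in a user-writable directory."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SECTION = "LOCKED REGISTRY KEYS"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ACE_RE = re.compile(r"^@(?P<kind>Denied|Allowed):\s*\((?P<rights>[^)]*)\)\s*\((?P<who>[^)]*)\)")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")=(?P<val>.*)$')
PATH_RE = re.compile(r'[a-z]:\\[^",]*?\.(?:exe|dll|ocx|sys|xsd)')
# Allow-list of keys that Flash, Office 2010 and Windows 7 lock on a clean install: an
# assumption to tune per environment, not a rule ComboFix applies.
EXPECTED = {
    "Adobe Flash Player": (r"\\macromed\\flash\\", r"flashbroker"),
    "Microsoft Office / VSTO": (r"\\office\\common\\smart tag\\", r"\\schema library\\actionspane"),
    "Windows default": (r"\\control\\pcw\\security$",
                        r"\\control\\class\\\{4d36e96d-e325-11ce-bfc1-08002be10318\}\\\d{4}\\allusersettings$"),
}
# No legitimate installer registers a COM server from these locations under a locked key.
SUSPICIOUS_DIRS = (r"\\users\\", r"\\appdata\\", r"\\temp\\", r"\\recycler")
Verdict = namedtuple("Verdict", "root verdict reason denies paths")

@dataclass
class LockedKey:
    path: str
    aces: list = field(default_factory=list)    # (kind, rights, principal) per @Denied/@Allowed line
    values: dict = field(default_factory=dict)  # value name -> data exactly as ComboFix printed it

def norm(s: str) -> str:
    return s.replace("\\\\", "\\").lower()      # ComboFix doubles backslashes in REG_SZ data

def parse_locked_section(log_text: str) -> list:
    keys, cur, inside = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = SECTION in line
            continue
        if line.startswith("---"):              # the next section header ends ours
            break
        if m := KEY_RE.match(line):
            cur = LockedKey(m["key"])
            keys.append(cur)
        elif cur and (m := ACE_RE.match(line)):
            cur.aces.append((m["kind"], m["rights"], m["who"]))
        elif cur and (m := VALUE_RE.match(line)):
            cur.values[m["name"] or "@"] = m["val"]
    return keys

def group_keys(keys: list) -> list:   # a key with its own Deny ACE starts a group; plain subkeys join it
    groups = []
    for k in keys:
        own_deny = any(kind == "Denied" for kind, _, _ in k.aces)
        if groups and not own_deny and k.path.lower().startswith(groups[-1][0].path.lower() + "\\"):
            groups[-1].append(k)
        else:
            groups.append([k])
    return groups

def triage(group: list) -> Verdict:
    root = group[0].path
    haystack = "\n".join([norm(k.path) for k in group] + [norm(v) for k in group for v in k.values.values()])
    paths = sorted({p for k in group for v in k.values.values() for p in PATH_RE.findall(norm(v))})
    denies = [f"{who}: {rights}" for k in group for kind, rights, who in k.aces if kind == "Denied"]
    for p in paths:                             # checked first: a friendly name like "FlashBroker" is no alibi
        if any(re.search(d, p) for d in SUSPICIOUS_DIRS):
            return Verdict(root, "REVIEW", f"server path in user-writable location: {p}", denies, paths)
    for owner, patterns in EXPECTED.items():
        if any(re.search(pat, haystack, re.MULTILINE) for pat in patterns):
            return Verdict(root, "expected", owner, denies, paths)
    return Verdict(root, "REVIEW", "not in allow-list", denies, paths)

def triage_log(log_text: str) -> list:
    return [triage(g) for g in group_keys(parse_locked_section(log_text))]

# Lines taken from the log in this thread, plus one constructed hostile entry under the nil CLSID.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
@Denied: (Full) (Everyone)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="c:\\Users\\Public\\AppData\\Local\\Temp\\update.dll"
------------------------ Other Running Processes ------------------------
"""

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r.verdict:8} {r.root}\n         {r.reason}; deny={r.denies or '-'}; paths={r.paths or '-'}")
```

To use it on a real report, read ComboFix.txt into a string and pass it to triage_log instead of SAMPLE_LOG. A REVIEW verdict is a prompt to look, not a conviction: the VideoLAN keys above land there only because they are not on the allow-list, while the constructed nil-CLSID group lands there because its InprocServer32 points under C:\Users. The log records only that a Deny entry exists, so anything flagged still needs its ACL inspected on the live machine (regedit Permissions, or Get-Acl against Registry::HKEY_LOCAL_MACHINE\... in PowerShell) and the registered binary checked for a valid signature before deciding whether to remove the entry.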
 

paulcheung

Active Member
This is one from yesterday

ComboFix 12-08-25.04 - Kencheung 08/27/2012 14:01:49.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3966.2852 [GMT -5:00]
Running from: c:\users\Fayannie\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\winhelp.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))
.
.
2012-08-26 21:00 . 2012-08-26 23:37 -------- d-----w- c:\program files\Google
2012-08-26 20:58 . 2012-08-27 15:09 -------- d-----w- c:\program files (x86)\Google
2012-08-24 14:56 . 2012-08-24 14:56 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-24 14:55 . 2012-08-24 14:54 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 14:55 . 2012-08-24 14:54 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-08-24 14:55 . 2012-08-24 14:54 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-24 14:54 . 2012-08-24 14:54 -------- d-----w- c:\program files (x86)\Java
2012-08-23 20:37 . 2012-08-23 20:37 -------- d-----w- c:\program files (x86)\VideoLAN
2012-08-23 20:29 . 1998-07-31 22:00 65024 ----a-w- c:\windows\Icg32.dll
2012-08-23 20:28 . 1997-08-26 17:06 315904 ----a-w- c:\windows\IsUninst.exe
2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\pciii
2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\payroll
2012-08-23 20:24 . 2012-08-27 15:07 -------- d-----w- c:\windows\AutoKMS
2012-08-23 20:22 . 2012-08-23 20:22 -------- d-----w- c:\program files (x86)\ImgBurn
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\windows\PCHEALTH
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files\Microsoft Office
2012-08-23 20:02 . 2012-08-23 20:02 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-08-23 20:01 . 2012-08-23 20:15 -------- d-----w- c:\programdata\Microsoft Help
2012-08-23 20:00 . 2012-08-23 20:00 -------- d-----r- C:\MSOCache
2012-08-23 19:39 . 2012-08-23 19:45 -------- d-----w- c:\programdata\Nero
2012-08-23 19:38 . 2012-08-23 19:39 -------- d-----w- c:\program files (x86)\Common Files\Nero
2012-08-23 19:38 . 2012-08-23 19:45 -------- d-----w- c:\program files (x86)\Nero
2012-08-23 19:37 . 2012-08-23 16:46 -------- d-----w- c:\windows\Panther
2012-08-23 19:32 . 2012-08-23 19:58 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-08-23 19:32 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\SysWow64\D3DCompiler_42.dll
2012-08-23 19:32 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\SysWow64\D3DX9_42.dll
2012-08-23 19:31 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2012-08-23 19:31 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\SysWow64\d3dx9_35.dll
2012-08-23 19:30 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\SysWow64\d3dx9_34.dll
2012-08-23 19:28 . 2012-08-23 19:28 -------- d-----w- c:\program files\Common Files\Intuit
2012-08-23 19:24 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
2012-08-23 19:23 . 2012-08-23 20:29 -------- d-----w- c:\program files (x86)\Intuit
2012-08-23 19:23 . 2012-08-23 19:34 -------- d-----w- c:\programdata\Intuit
2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\program files (x86)\Common Files\Intuit
2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\programdata\Nuance
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\SQL Anywhere 11
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\COMMON FILES
2012-08-23 19:22 . 2012-08-26 17:29 -------- d-----w- c:\windows\SysWow64\Macromed
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
2012-08-23 19:21 . 2012-08-23 20:29 -------- d-----w- c:\windows\Intuit
2012-08-23 19:19 . 2012-08-23 19:19 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2012-08-23 19:14 . 2012-08-23 19:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-08-23 19:08 . 2012-08-24 05:02 -------- d-----w- C:\lotus
2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\SysWow64\drivers\mcdbus.sys
2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2012-08-23 19:07 . 2012-08-23 19:08 -------- d-----w- c:\program files (x86)\MagicDisc
2012-08-23 19:07 . 2012-08-23 19:07 -------- d-----w- c:\program files (x86)\MagicISO
2012-08-23 17:28 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C391E945-9208-43E0-8939-93F65DEF8FC5}\mpengine.dll
2012-08-23 17:25 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-08-23 17:25 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-08-23 17:25 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-08-23 17:25 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-08-23 17:25 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-23 17:25 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-08-23 17:25 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-08-23 17:23 . 2012-08-03 09:27 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-23 17:21 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-08-23 17:20 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-08-23 17:20 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-23 17:20 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-08-23 17:20 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-08-23 17:14 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-08-23 17:14 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-08-23 17:09 . 2012-08-27 15:09 -------- d-----w- c:\users\Kencheung
2012-08-23 16:57 . 2012-08-23 16:57 -------- d-----w- c:\programdata\ATI
2012-08-23 16:56 . 2012-08-23 16:56 0 ----a-w- c:\windows\ativpsrm.bin
2012-08-23 16:53 . 2012-08-23 16:55 -------- d-----w- c:\program files\ATI Technologies
2012-08-23 16:53 . 2012-08-23 16:53 -------- d-----w- c:\program files\ATI
2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
2012-08-23 16:51 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-08-23 16:51 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-08-23 16:51 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\windows\tiinst
2012-08-23 16:50 . 2012-08-27 15:09 -------- d-sh--w- c:\windows\Installer
2012-08-23 16:47 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-08-23 16:47 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-08-23 16:47 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-08-23 16:47 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-08-23 16:47 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-08-23 16:47 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-08-23 16:47 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-08-23 16:47 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-08-23 16:47 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-08-23 16:46 . 2012-08-27 15:07 -------- d-----w- c:\users\Fayannie
2012-08-23 16:46 . 2012-08-23 16:46 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\users\Kencheung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-8-23 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 31124344]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-02-18 462632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-27 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-08-23 20:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 65.183.0.76 65.183.0.86
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
.
**************************************************************************
.
Completion time: 2012-08-27 14:15:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-27 19:15
.
Pre-Run: 24,591,638,528 bytes free
Post-Run: 25,557,856,256 bytes free
.
- - End Of File - - 4B617EB7762F3A607ED847BE3BBFC46A
 

johnb35

Administrator
Staff member
Everything is fine except for 2 of them.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
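The triage John applies above (Flash, VLC and Office locks are routine; a lock under HKLM\SYSTEM that no known product explains, or one that denies Everyone full access, is what a CFScript Reglock:: entry targets) can be automated for the LOCKED REGISTRY KEYS section of a ComboFix log. The script below is an added example, not ComboFix's or the forum's own code. The log text it parses is constructed from the shape of the entries posted in this thread, and the allowlist of "routine" lock families is an assumption made for the example, not a ComboFix rule.

```python
"""Triage the LOCKED REGISTRY KEYS section of a ComboFix log.

Added example (not ComboFix's code). Rules are an assumption built from
the thread: Flash/VLC/Office locks are routine, a full deny to Everyone
or an unexplained lock is what a Reglock:: CFScript entry would address.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, trimmed to the shape of the entries in the thread.
SAMPLE_LOG = r"""--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
"""

SECTION_HEADER = "LOCKED REGISTRY KEYS"
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ACL_RE = re.compile(r"^@(Denied|Allowed): \([^)]*\) \([^)]*\)$")
FULL_DENY_EVERYONE = re.compile(r"^@Denied: \(Full\) \(Everyone\)$")
# A COM class/interface registration; treated as routine only if its family
# of values mentions Flash (assumed allowlist, see module docstring).
COM_CLASS_RE = re.compile(r"\\Classes\\Wow6432Node\\(CLSID|Interface)\\\{[0-9A-Fa-f-]+\}$")
BENIGN_PATHS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\\Classes\\VideoLAN\.VLCPlugin\.", re.I), "VLC browser plugin registration"),
    (re.compile(r"\\Microsoft\\Office\\Common\\Smart Tag\\", re.I), "Office smart tag"),
    (re.compile(r"\\Microsoft\\Schema Library\\", re.I), "Office/VSTO schema library"),
]


def extract_section(log_text: str) -> List[str]:
    """Return the lines between the LOCKED REGISTRY KEYS banner and the next banner."""
    out: List[str] = []
    inside = False
    for line in log_text.splitlines():
        if SECTION_HEADER in line:
            inside = True
            continue
        if inside and line.startswith("-----"):  # next section banner
            break
        if inside:
            out.append(line)
    return out


def parse_locked_keys(log_text: str) -> List[Dict]:
    """One record per [KEY] block: its ACL lines and its value lines."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for line in extract_section(log_text):
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group("key"), "acl": [], "values": []}
            entries.append(current)
        elif current is None or line.strip() in ("", "."):
            continue
        elif ACL_RE.match(line):
            current["acl"].append(line)
        else:
            current["values"].append(line)
    return entries


def group_families(entries: List[Dict]) -> List[Tuple[Dict, List[Dict]]]:
    """Attach each subkey to the first listed ancestor; ComboFix prints the ACL on the parent only."""
    families: List[Tuple[Dict, List[Dict]]] = []
    for e in entries:
        for root, members in families:
            if e["key"].lower().startswith(root["key"].lower() + "\\"):
                members.append(e)
                break
        else:
            families.append((e, [e]))
    return families


def classify(entries: List[Dict]) -> List[Dict]:
    """Verdict per key family: suspicious, benign (known product) or review."""
    results: List[Dict] = []
    for root, members in group_families(entries):
        all_values = " ".join(v for m in members for v in m["values"]).lower()
        acl = [a for m in members for a in m["acl"]]
        if any(FULL_DENY_EVERYONE.match(a) for a in acl):
            verdict, reason = "suspicious", "full access denied to Everyone"
        elif COM_CLASS_RE.search(root["key"]) and "flash" in all_values:
            verdict, reason = "benign", "Flash Player COM registration"
        else:
            for pat, label in BENIGN_PATHS:
                if pat.search(root["key"]):
                    verdict, reason = "benign", label
                    break
            else:
                verdict, reason = "review", "lock outside the known-benign families"
        results.append({"key": root["key"], "subkeys": len(members) - 1,
                        "verdict": verdict, "reason": reason})
    return results


def triage(log_text: str) -> List[Dict]:
    return classify(parse_locked_keys(log_text))


def verdict_counts(results: List[Dict]) -> Dict[str, int]:
    counts = {"benign": 0, "review": 0, "suspicious": 0}
    for r in results:
        counts[r["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:10} {r['reason']:40} {r['key']}")
```

Run it on a real Combofix.txt by reading the file into `triage()`; anything marked `review` or `suspicious` is what to look at or post, the `benign` families are the Flash/VLC/Office locks John describes as nothing to worry about.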
 

paulcheung

Active Member
ComboFix 12-08-25.04 - Kencheung 08/28/2012 17:14:16.4.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3966.2932 [GMT -5:00]
Running from: c:\users\Kencheung\Desktop\ComboFix.exe
Command switches used :: c:\users\Kencheung\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))
.
.
2012-08-28 22:19 . 2012-08-28 22:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-28 14:25 . 2012-08-28 14:25 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-28 14:25 . 2012-08-28 14:25 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-26 21:00 . 2012-08-26 23:37 -------- d-----w- c:\program files\Google
2012-08-24 14:56 . 2012-08-24 14:56 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-24 14:55 . 2012-08-24 14:54 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 14:55 . 2012-08-24 14:54 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-08-24 14:55 . 2012-08-24 14:54 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-24 14:54 . 2012-08-24 14:54 -------- d-----w- c:\program files (x86)\Java
2012-08-23 20:37 . 2012-08-23 20:37 -------- d-----w- c:\program files (x86)\VideoLAN
2012-08-23 20:29 . 1998-07-31 22:00 65024 ----a-w- c:\windows\Icg32.dll
2012-08-23 20:28 . 1997-08-26 17:06 315904 ----a-w- c:\windows\IsUninst.exe
2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\pciii
2012-08-23 20:25 . 2012-08-23 20:25 -------- d-----w- C:\payroll
2012-08-23 20:24 . 2012-08-27 15:07 -------- d-----w- c:\windows\AutoKMS
2012-08-23 20:22 . 2012-08-23 20:22 -------- d-----w- c:\program files (x86)\ImgBurn
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\windows\PCHEALTH
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft Sync Framework
2012-08-23 20:06 . 2012-08-23 20:06 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2012-08-23 20:04 . 2012-08-23 20:04 -------- d-----w- c:\program files\Microsoft Office
2012-08-23 20:02 . 2012-08-23 20:02 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-08-23 20:01 . 2012-08-23 20:15 -------- d-----w- c:\programdata\Microsoft Help
2012-08-23 20:00 . 2012-08-23 20:00 -------- d-----r- C:\MSOCache
2012-08-23 19:39 . 2012-08-23 19:45 -------- d-----w- c:\programdata\Nero
2012-08-23 19:38 . 2012-08-23 19:39 -------- d-----w- c:\program files (x86)\Common Files\Nero
2012-08-23 19:38 . 2012-08-23 19:45 -------- d-----w- c:\program files (x86)\Nero
2012-08-23 19:37 . 2012-08-23 16:46 -------- d-----w- c:\windows\Panther
2012-08-23 19:32 . 2012-08-23 19:58 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-08-23 19:32 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\SysWow64\D3DCompiler_42.dll
2012-08-23 19:32 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\SysWow64\D3DX9_42.dll
2012-08-23 19:31 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2012-08-23 19:31 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\SysWow64\d3dx9_35.dll
2012-08-23 19:30 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\SysWow64\d3dx9_34.dll
2012-08-23 19:28 . 2012-08-23 19:28 -------- d-----w- c:\program files\Common Files\Intuit
2012-08-23 19:24 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
2012-08-23 19:23 . 2012-08-23 20:29 -------- d-----w- c:\program files (x86)\Intuit
2012-08-23 19:23 . 2012-08-23 19:34 -------- d-----w- c:\programdata\Intuit
2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\program files (x86)\Common Files\Intuit
2012-08-23 19:23 . 2012-08-23 19:23 -------- d-----w- c:\programdata\Nuance
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\SQL Anywhere 11
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\programdata\COMMON FILES
2012-08-23 19:22 . 2012-08-26 17:29 -------- d-----w- c:\windows\SysWow64\Macromed
2012-08-23 19:22 . 2012-08-23 19:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
2012-08-23 19:21 . 2012-08-23 20:29 -------- d-----w- c:\windows\Intuit
2012-08-23 19:19 . 2012-08-23 19:19 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2012-08-23 19:14 . 2012-08-23 19:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-08-23 19:08 . 2012-08-24 05:02 -------- d-----w- C:\lotus
2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\SysWow64\drivers\mcdbus.sys
2012-08-23 19:07 . 2009-02-24 23:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2012-08-23 19:07 . 2012-08-23 19:08 -------- d-----w- c:\program files (x86)\MagicDisc
2012-08-23 19:07 . 2012-08-23 19:07 -------- d-----w- c:\program files (x86)\MagicISO
2012-08-23 17:28 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C391E945-9208-43E0-8939-93F65DEF8FC5}\mpengine.dll
2012-08-23 17:25 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-08-23 17:25 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-08-23 17:25 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-08-23 17:25 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-08-23 17:25 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-23 17:25 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-08-23 17:25 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-08-23 17:23 . 2012-08-03 09:27 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-23 17:21 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-08-23 17:20 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-08-23 17:20 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-23 17:20 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-08-23 17:20 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-08-23 17:14 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-08-23 17:14 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-08-23 17:09 . 2012-08-27 15:09 -------- d-----w- c:\users\Kencheung
2012-08-23 16:57 . 2012-08-23 16:57 -------- d-----w- c:\programdata\ATI
2012-08-23 16:56 . 2012-08-23 16:56 0 ----a-w- c:\windows\ativpsrm.bin
2012-08-23 16:53 . 2012-08-23 16:55 -------- d-----w- c:\program files\ATI Technologies
2012-08-23 16:53 . 2012-08-23 16:53 -------- d-----w- c:\program files\ATI
2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
2012-08-23 16:51 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-08-23 16:51 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-08-23 16:51 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-08-23 16:51 . 2012-08-23 16:51 -------- d-----w- c:\windows\tiinst
2012-08-23 16:50 . 2012-08-28 14:25 -------- d-sh--w- c:\windows\Installer
2012-08-23 16:47 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-08-23 16:47 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-08-23 16:47 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-08-23 16:47 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-08-23 16:47 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-08-23 16:47 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-08-23 16:47 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-08-23 16:47 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-08-23 16:47 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-08-23 16:46 . 2012-08-27 15:07 -------- d-----w- c:\users\Fayannie
2012-08-23 16:46 . 2012-08-23 16:46 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-27_19.11.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-28 22:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-27 19:09 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-28 22:21 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-27 19:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-28 22:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-08-28 22:04 22864 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-28 22:04 36616 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-08-23 18:43 . 2012-08-28 21:27 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-23 18:43 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-08-23 18:43 . 2012-08-27 15:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-23 18:43 . 2012-08-28 21:27 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-28 21:27 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-27 15:12 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-23 19:06 . 2012-08-28 22:04 4022 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1003_UserData.bin
+ 2012-08-23 16:58 . 2012-08-28 21:25 5588 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2181937301-3688011938-356138974-1000_UserData.bin
- 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-28 22:20 . 2012-08-28 22:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-28 22:20 . 2012-08-28 22:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-27 19:08 . 2012-08-27 19:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-28 14:25 . 2012-08-28 14:25 351904 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
+ 2012-08-28 14:25 . 2012-08-28 14:25 424096 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.dll
+ 2012-08-28 14:25 . 2012-08-28 14:25 257696 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
- 2009-07-14 02:36 . 2012-08-27 18:21 659818 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-28 22:07 659818 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-08-27 18:21 120714 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-08-28 22:07 120714 c:\windows\system32\perfc009.dat
- 2009-07-14 04:46 . 2012-08-23 22:02 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 04:46 . 2012-08-28 15:46 131232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 05:01 . 2012-08-28 22:20 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-27 19:07 398020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-08-23 19:33 . 2012-08-26 22:42 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
+ 2012-08-23 19:33 . 2012-08-28 15:33 795764 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-12288.dat
- 2009-07-14 04:45 . 2012-08-23 20:20 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2012-08-28 15:34 7087352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2012-08-23 21:46 . 2012-08-28 22:20 1065316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1003-8192.dat
+ 2012-08-25 00:35 . 2012-08-28 22:02 1632268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2181937301-3688011938-356138974-1000-8192.dat
+ 2011-04-16 13:44 . 2011-04-16 13:44 2770944 c:\windows\Installer\2e96b0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\users\Kencheung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-8-23 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 257696]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 31124344]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-02-18 462632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-28 14:25]
.
2012-08-28 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2012-08-23 20:24]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 65.183.0.76 65.183.0.86
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
.
**************************************************************************
.
Completion time: 2012-08-28 17:25:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-28 22:25
ComboFix2.txt 2012-08-28 21:17
ComboFix3.txt 2012-08-28 15:39
ComboFix4.txt 2012-08-27 19:15
.
Pre-Run: 25,371,455,488 bytes free
Post-Run: 25,019,043,840 bytes free
.
- - End Of File - - 5549451F5FF66341D35A22DCBC9897CE
 

paulcheung

Active Member
Thank you John,
Do you have any idea which program caused that issue? My partner went to Facebook and I installed Yahoo Messenger and went there. Could these two places have caused it, or do they have nothing to do with it?
Thank you again
 

johnb35

Administrator
Staff member
Nothing to do with it. Those 2 entries usually appear when you have had a decent infection.
 