
recieving BSOD and MSERT reporting rovnix.d


  • This topic is locked
31 replies to this topic

#1 ekartoon

ekartoon

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 20 June 2013 - 12:36 AM

Hi All

I have been directed here from

http://www.bleepingcomputer.com/forums/t/498549/recieving-bsod-and-msert-reporting-rovnixd/

I have run DDS and have the log files below. As mentioned in the above post, I am having random BSODs. Also, my Firefox is displaying random pop-up ads in the bottom corner of the window over the site I am viewing. After I scanned the machine with MSERT, it reported I had Trojan:DOS/Rovnix.D. MSERT reports that it has completed a partial removal. MS recommends a reinstall of Windows. I was hoping to avoid that; any help would be greatly appreciated.

 

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.25.2
Run by erick at 15:20:56 on 2013-06-20
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.8147.6729 [GMT 10:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\System32\Antex\DMX8Helper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe
C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Everything\Everything.exe
C:\Program Files (x86)\FTR\ForTheRecord\FTRSearchFolders.exe
C:\Program Files (x86)\NCH Swift Sound\Pedable\pedable.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\7-Zip\7zFM.exe
C:\Windows\system32\mstsc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [DymoQuickPrint] "C:\Program Files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
mRun: [FTR Search Folders] C:\Program Files (x86)\FTR\ForTheRecord\FTRSearchFolders.exe
mRun: [DLSService] "C:\Program Files (x86)\DYMO\DYMO Label Software\DLSService.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Pedable] "C:\Program Files (x86)\NCH Swift Sound\Pedable\pedable.exe" -logon
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\erick\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
TCP: NameServer = 10.152.99.4
TCP: Interfaces\{530A25B5-B52F-4AB6-B85A-BCF332AAC073} : DHCPNameServer = 10.152.99.4
TCP: Interfaces\{E2968DBF-EF5B-40C9-934D-3E7ACE20A635} : DHCPNameServer = 10.152.99.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
x64-Run: [tvncontrol] "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
x64-Run: [DMX8Helper.exe] C:\Windows\System32\Antex\DMX8Helper.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 analytics.microsoft.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\erick\AppData\Roaming\Mozilla\Firefox\Profiles\t1lxknww.default-1371617594933\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-2-19 16152]
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2013-2-18 25056]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-11-10 204288]
R2 DymoPnpService;DYMO PnP Service;C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [2013-3-5 33072]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-2-18 3560288]
R2 tvnserver;TightVNC Server;C:\Program Files\TightVNC\tvnserver.exe [2012-11-20 1696824]
R3 dfmirage;dfmirage;C:\Windows\System32\drivers\dfmirage.sys [2013-2-20 36432]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-2-19 355096]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-2-19 786200]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 AE_USBBUS;Antex Electronics USB Audio Bus Driver;C:\Windows\System32\drivers\ae_USBBUS.sys [2008-12-2 67072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 FTRReporterService;FTR Reporter Service;"C:\Program Files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe" --> C:\Program Files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe [?]
S2 WSWNDA3100v2;WSWNDA3100v2;C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [2013-2-18 303360]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\Windows\System32\drivers\bcmwlhigh664.sys [2013-2-18 1256192]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 DMX8FAMILY;Antex Electronics USB Adapter Driver (AVS);C:\Windows\System32\drivers\ae_usb.sys [2008-12-2 22016]
S3 FTR Recorder Cleaner;FTR Recorder Cleaner;"C:\Program Files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe" --> C:\Program Files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe [?]
S3 FTR Recorder Manager;FTR Recorder Manager;"C:\Program Files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe" --> C:\Program Files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe [?]
S3 FTR Replicator Service;FTR Replicator Service;"C:\Program Files (x86)\FTR\ForTheRecord\FTRReplicator.exe" --> C:\Program Files (x86)\FTR\ForTheRecord\FTRReplicator.exe [?]
S3 FTRSessionFiles;FTRSessionFiles;"C:\Program Files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe" --> C:\Program Files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-2-18 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-2-18 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-2-18 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-2-18 1255736]
.
=============== Created Last 30 ================
.
2013-06-20 00:51:17    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-20 00:36:38    --------    d-----w-    C:\Program Files (x86)\ESET
2013-06-19 05:35:42    --------    d-----w-    C:\$RECYCLE.BIN
2013-06-19 05:22:17    98816    ----a-w-    C:\Windows\sed.exe
2013-06-19 05:22:17    256000    ----a-w-    C:\Windows\PEV.exe
2013-06-19 05:22:17    208896    ----a-w-    C:\Windows\MBR.exe
2013-06-19 05:22:16    --------    d-----w-    C:\ComboFix
2013-06-19 02:44:44    --------    d-----w-    C:\Program Files\WhoCrashed
2013-06-19 01:50:30    --------    d-----w-    C:\Users\erick\AppData\Roaming\Glarysoft
2013-06-19 01:50:30    --------    d-----w-    C:\Program Files (x86)\Glary Utilities
2013-06-19 01:26:45    --------    d-----w-    C:\ProgramData\HitmanPro
2013-06-18 07:46:53    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-18 07:26:44    --------    d-----w-    C:\Program Files\Trend Micro
2013-06-18 07:25:44    --------    d--h--w-    C:\Windows\AxInstSV
2013-06-18 06:05:15    --------    d-----w-    C:\ProgramData\aa7dbc
2013-06-18 05:38:14    --------    d-----w-    C:\Program Files (x86)\XML Notepad 2007
2013-06-05 05:18:48    --------    d-----w-    C:\SMPTE
2013-06-05 05:12:05    --------    d-----w-    C:\Program Files (x86)\TimecodeFG
2013-05-31 05:38:17    --------    d-----w-    C:\Program Files (x86)\NCH Swift Sound
2013-05-31 05:25:19    --------    d-----w-    C:\Program Files (x86)\BWF Widget
2013-05-31 05:25:16    249856    ------w-    C:\Windows\Setup1.exe
2013-05-31 05:25:15    73216    ----a-w-    C:\Windows\ST6UNST.EXE
2013-05-31 03:24:18    --------    d-----w-    C:\Users\erick\AppData\Local\Apple Computer
2013-05-31 03:13:03    159744    ----a-w-    C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-05-31 03:13:03    159744    ----a-w-    C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-05-31 03:13:03    159744    ----a-w-    C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-05-31 03:13:03    159744    ----a-w-    C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-05-31 03:13:03    159744    ----a-w-    C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-05-31 03:12:29    --------    d-----w-    C:\Users\erick\AppData\Local\Apple
2013-05-31 02:23:21    --------    d-----w-    C:\Program Files (x86)\NCH Software
2013-05-31 02:23:19    --------    d-----w-    C:\Users\erick\AppData\Roaming\NCH Software
2013-05-27 10:01:24    --------    d-----w-    C:\Users\erick\AppData\Local\Sanford,_L.P
2013-05-27 10:01:11    --------    d-----w-    C:\Users\erick\AppData\Local\DYMO
2013-05-27 10:00:15    --------    d-----w-    C:\Program Files\Bonjour
2013-05-27 10:00:15    --------    d-----w-    C:\Program Files (x86)\Bonjour
2013-05-27 09:59:39    --------    d-----w-    C:\Program Files (x86)\DYMO
2013-05-27 09:59:38    --------    d-----w-    C:\ProgramData\DYMO
2013-05-24 00:22:24    262552    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
.
==================== Find3M  ====================
.
2013-06-20 00:51:15    867240    ----a-w-    C:\Windows\SysWow64\npDeployJava1.dll
2013-06-20 00:51:15    789416    ----a-w-    C:\Windows\SysWow64\deployJava1.dll
2013-05-20 00:18:36    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-20 00:18:36    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-04-30 17:59:12    94208    ----a-w-    C:\Windows\SysWow64\QuickTimeVR.qtx
2013-04-30 17:59:12    69632    ----a-w-    C:\Windows\SysWow64\QuickTime.qts
2013-04-04 04:50:32    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-02-18 05:12:07    4096000    ----a-w-    C:\Program Files (x86)\GUT18CE.tmp
2008-12-21 21:46:54    351744    --sha-w-    C:\Windows\SysWOW64\avisynth.dll
2005-07-14 02:31:20    32256    --sh--w-    C:\Windows\SysWOW64\AVSredirect.dll
2004-05-26 12:37:34    719872    --sha-w-    C:\Windows\SysWOW64\devil.dll
2006-05-03 01:06:54    163328    --sha-r-    C:\Windows\SysWOW64\flvDX.dll
2004-01-24 14:00:00    70656    --sh--w-    C:\Windows\SysWOW64\i420vfw.dll
2007-02-21 02:47:16    31232    --sha-r-    C:\Windows\SysWOW64\msfDX.dll
2008-03-16 04:30:52    216064    --sha-r-    C:\Windows\SysWOW64\nbDX.dll
2010-01-06 13:00:00    107520    --sha-r-    C:\Windows\SysWOW64\TAKDSDecoder.dll
2012-10-05 09:54:00    188416    --sha-r-    C:\Windows\SysWOW64\winDCE32.dll
2004-01-24 14:00:00    70656    --sh--w-    C:\Windows\SysWOW64\yv12vfw.dll
.
============= FINISH: 15:21:08.38 ===============
 

Thanks


 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:00 AM

Posted 20 June 2013 - 01:45 AM

Hi there,
my name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 ekartoon

ekartoon
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 20 June 2013 - 08:43 PM

Hi There

Thanks so much. Here is what I have from MBAR. I'm not sure if it's complete, as the PC is BSODing on me quite often.

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org

Database version: v2013.06.20.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
erick :: LT101046-E [administrator]

20/06/2013 5:53:00 PM
-log-2013-06-20 (17-53-00).txt

Scan type: Quick scan
Scan options enabled: PUM | P2P
Scan options disabled: Anti-Rootkit | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | Deep Anti-Rootkit Scan | PUP
Objects scanned: 0
Time elapsed:

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:00 AM

Posted 20 June 2013 - 11:56 PM

Combofix


Combofix should only be run when advised by a team member!


Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.



#5 ekartoon

ekartoon
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:00 PM

Posted 21 June 2013 - 02:52 AM

Hi There

OK, I ran that (had to run it twice; it didn't work the first time) and below is the content of the log. Also please note that tomorrow is the weekend here and this is a PC at work, so I will not be able to do anything until Monday, but I will come back, so please don't close this thread :)

 

ComboFix 13-06-21.01 - erick 21/06/2013  17:27:50.3.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.8147.6744 [GMT 10:00]
Running from: c:\users\erick\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\erick\AppData\Local\Temp\_MEI7762\_ctypes.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\_elementtree.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\_hashlib.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\_multiprocessing.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\_socket.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\_ssl.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\pyexpat.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\pysqlite2._sqlite.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\python27.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\pythoncom27.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\PyWinTypes27.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\select.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\unicodedata.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32api.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32com.shell.shell.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32crypt.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32event.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32file.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32inet.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32pdh.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32process.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32profile.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32security.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\win32ts.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\windows._cacheinvalidation.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wx._controls_.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wx._core_.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wx._gdi_.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wx._html2.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wx._misc_.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wx._windows_.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wx._wizard.pyd
c:\users\erick\AppData\Local\Temp\_MEI7762\wxbase294u_net_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\wxbase294u_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_adv_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_core_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_html_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-21 to 2013-06-21  )))))))))))))))))))))))))))))))
.
.
2013-06-21 07:31 . 2013-06-21 07:31    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-06-21 07:31 . 2013-06-21 07:31    --------    d-----w-    c:\users\LT101046-E\AppData\Local\temp
2013-06-21 01:08 . 2013-06-21 02:09    162008    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-21 01:07 . 2013-06-21 01:07    36680    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-06-20 00:52 . 2013-06-20 00:52    --------    d-----w-    c:\users\erick\AppData\Roaming\Oracle
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\windows\Sun
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-06-20 00:51 . 2013-06-20 00:51    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\program files (x86)\Java
2013-06-20 00:50 . 2013-06-20 00:50    --------    d-----w-    c:\programdata\McAfee
2013-06-20 00:36 . 2013-06-20 00:36    --------    d-----w-    c:\program files (x86)\ESET
2013-06-19 04:39 . 2013-06-19 04:40    --------    d-----w-    c:\users\Administrator
2013-06-19 02:44 . 2013-06-19 06:40    --------    d-----w-    c:\program files\WhoCrashed
2013-06-19 01:50 . 2013-06-19 04:16    --------    d-----w-    c:\program files (x86)\Glary Utilities
2013-06-19 01:50 . 2013-06-19 04:16    --------    d-----w-    c:\users\erick\AppData\Roaming\Glarysoft
2013-06-19 01:26 . 2013-06-19 01:37    --------    d-----w-    c:\programdata\HitmanPro
2013-06-18 07:46 . 2013-06-21 02:10    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-18 07:26 . 2013-06-18 07:26    --------    d-----w-    c:\program files\Trend Micro
2013-06-18 07:25 . 2013-06-18 07:26    --------    d--h--w-    c:\windows\AxInstSV
2013-06-18 06:05 . 2013-06-18 06:06    --------    d-----w-    c:\programdata\aa7dbc
2013-06-18 05:38 . 2013-06-19 07:02    --------    d-----w-    c:\program files (x86)\XML Notepad 2007
2013-06-06 00:29 . 2013-06-06 00:29    --------    d-----w-    c:\users\erick\AppData\Roaming\Apple Computer
2013-06-05 05:18 . 2013-06-05 05:32    --------    d-----w-    C:\SMPTE
2013-06-05 05:12 . 2013-06-05 05:12    --------    d-----w-    c:\program files (x86)\TimecodeFG
2013-05-31 05:38 . 2013-05-31 05:40    --------    d-----w-    c:\programdata\NCH Swift Sound
2013-05-31 05:38 . 2013-05-31 05:40    --------    d-----w-    c:\program files (x86)\NCH Swift Sound
2013-05-31 05:25 . 2013-05-31 05:33    --------    d-----w-    c:\program files (x86)\BWF Widget
2013-05-31 05:25 . 2013-05-31 05:25    249856    ------w-    c:\windows\Setup1.exe
2013-05-31 05:25 . 2013-05-31 05:25    73216    ----a-w-    c:\windows\ST6UNST.EXE
2013-05-31 04:45 . 2013-05-31 04:45    --------    d-----w-    c:\users\erick\AppData\Roaming\Media Player Classic
2013-05-31 03:24 . 2013-05-31 03:24    --------    d-----w-    c:\users\erick\AppData\Local\Apple Computer
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-05-31 03:12 . 2013-05-31 03:20    --------    d-----w-    c:\programdata\Apple Computer
2013-05-31 03:12 . 2013-05-31 03:13    --------    d-----w-    c:\program files (x86)\QuickTime
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\program files (x86)\Common Files\Apple
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\users\erick\AppData\Local\Apple
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\program files (x86)\Apple Software Update
2013-05-31 02:23 . 2013-05-31 02:23    --------    d-----w-    c:\programdata\NCH Software
2013-05-31 02:23 . 2013-05-31 02:23    --------    d-----w-    c:\program files (x86)\NCH Software
2013-05-31 02:23 . 2013-05-31 05:38    --------    d-----w-    c:\users\erick\AppData\Roaming\NCH Software
2013-05-27 10:01 . 2013-05-27 10:01    --------    d-----w-    c:\users\erick\AppData\Local\Sanford,_L.P
2013-05-27 10:01 . 2013-05-27 10:01    --------    d-----w-    c:\users\erick\AppData\Local\DYMO
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\programdata\Apple
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\program files\Bonjour
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\program files (x86)\Bonjour
2013-05-27 09:59 . 2013-05-27 09:59    --------    d-----w-    c:\program files (x86)\DYMO
2013-05-27 09:59 . 2013-05-27 09:59    --------    d-----w-    c:\programdata\DYMO
2013-05-24 00:22 . 2013-05-24 00:22    262552    ----a-w-    c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-20 00:51 . 2013-02-18 05:04    867240    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-06-20 00:51 . 2013-02-18 05:04    789416    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-05-20 00:18 . 2013-02-18 05:03    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-20 00:18 . 2013-02-18 05:03    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-30 17:59 . 2013-04-30 17:59    94208    ----a-w-    c:\windows\SysWow64\QuickTimeVR.qtx
2013-04-30 17:59 . 2013-04-30 17:59    69632    ----a-w-    c:\windows\SysWow64\QuickTime.qts
2013-04-04 04:50 . 2013-02-18 05:23    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-18 05:12 . 2013-02-18 05:11    4096000    ----a-w-    c:\program files (x86)\GUT18CE.tmp
2008-12-21 21:46    351744    --sha-w-    c:\windows\SysWOW64\avisynth.dll
2005-07-14 02:31    32256    --sh--w-    c:\windows\SysWOW64\AVSredirect.dll
2004-05-26 12:37    719872    --sha-w-    c:\windows\SysWOW64\devil.dll
2006-05-03 01:06    163328    --sha-r-    c:\windows\SysWOW64\flvDX.dll
2004-01-24 14:00    70656    --sh--w-    c:\windows\SysWOW64\i420vfw.dll
2007-02-21 02:47    31232    --sha-r-    c:\windows\SysWOW64\msfDX.dll
2008-03-16 04:30    216064    --sha-r-    c:\windows\SysWOW64\nbDX.dll
2010-01-06 13:00    107520    --sha-r-    c:\windows\SysWOW64\TAKDSDecoder.dll
2012-10-05 09:54    188416    --sha-r-    c:\windows\SysWOW64\winDCE32.dll
2004-01-24 14:00    70656    --sh--w-    c:\windows\SysWOW64\yv12vfw.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-07 17707624]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2013-06-06 19676256]
"DymoQuickPrint"="c:\program files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2013-03-05 1866544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]
"Everything"="c:\program files (x86)\Everything\Everything.exe" [2013-05-07 947712]
"FTR Search Folders"="c:\program files (x86)\FTR\ForTheRecord\FTRSearchFolders.exe" [2012-12-06 94208]
"DLSService"="c:\program files (x86)\DYMO\DYMO Label Software\DLSService.exe" [BU]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-04-30 421888]
"Pedable"="c:\program files (x86)\NCH Swift Sound\Pedable\pedable.exe" [2013-05-31 282628]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-11 253816]
.
c:\users\erick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-11-5 41160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNDA3100v2 Genie.lnk - c:\program files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2013-2-18 8453376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2365483007-2363724432-2061012144-1110\Scripts\Logon\0\0]
"Script"=\\syd.lt1.biz\netlogon\Admin_drive_mapping.bat
.
R2 AE_USBBUS;Antex Electronics USB Audio Bus Driver;c:\windows\system32\drivers\ae_USBBUS.sys;c:\windows\SYSNATIVE\drivers\ae_USBBUS.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 FTRReporterService;FTR Reporter Service;c:\program files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe;c:\program files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe [x]
R2 WSWNDA3100v2;WSWNDA3100v2;c:\program files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe;c:\program files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [x]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys;c:\windows\SYSNATIVE\DRIVERS\bcmwlhigh664.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 DMX8FAMILY;Antex Electronics USB Adapter Driver (AVS);c:\windows\system32\DRIVERS\ae_usb.sys;c:\windows\SYSNATIVE\DRIVERS\ae_usb.sys [x]
R3 FTR Recorder Cleaner;FTR Recorder Cleaner;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe [x]
R3 FTR Recorder Manager;FTR Recorder Manager;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe [x]
R3 FTR Replicator Service;FTR Replicator Service;c:\program files (x86)\FTR\ForTheRecord\FTRReplicator.exe;c:\program files (x86)\FTR\ForTheRecord\FTRReplicator.exe [x]
R3 FTRSessionFiles;FTRSessionFiles;c:\program files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe;c:\program files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys;c:\windows\SYSNATIVE\drivers\mbamswissarmy.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys;c:\windows\SYSNATIVE\DRIVERS\scmndisp.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 DymoPnpService;DYMO PnP Service;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe;c:\program files\TightVNC\tvnserver.exe [x]
S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys;c:\windows\SYSNATIVE\DRIVERS\dfmirage.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-19 05:58    1165776    ----a-w-    c:\program files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 05:12]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 05:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2012-11-20 1696824]
"DMX8Helper.exe"="c:\windows\system32\Antex\DMX8Helper.exe" [2008-12-02 286208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.152.99.4
FF - ProfilePath - c:\users\erick\AppData\Roaming\Mozilla\Firefox\Profiles\t1lxknww.default-1371617594933\
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2013-06-21  17:33:49 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-21 07:33
ComboFix2.txt  2013-06-19 05:37
ComboFix3.txt  2013-06-18 08:02
.
Pre-Run: 713,936,506,880 bytes free
Post-Run: 714,400,104,448 bytes free
.
- - End Of File - - 526925D8244786A29BA60486C4E25D7B
A36C5E4F47E84449FF07ED3517B43A31
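A small triage helper for the "Reg Loading Points" block of a ComboFix log like the one above. This is an added example, not part of the thread and not ComboFix's own tooling: it parses the REGEDIT4-style sections, flags UAC policy values that weaken elevation prompts, and flags Run-key autostarts whose binary sits in a user-writable path. The sample input is a constructed excerpt in ComboFix's format; its UAC values and the Skype/DYMO entries mirror the posted log, while the "ExampleUpdater" entry is invented to exercise the autostart check. The user-writable path fragments and the value meanings are the author's assumptions from Microsoft's documented UAC registry settings.

```python
"""Triage the "Reg Loading Points" block of a ComboFix log: parse the
REGEDIT4-style sections, flag weakened UAC values and suspicious autostarts."""
import re

# Constructed sample in ComboFix's format. The UAC block and the Skype/DYMO
# entries mirror the log posted above; "ExampleUpdater" is invented to
# exercise the autostart check and does not come from the thread.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-07 17707624]
"ExampleUpdater"="c:\users\sample\AppData\Roaming\Example\updater.exe" [2013-06-01 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"DLSService"="c:\program files (x86)\DYMO\DYMO Label Software\DLSService.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
DWORD_RE = re.compile(r"^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$")   # ComboFix prints "5 (0x5)"
AUTORUN_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<tag>[^\]]*)\]$')

# Path fragments a standard user can write to (assumption for this example).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_loading_points(text):
    """Return {registry_key: {value_name: raw_value_string}} for the block."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("", ".", "REGEDIT4"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("raw").strip()
    return sections


def _dword(raw):
    m = DWORD_RE.match(raw)
    return int(m.group("dec")) if m else None


def check_uac(sections):
    """Flag policies\\system values that weaken UAC or allow software SAS injection."""
    findings = []
    for key, values in sections.items():
        if not key.lower().endswith("\\policies\\system"):
            continue
        v = {name: _dword(raw) for name, raw in values.items()}
        if v.get("EnableLUA") == 0:
            findings.append("EnableLUA=0: UAC is switched off entirely")
        if v.get("ConsentPromptBehaviorAdmin") == 0:
            findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
        if v.get("PromptOnSecureDesktop") == 0:
            findings.append("PromptOnSecureDesktop=0: elevation prompts are drawn on the "
                            "interactive desktop, where user-level code can read or drive them")
        sas = v.get("SoftwareSASGeneration")
        if sas in (1, 3):
            findings.append(f"SoftwareSASGeneration={sas}: services may simulate Ctrl+Alt+Del "
                            "(typical of VNC-style remote control; confirm it is expected)")
    return findings


def check_autostarts(sections):
    """Flag Run-key entries whose binary lives under a user-writable path."""
    findings = []
    for key, values in sections.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, raw in values.items():
            m = AUTORUN_RE.match(raw)
            if m and any(frag in m.group("path").lower() for frag in USER_WRITABLE):
                findings.append(f"{name}: {m.group('path')} runs from a user-writable path")
    return findings


def triage(text):
    sections = parse_loading_points(text)
    return {"uac": check_uac(sections), "autostarts": check_autostarts(sections)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  -", item)
```

Run against the posted log, this raises two UAC findings: PromptOnSecureDesktop=0 and SoftwareSASGeneration=1. Neither is a Rovnix indicator on its own. The SAS value is routinely set by remote-control software (the service list above includes a TightVNC server), and the secure-desktop setting is a local policy choice, but both widen what a user-level process can do to an elevation prompt, so they are worth restoring to their defaults (1 and 0 respectively) or accepting knowingly once the cleanup is finished. The Run-key entries in the posted log all resolve to Program Files, so the autostart check only fires on the invented sample entry.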
 



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 21 June 2013 - 03:00 AM

OK, I won't close it.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#7 ekartoon

  • Topic Starter
  • Members
  • 17 posts

Posted 23 June 2013 - 08:02 PM

Here you go :)

=====================================

ComboFix 13-06-22.01 - erick 24/06/2013  10:51:10.4.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.8147.6642 [GMT 10:00]
Running from: c:\users\erick\Desktop\ComboFix.exe
Command switches used :: c:\users\erick\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\erick\AppData\Local\Temp\_MEI29602\_ctypes.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\_elementtree.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\_hashlib.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\_multiprocessing.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\_socket.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\_ssl.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\pyexpat.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\pysqlite2._sqlite.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\python27.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\pythoncom27.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\PyWinTypes27.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\select.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\unicodedata.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32api.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32com.shell.shell.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32crypt.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32event.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32file.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32inet.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32pdh.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32process.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32profile.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32security.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\win32ts.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\windows._cacheinvalidation.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wx._controls_.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wx._core_.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wx._gdi_.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wx._html2.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wx._misc_.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wx._windows_.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wx._wizard.pyd
c:\users\erick\AppData\Local\Temp\_MEI29602\wxbase294u_net_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\wxbase294u_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_adv_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_core_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_html_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-24 to 2013-06-24  )))))))))))))))))))))))))))))))
.
.
2013-06-24 00:54 . 2013-06-24 00:54    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-06-24 00:54 . 2013-06-24 00:54    --------    d-----w-    c:\users\LT101046-E\AppData\Local\temp
2013-06-21 01:08 . 2013-06-21 02:09    162008    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-21 01:07 . 2013-06-21 01:07    36680    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-06-20 00:52 . 2013-06-20 00:52    --------    d-----w-    c:\users\erick\AppData\Roaming\Oracle
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\windows\Sun
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-06-20 00:51 . 2013-06-20 00:51    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\program files (x86)\Java
2013-06-20 00:50 . 2013-06-20 00:50    --------    d-----w-    c:\programdata\McAfee
2013-06-20 00:36 . 2013-06-20 00:36    --------    d-----w-    c:\program files (x86)\ESET
2013-06-19 04:39 . 2013-06-19 04:40    --------    d-----w-    c:\users\Administrator
2013-06-19 02:44 . 2013-06-19 06:40    --------    d-----w-    c:\program files\WhoCrashed
2013-06-19 01:50 . 2013-06-19 04:16    --------    d-----w-    c:\program files (x86)\Glary Utilities
2013-06-19 01:50 . 2013-06-19 04:16    --------    d-----w-    c:\users\erick\AppData\Roaming\Glarysoft
2013-06-19 01:26 . 2013-06-19 01:37    --------    d-----w-    c:\programdata\HitmanPro
2013-06-18 07:46 . 2013-06-21 02:10    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-18 07:26 . 2013-06-18 07:26    --------    d-----w-    c:\program files\Trend Micro
2013-06-18 07:25 . 2013-06-18 07:26    --------    d--h--w-    c:\windows\AxInstSV
2013-06-18 06:05 . 2013-06-18 06:06    --------    d-----w-    c:\programdata\aa7dbc
2013-06-18 05:38 . 2013-06-19 07:02    --------    d-----w-    c:\program files (x86)\XML Notepad 2007
2013-06-06 00:29 . 2013-06-06 00:29    --------    d-----w-    c:\users\erick\AppData\Roaming\Apple Computer
2013-06-05 05:18 . 2013-06-05 05:32    --------    d-----w-    C:\SMPTE
2013-06-05 05:12 . 2013-06-05 05:12    --------    d-----w-    c:\program files (x86)\TimecodeFG
2013-05-31 05:38 . 2013-05-31 05:40    --------    d-----w-    c:\programdata\NCH Swift Sound
2013-05-31 05:38 . 2013-05-31 05:40    --------    d-----w-    c:\program files (x86)\NCH Swift Sound
2013-05-31 05:25 . 2013-05-31 05:33    --------    d-----w-    c:\program files (x86)\BWF Widget
2013-05-31 05:25 . 2013-05-31 05:25    249856    ------w-    c:\windows\Setup1.exe
2013-05-31 05:25 . 2013-05-31 05:25    73216    ----a-w-    c:\windows\ST6UNST.EXE
2013-05-31 04:45 . 2013-05-31 04:45    --------    d-----w-    c:\users\erick\AppData\Roaming\Media Player Classic
2013-05-31 03:24 . 2013-05-31 03:24    --------    d-----w-    c:\users\erick\AppData\Local\Apple Computer
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-05-31 03:12 . 2013-05-31 03:20    --------    d-----w-    c:\programdata\Apple Computer
2013-05-31 03:12 . 2013-05-31 03:13    --------    d-----w-    c:\program files (x86)\QuickTime
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\program files (x86)\Common Files\Apple
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\users\erick\AppData\Local\Apple
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\program files (x86)\Apple Software Update
2013-05-31 02:23 . 2013-05-31 02:23    --------    d-----w-    c:\programdata\NCH Software
2013-05-31 02:23 . 2013-05-31 02:23    --------    d-----w-    c:\program files (x86)\NCH Software
2013-05-31 02:23 . 2013-05-31 05:38    --------    d-----w-    c:\users\erick\AppData\Roaming\NCH Software
2013-05-27 10:01 . 2013-05-27 10:01    --------    d-----w-    c:\users\erick\AppData\Local\Sanford,_L.P
2013-05-27 10:01 . 2013-05-27 10:01    --------    d-----w-    c:\users\erick\AppData\Local\DYMO
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\programdata\Apple
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\program files\Bonjour
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\program files (x86)\Bonjour
2013-05-27 09:59 . 2013-05-27 09:59    --------    d-----w-    c:\program files (x86)\DYMO
2013-05-27 09:59 . 2013-05-27 09:59    --------    d-----w-    c:\programdata\DYMO
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-20 00:51 . 2013-02-18 05:04    867240    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-06-20 00:51 . 2013-02-18 05:04    789416    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-05-20 00:18 . 2013-02-18 05:03    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-20 00:18 . 2013-02-18 05:03    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-30 17:59 . 2013-04-30 17:59    94208    ----a-w-    c:\windows\SysWow64\QuickTimeVR.qtx
2013-04-30 17:59 . 2013-04-30 17:59    69632    ----a-w-    c:\windows\SysWow64\QuickTime.qts
2013-04-04 04:50 . 2013-02-18 05:23    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-18 05:12 . 2013-02-18 05:11    4096000    ----a-w-    c:\program files (x86)\GUT18CE.tmp
2008-12-21 21:46    351744    --sha-w-    c:\windows\SysWOW64\avisynth.dll
2005-07-14 02:31    32256    --sh--w-    c:\windows\SysWOW64\AVSredirect.dll
2004-05-26 12:37    719872    --sha-w-    c:\windows\SysWOW64\devil.dll
2006-05-03 01:06    163328    --sha-r-    c:\windows\SysWOW64\flvDX.dll
2004-01-24 14:00    70656    --sh--w-    c:\windows\SysWOW64\i420vfw.dll
2007-02-21 02:47    31232    --sha-r-    c:\windows\SysWOW64\msfDX.dll
2008-03-16 04:30    216064    --sha-r-    c:\windows\SysWOW64\nbDX.dll
2010-01-06 13:00    107520    --sha-r-    c:\windows\SysWOW64\TAKDSDecoder.dll
2012-10-05 09:54    188416    --sha-r-    c:\windows\SysWOW64\winDCE32.dll
2004-01-24 14:00    70656    --sh--w-    c:\windows\SysWOW64\yv12vfw.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\aa7dbc ----
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-07 17707624]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2013-06-06 19676256]
"DymoQuickPrint"="c:\program files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2013-03-05 1866544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]
"Everything"="c:\program files (x86)\Everything\Everything.exe" [2013-05-07 947712]
"FTR Search Folders"="c:\program files (x86)\FTR\ForTheRecord\FTRSearchFolders.exe" [2012-12-06 94208]
"DLSService"="c:\program files (x86)\DYMO\DYMO Label Software\DLSService.exe" [BU]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-04-30 421888]
"Pedable"="c:\program files (x86)\NCH Swift Sound\Pedable\pedable.exe" [2013-05-31 282628]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-11 253816]
.
c:\users\erick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-11-5 41160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNDA3100v2 Genie.lnk - c:\program files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2013-2-18 8453376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2365483007-2363724432-2061012144-1110\Scripts\Logon\0\0]
"Script"=\\syd.lt1.biz\netlogon\Admin_drive_mapping.bat
.
R2 AE_USBBUS;Antex Electronics USB Audio Bus Driver;c:\windows\system32\drivers\ae_USBBUS.sys;c:\windows\SYSNATIVE\drivers\ae_USBBUS.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 FTRReporterService;FTR Reporter Service;c:\program files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe;c:\program files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe [x]
R2 WSWNDA3100v2;WSWNDA3100v2;c:\program files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe;c:\program files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [x]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys;c:\windows\SYSNATIVE\DRIVERS\bcmwlhigh664.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 DMX8FAMILY;Antex Electronics USB Adapter Driver (AVS);c:\windows\system32\DRIVERS\ae_usb.sys;c:\windows\SYSNATIVE\DRIVERS\ae_usb.sys [x]
R3 FTR Recorder Cleaner;FTR Recorder Cleaner;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe [x]
R3 FTR Recorder Manager;FTR Recorder Manager;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe [x]
R3 FTR Replicator Service;FTR Replicator Service;c:\program files (x86)\FTR\ForTheRecord\FTRReplicator.exe;c:\program files (x86)\FTR\ForTheRecord\FTRReplicator.exe [x]
R3 FTRSessionFiles;FTRSessionFiles;c:\program files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe;c:\program files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys;c:\windows\SYSNATIVE\drivers\mbamswissarmy.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys;c:\windows\SYSNATIVE\DRIVERS\scmndisp.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 DymoPnpService;DYMO PnP Service;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe;c:\program files\TightVNC\tvnserver.exe [x]
S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys;c:\windows\SYSNATIVE\DRIVERS\dfmirage.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-19 05:58    1165776    ----a-w-    c:\program files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 05:12]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 05:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2012-11-20 1696824]
"DMX8Helper.exe"="c:\windows\system32\Antex\DMX8Helper.exe" [2008-12-02 286208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.152.99.4
FF - ProfilePath - c:\users\erick\AppData\Roaming\Mozilla\Firefox\Profiles\t1lxknww.default-1371617594933\
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2013-06-24  10:57:10 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-24 00:57
ComboFix2.txt  2013-06-19 05:37
ComboFix3.txt  2013-06-18 08:02
.
Pre-Run: 715,577,786,368 bytes free
Post-Run: 715,412,549,632 bytes free
.
- - End Of File - - A30FD8FBF657398A3B4DA0813BAAD664
A36C5E4F47E84449FF07ED3517B43A31
 



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:03:00 AM

Posted 24 June 2013 - 10:42 AM

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where ComboFix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#9 ekartoon

  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:00 PM

Posted 24 June 2013 - 08:19 PM

OK, that has been done. Two things.

Firstly, every time I run ComboFix and the PC reboots I wait for ComboFix to finish. Once it's finished I go and launch any app and I get an error reading

'Illegal operation attempted on a registry key that has been marked for deletion'. It happens no matter what app I try and run.

Secondly, this time after ComboFix rebooted it asked to upload malware files to the server for further analysis.

Below is the log

========================================

ComboFix 13-06-22.01 - erick 25/06/2013  10:57:44.5.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.8147.6845 [GMT 10:00]
Running from: c:\users\erick\Desktop\ComboFix.exe
Command switches used :: c:\users\erick\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\erick\AppData\Local\Temp\_MEI33762\_ctypes.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\_elementtree.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\_hashlib.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\_multiprocessing.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\_socket.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\_ssl.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\pyexpat.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\pysqlite2._sqlite.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\python27.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\pythoncom27.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\PyWinTypes27.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\select.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\unicodedata.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32api.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32com.shell.shell.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32crypt.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32event.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32file.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32inet.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32pdh.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32process.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32profile.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32security.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\win32ts.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\windows._cacheinvalidation.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wx._controls_.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wx._core_.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wx._gdi_.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wx._html2.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wx._misc_.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wx._windows_.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wx._wizard.pyd
c:\users\erick\AppData\Local\Temp\_MEI33762\wxbase294u_net_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\wxbase294u_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_adv_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_core_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_html_vc90.dll
c:\users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-25 to 2013-06-25  )))))))))))))))))))))))))))))))
.
.
2013-06-25 01:01 . 2013-06-25 01:01    --------    d-----w-    c:\users\LT101046-E\AppData\Local\temp
2013-06-25 01:01 . 2013-06-25 01:01    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-06-21 01:08 . 2013-06-21 02:09    162008    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-21 01:07 . 2013-06-21 01:07    36680    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-06-20 00:52 . 2013-06-20 00:52    --------    d-----w-    c:\users\erick\AppData\Roaming\Oracle
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\windows\Sun
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-06-20 00:51 . 2013-06-20 00:51    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-20 00:51 . 2013-06-20 00:51    --------    d-----w-    c:\program files (x86)\Java
2013-06-20 00:50 . 2013-06-20 00:50    --------    d-----w-    c:\programdata\McAfee
2013-06-20 00:36 . 2013-06-20 00:36    --------    d-----w-    c:\program files (x86)\ESET
2013-06-19 04:39 . 2013-06-19 04:40    --------    d-----w-    c:\users\Administrator
2013-06-19 02:44 . 2013-06-19 06:40    --------    d-----w-    c:\program files\WhoCrashed
2013-06-19 01:50 . 2013-06-19 04:16    --------    d-----w-    c:\program files (x86)\Glary Utilities
2013-06-19 01:50 . 2013-06-19 04:16    --------    d-----w-    c:\users\erick\AppData\Roaming\Glarysoft
2013-06-19 01:26 . 2013-06-19 01:37    --------    d-----w-    c:\programdata\HitmanPro
2013-06-18 07:46 . 2013-06-21 02:10    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-18 07:26 . 2013-06-18 07:26    --------    d-----w-    c:\program files\Trend Micro
2013-06-18 07:25 . 2013-06-18 07:26    --------    d--h--w-    c:\windows\AxInstSV
2013-06-18 06:05 . 2013-06-18 06:06    --------    d-----w-    c:\programdata\aa7dbc
2013-06-18 05:38 . 2013-06-19 07:02    --------    d-----w-    c:\program files (x86)\XML Notepad 2007
2013-06-06 00:29 . 2013-06-06 00:29    --------    d-----w-    c:\users\erick\AppData\Roaming\Apple Computer
2013-06-05 05:18 . 2013-06-05 05:32    --------    d-----w-    C:\SMPTE
2013-06-05 05:12 . 2013-06-05 05:12    --------    d-----w-    c:\program files (x86)\TimecodeFG
2013-05-31 05:38 . 2013-05-31 05:40    --------    d-----w-    c:\programdata\NCH Swift Sound
2013-05-31 05:38 . 2013-05-31 05:40    --------    d-----w-    c:\program files (x86)\NCH Swift Sound
2013-05-31 05:25 . 2013-05-31 05:33    --------    d-----w-    c:\program files (x86)\BWF Widget
2013-05-31 05:25 . 2013-05-31 05:25    249856    ------w-    c:\windows\Setup1.exe
2013-05-31 05:25 . 2013-05-31 05:25    73216    ----a-w-    c:\windows\ST6UNST.EXE
2013-05-31 04:45 . 2013-05-31 04:45    --------    d-----w-    c:\users\erick\AppData\Roaming\Media Player Classic
2013-05-31 03:24 . 2013-05-31 03:24    --------    d-----w-    c:\users\erick\AppData\Local\Apple Computer
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2013-05-31 03:13 . 2013-05-31 03:13    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2013-05-31 03:12 . 2013-05-31 03:20    --------    d-----w-    c:\programdata\Apple Computer
2013-05-31 03:12 . 2013-05-31 03:13    --------    d-----w-    c:\program files (x86)\QuickTime
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\program files (x86)\Common Files\Apple
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\users\erick\AppData\Local\Apple
2013-05-31 03:12 . 2013-05-31 03:12    --------    d-----w-    c:\program files (x86)\Apple Software Update
2013-05-31 02:23 . 2013-05-31 02:23    --------    d-----w-    c:\programdata\NCH Software
2013-05-31 02:23 . 2013-05-31 02:23    --------    d-----w-    c:\program files (x86)\NCH Software
2013-05-31 02:23 . 2013-05-31 05:38    --------    d-----w-    c:\users\erick\AppData\Roaming\NCH Software
2013-05-27 10:01 . 2013-05-27 10:01    --------    d-----w-    c:\users\erick\AppData\Local\Sanford,_L.P
2013-05-27 10:01 . 2013-05-27 10:01    --------    d-----w-    c:\users\erick\AppData\Local\DYMO
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\programdata\Apple
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\program files\Bonjour
2013-05-27 10:00 . 2013-05-27 10:00    --------    d-----w-    c:\program files (x86)\Bonjour
2013-05-27 09:59 . 2013-05-27 09:59    --------    d-----w-    c:\program files (x86)\DYMO
2013-05-27 09:59 . 2013-05-27 09:59    --------    d-----w-    c:\programdata\DYMO
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-20 00:51 . 2013-02-18 05:04    867240    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-06-20 00:51 . 2013-02-18 05:04    789416    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-05-20 00:18 . 2013-02-18 05:03    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-20 00:18 . 2013-02-18 05:03    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-30 17:59 . 2013-04-30 17:59    94208    ----a-w-    c:\windows\SysWow64\QuickTimeVR.qtx
2013-04-30 17:59 . 2013-04-30 17:59    69632    ----a-w-    c:\windows\SysWow64\QuickTime.qts
2013-04-04 04:50 . 2013-02-18 05:23    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-18 05:12 . 2013-02-18 05:11    4096000    ------w-    c:\program files (x86)\GUT18CE.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-02-07 17707624]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2013-06-06 19676256]
"DymoQuickPrint"="c:\program files (x86)\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2013-03-05 1866544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]
"Everything"="c:\program files (x86)\Everything\Everything.exe" [2013-05-07 947712]
"FTR Search Folders"="c:\program files (x86)\FTR\ForTheRecord\FTRSearchFolders.exe" [2012-12-06 94208]
"DLSService"="c:\program files (x86)\DYMO\DYMO Label Software\DLSService.exe" [BU]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-04-30 421888]
"Pedable"="c:\program files (x86)\NCH Swift Sound\Pedable\pedable.exe" [2013-05-31 282628]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-11 253816]
.
c:\users\erick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-11-5 41160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNDA3100v2 Genie.lnk - c:\program files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2013-2-18 8453376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2365483007-2363724432-2061012144-1110\Scripts\Logon\0\0]
"Script"=\\syd.lt1.biz\netlogon\Admin_drive_mapping.bat
.
R2 AE_USBBUS;Antex Electronics USB Audio Bus Driver;c:\windows\system32\drivers\ae_USBBUS.sys;c:\windows\SYSNATIVE\drivers\ae_USBBUS.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 FTRReporterService;FTR Reporter Service;c:\program files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe;c:\program files (x86)\FTR\ForTheRecord\FTR.ReporterService.exe [x]
R2 WSWNDA3100v2;WSWNDA3100v2;c:\program files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe;c:\program files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [x]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys;c:\windows\SYSNATIVE\DRIVERS\bcmwlhigh664.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 DMX8FAMILY;Antex Electronics USB Adapter Driver (AVS);c:\windows\system32\DRIVERS\ae_usb.sys;c:\windows\SYSNATIVE\DRIVERS\ae_usb.sys [x]
R3 FTR Recorder Cleaner;FTR Recorder Cleaner;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderCleaner.exe [x]
R3 FTR Recorder Manager;FTR Recorder Manager;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe;c:\program files (x86)\FTR\ForTheRecord\FTRRecorderMgr.exe [x]
R3 FTR Replicator Service;FTR Replicator Service;c:\program files (x86)\FTR\ForTheRecord\FTRReplicator.exe;c:\program files (x86)\FTR\ForTheRecord\FTRReplicator.exe [x]
R3 FTRSessionFiles;FTRSessionFiles;c:\program files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe;c:\program files (x86)\FTR\ForTheRecord\FTRSessionFiles.exe [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys;c:\windows\SYSNATIVE\drivers\mbamswissarmy.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys;c:\windows\SYSNATIVE\DRIVERS\scmndisp.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 DymoPnpService;DYMO PnP Service;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe;c:\program files\TightVNC\tvnserver.exe [x]
S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys;c:\windows\SYSNATIVE\DRIVERS\dfmirage.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-19 05:58    1165776    ----a-w-    c:\program files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 05:12]
.
2013-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 05:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-06 13:57    778192    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2012-11-20 1696824]
"DMX8Helper.exe"="c:\windows\system32\Antex\DMX8Helper.exe" [2008-12-02 286208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.152.99.4
FF - ProfilePath - c:\users\erick\AppData\Roaming\Mozilla\Firefox\Profiles\t1lxknww.default-1371617594933\
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2013-06-25  11:06:45 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-25 01:06
ComboFix2.txt  2013-06-24 00:57
ComboFix3.txt  2013-06-19 05:37
ComboFix4.txt  2013-06-18 08:02
.
Pre-Run: 714,962,018,304 bytes free
Post-Run: 714,964,234,240 bytes free
.
- - End Of File - - 2B15B0A68598070827373069827EE005
A36C5E4F47E84449FF07ED3517B43A31
Upload was successful
 



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 25 June 2013 - 10:08 AM

The message about the registry keys marked for deletion is normal - please restart your computer to fix this.

Also, I've told ComboFix to upload these files to be checked - they're ok.

 

But other things aren't...

 

Please post ComboFix-quarantined-files.txt


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 ekartoon

  • Topic Starter
  • Members
  • 17 posts

Posted 25 June 2013 - 07:52 PM

I have had a look around my PC but cannot seem to find that file. Any idea where it might be located?

Cheers



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 26 June 2013 - 12:31 PM

Oops, sorry.

 

C:\qoobox


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 ekartoon

  • Topic Starter
  • Members
  • 17 posts

Posted 26 June 2013 - 07:48 PM

Thanks for that. Just letting you know as well that it is still blue screening.

 

2013-06-25 00:57:29 . 2013-06-25 00:57:29        2,780,583 ----a-w-  C:\Qoobox\Quarantine\[156]-Submit_2013-06-25_10.57.29.zip
2013-06-25 00:55:21 . 2013-06-25 00:55:21          154,112 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wxbase294u_net_vc90.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           91,648 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_webview_vc90.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          595,968 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_html_vc90.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        1,234,944 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_adv_vc90.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        4,598,272 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wxmsw294u_core_vc90.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        1,985,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wxbase294u_vc90.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        2,436,608 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\python27.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           98,816 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32api.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          128,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\_elementtree.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           44,032 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\_socket.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          557,056 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\pysqlite2._sqlite.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          320,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32com.shell.shell.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           11,264 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32crypt.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           22,528 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32ts.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        1,022,416 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\windows._cacheinvalidation.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          805,888 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wx._gdi_.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           70,656 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wx._html2.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\_multiprocessing.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          364,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\pythoncom27.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           17,408 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32profile.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          735,232 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wx._misc_.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           87,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\_ctypes.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          110,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\PyWinTypes27.dll.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          108,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32security.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        1,175,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wx._core_.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           25,600 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32pdh.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           35,840 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32process.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          711,680 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\_hashlib.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        1,153,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\_ssl.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          119,808 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32file.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           38,912 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32inet.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          811,008 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wx._windows_.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          122,368 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wx._wizard.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21        1,062,400 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\wx._controls_.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          127,488 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\pyexpat.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           10,240 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\select.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21          686,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\unicodedata.pyd.vir
2013-06-25 00:55:21 . 2013-06-25 00:55:21           18,432 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\win32event.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          154,112 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wxbase294u_net_vc90.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           91,648 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_webview_vc90.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        1,234,944 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_adv_vc90.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          595,968 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_html_vc90.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        4,598,272 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wxmsw294u_core_vc90.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        2,436,608 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\python27.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        1,985,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wxbase294u_vc90.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          557,056 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\pysqlite2._sqlite.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           98,816 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32api.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           22,528 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32ts.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          128,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\_elementtree.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           44,032 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\_socket.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          320,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32com.shell.shell.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           11,264 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32crypt.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          805,888 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wx._gdi_.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           70,656 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wx._html2.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\_multiprocessing.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          364,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\pythoncom27.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           17,408 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32profile.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        1,022,416 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\windows._cacheinvalidation.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          735,232 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wx._misc_.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           87,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\_ctypes.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          110,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\PyWinTypes27.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          108,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32security.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        1,175,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wx._core_.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           25,600 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32pdh.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           35,840 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32process.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          711,680 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\_hashlib.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        1,153,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\_ssl.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          119,808 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32file.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           38,912 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32inet.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          811,008 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wx._windows_.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          122,368 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wx._wizard.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        1,062,400 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\wx._controls_.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          127,488 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\pyexpat.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           10,240 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\select.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35          686,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\unicodedata.pyd.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35           18,432 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\win32event.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          154,112 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wxbase294u_net_vc90.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           91,648 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_webview_vc90.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          595,968 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_html_vc90.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        1,234,944 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_adv_vc90.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        4,598,272 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wxmsw294u_core_vc90.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        1,985,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wxbase294u_vc90.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        2,436,608 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\python27.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          557,056 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\pysqlite2._sqlite.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           98,816 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32api.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           22,528 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32ts.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          128,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\_elementtree.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           44,032 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\_socket.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          320,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32com.shell.shell.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           11,264 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32crypt.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          805,888 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wx._gdi_.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           70,656 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wx._html2.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\_multiprocessing.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          364,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\pythoncom27.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           17,408 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32profile.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        1,022,416 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\windows._cacheinvalidation.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          735,232 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wx._misc_.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           87,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\_ctypes.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          110,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\PyWinTypes27.dll.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          108,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32security.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        1,175,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wx._core_.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        1,153,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\_ssl.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           25,600 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32pdh.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           35,840 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32process.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          711,680 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\_hashlib.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          811,008 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wx._windows_.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          119,808 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32file.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           38,912 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32inet.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          122,368 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wx._wizard.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          127,488 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\pyexpat.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           18,432 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\win32event.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31        1,062,400 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\wx._controls_.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31           10,240 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\select.pyd.vir
2013-06-21 07:25:31 . 2013-06-21 07:25:31          686,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI7762\unicodedata.pyd.vir
2013-06-19 05:26:05 . 2013-06-25 01:00:21            7,683 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2013-06-19 04:46:37 . 2013-06-19 04:46:37           91,648 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wxmsw294u_webview_vc90.dll.vir
2013-06-19 04:46:37 . 2013-06-19 04:46:37          154,112 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wxbase294u_net_vc90.dll.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36          595,968 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wxmsw294u_html_vc90.dll.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36        1,234,944 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wxmsw294u_adv_vc90.dll.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36        4,598,272 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wxmsw294u_core_vc90.dll.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36        1,985,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wxbase294u_vc90.dll.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36        2,436,608 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\python27.dll.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36          128,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\_elementtree.pyd.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36           44,032 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\_socket.pyd.vir
2013-06-19 04:46:36 . 2013-06-19 04:46:36           98,816 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32api.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35          557,056 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\pysqlite2._sqlite.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:36           22,528 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32ts.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\_multiprocessing.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35          320,512 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32com.shell.shell.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35           70,656 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wx._html2.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35           11,264 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32crypt.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35          805,888 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wx._gdi_.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35        1,022,416 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\windows._cacheinvalidation.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35           17,408 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32profile.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35           87,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\_ctypes.pyd.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35          364,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\pythoncom27.dll.vir
2013-06-19 04:46:35 . 2013-06-19 04:46:35          735,232 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wx._misc_.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:35          110,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\PyWinTypes27.dll.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34          108,544 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32security.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34        1,175,040 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wx._core_.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34        1,153,024 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\_ssl.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34           25,600 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32pdh.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34           35,840 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32process.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34          711,680 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\_hashlib.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34          811,008 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wx._windows_.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34          122,368 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wx._wizard.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34          119,808 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32file.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34           38,912 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32inet.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34        1,062,400 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\wx._controls_.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34          127,488 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\pyexpat.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34          686,080 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\unicodedata.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34           18,432 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\win32event.pyd.vir
2013-06-19 04:46:34 . 2013-06-19 04:46:34           10,240 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI23482\select.pyd.vir
2013-06-18 08:02:58 . 2013-06-18 08:02:58              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2013-06-18 08:02:30 . 2013-06-25 01:06:16              236 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 08:02:30 . 2013-06-25 01:06:16              236 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 08:02:30 . 2013-06-25 01:06:16              236 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 08:02:30 . 2013-06-25 01:06:16              236 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 08:02:28 . 2013-06-18 08:02:28              562 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mbamswissarmy.reg.dat
2013-06-18 08:02:28 . 2013-06-18 08:02:28              562 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mbamchameleon.reg.dat
2013-06-18 08:02:24 . 2013-06-18 08:02:24              179 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-DLSService.reg.dat
2013-06-18 08:02:24 . 2013-06-19 05:36:34              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 08:02:23 . 2013-06-19 05:36:34              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 08:02:23 . 2013-06-19 05:36:34              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 08:02:23 . 2013-06-19 05:36:34              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}.reg.dat
2013-06-18 07:50:03 . 2013-06-19 05:26:11              842 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2013-06-18 07:45:09 . 2013-06-25 00:56:55              306 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2013-06-18 06:10:17 . 2013-06-18 06:10:53                4 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Roaming\skype.ini.vir
2013-03-15 00:46:09 . 2013-03-15 00:46:09           21,504 ----a-w-  C:\Qoobox\Quarantine\C\Windows\jestertb.dll.vir
2013-02-18 05:14:45 . 2013-02-18 05:14:45            1,016 ----a-w-  C:\Qoobox\Quarantine\C\Users\LT101046-E\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk.vir
2013-02-18 03:47:59 . 2010-02-03 00:20:32           96,784 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\Packet.dll.vir
2013-02-18 03:47:59 . 2010-02-03 00:20:32           53,299 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\pthreadVC.dll.vir
2013-02-18 03:47:59 . 2010-02-03 00:20:32          281,104 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\wpcap.dll.vir
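The listing above has a recognisable shape: most rows are python27.dll and wx*.pyd files under Temp\_MEI<number> directories, which are the per-run extraction folders PyInstaller creates for a bundled Python application, so they reappear and get re-quarantined on every ComboFix run, while the rows that matter for a bootkit case are the MBR backup, the registry backups and the handful of real DLLs. As an added example, not code from the thread or from ComboFix, here is a small Python parser that separates those categories; the row format (<created> . <modified> <size> <attrs> <path>) and the category rules are assumptions inferred from the listing.

```python
"""Parse a ComboFix quarantine listing (ComboFix-quarantined-files.txt) and
summarise what was quarantined.

Added example, not code from the thread or from ComboFix.  The row format
(<created> . <modified> <size> <attrs> <path>) and the category rules are
assumptions inferred from the listing posted in the thread.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# One listing row, e.g.
# 2013-06-18 08:02:58 . 2013-06-18 08:02:58   512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# PyInstaller unpacks a bundled application into a temp dir named _MEI<number>;
# the python27.dll / wx*.pyd rows in the listing all live in such directories,
# so each run of the bundled program recreates them and ComboFix quarantines them again.
PYINSTALLER_DIR_RE = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)

# Quarantined files keep their original path below this prefix, with ".vir" appended.
QUARANTINE_PREFIX = "C:\\Qoobox\\Quarantine\\C\\"


@dataclass
class QuarantineEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str

    @property
    def original_path(self) -> str:
        """Map C:\\Qoobox\\Quarantine\\C\\<rest>.vir back to C:\\<rest>."""
        if self.path.startswith(QUARANTINE_PREFIX) and self.path.endswith(".vir"):
            return "C:\\" + self.path[len(QUARANTINE_PREFIX):-len(".vir")]
        return self.path

    @property
    def kind(self) -> str:
        """Coarse category used for the summary (assumed rules, see module docstring)."""
        if "\\Registry_backups\\" in self.path:
            return "registry_backup"
        if self.path.lower().endswith(".mbr"):
            return "mbr_backup"          # ComboFix's copy of the boot sector
        if self.path.endswith(".vir"):
            if PYINSTALLER_DIR_RE.search(self.path):
                return "pyinstaller_temp"
            return "file"               # a real file moved out of its original location
        return "other"                  # submission archives, catchme.log, ...


def parse_listing(text: str) -> list[QuarantineEntry]:
    """Return one QuarantineEntry per listing row; lines that are not rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(QuarantineEntry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def summarise(entries: list[QuarantineEntry]) -> dict:
    """Counts per kind plus the original paths of the files worth a closer look."""
    by_kind = Counter(e.kind for e in entries)
    return {
        "by_kind": dict(by_kind),
        "mbr_backup_present": by_kind["mbr_backup"] > 0,
        "review": sorted(e.original_path for e in entries if e.kind == "file"),
        "pyinstaller_dirs": sorted({
            PYINSTALLER_DIR_RE.search(e.path).group(0).strip("\\")
            for e in entries if e.kind == "pyinstaller_temp"
        }),
    }


# Constructed sample: a few rows copied from the listing in the thread.
SAMPLE = r"""
2013-06-25 00:57:29 . 2013-06-25 00:57:29        2,780,583 ----a-w-  C:\Qoobox\Quarantine\[156]-Submit_2013-06-25_10.57.29.zip
2013-06-25 00:55:21 . 2013-06-25 00:55:21        2,436,608 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI33762\python27.dll.vir
2013-06-24 00:34:35 . 2013-06-24 00:34:35        2,436,608 ----a-w-  C:\Qoobox\Quarantine\C\Users\erick\AppData\Local\Temp\_MEI29602\python27.dll.vir
2013-06-18 08:02:58 . 2013-06-18 08:02:58              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2013-06-18 08:02:28 . 2013-06-18 08:02:28              562 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mbamswissarmy.reg.dat
2013-03-15 00:46:09 . 2013-03-15 00:46:09           21,504 ----a-w-  C:\Qoobox\Quarantine\C\Windows\jestertb.dll.vir
2013-02-18 03:47:59 . 2010-02-03 00:20:32          281,104 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\wpcap.dll.vir
"""

if __name__ == "__main__":
    for kind, n in sorted(summarise(parse_listing(SAMPLE))["by_kind"].items()):
        print(f"{kind:17s} {n}")
```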
 



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 27 June 2013 - 05:19 AM

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 ekartoon

  • Topic Starter
  • Members
  • 17 posts

Posted 29 June 2013 - 09:48 AM

Hi there
No problem, I will do this as soon as I get back to the office. It is the weekend here and I will not be back in the office till Wednesday morning, so please do not close this thread. Also, do you believe what I have is cleanable? Should I just reformat my drive? I'm happy to keep trying if you think it is fixable. Thanks again for all your help.



