System check Please

Started by MikeW, February 02, 2015, 01:43:31 PM


MikeW

Hi Corrine
I would like you to check my system after an attack which disabled Mbam.
While using Bing Images a notification popped up from Mbam saying protection disabled.
On checking I found Mbam settings had been changed to exclude C: and a scan showed all clear. After checking settings and returning to normal a scan found a trojan. Log attached. Followed up with an Eset online scan which was clear. I have attached all the usual logs and would very much appreciate your expertise.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 02/02/2015
Scan Time: 11:24:48
Logfile: scan.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.02.02
Rootkit Database: v2015.01.14.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 366633
Time Elapsed: 5 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.Agent, C:\Users\User\AppData\Local\Temp\D18A.tmp, 4104, Delete-on-Reboot, [133e38bf0e7b5ed857437a9e04fed62a]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Generic Host Process, C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe, Quarantined, [b49df0071a6fa591a4f6e73157ab46ba]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.Agent, C:\Users\User\AppData\Local\Temp\D18A.tmp, Delete-on-Reboot, [133e38bf0e7b5ed857437a9e04fed62a],

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by User at 13:28:24 on 2015-02-02
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.8147.6188 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adblock Plus for IE\AdblockPlusEngine.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\svchost.exe -k swprv
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?scope=web&mkt=en-GB
mWinlogon: Userinit = userinit.exe,
BHO: Speckie: {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\User\AppData\Roaming\Speckie\bin32\Speckie32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
uRun: [EPSON B42WD Series] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIGKE.EXE /FU "C:\Windows\TEMP\E_S337E.tmp" /EF "HKCU"
uRun: [EPSON P50 Series] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIFFE.EXE /FU "C:\Windows\TEMP\E_S4294.tmp" /EF "HKCU"
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
uPolicies-Explorer: TaskbarNoNotification = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\User\AppData\Roaming\Speckie\bin32\Speckie32.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{F3B6C9A9-E893-441D-A95E-CFF5C1606290} : NameServer = 194.72.9.34,4.2.2.3
TCP: Interfaces\{F3B6C9A9-E893-441D-A95E-CFF5C1606290} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll
x64-Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\User\AppData\Roaming\Speckie\bin64\Speckie64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-7-17 269008]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-2-2 628448]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2012-10-9 163608]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-2-15 1871160]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-2-15 969016]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 125584]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-10-9 363800]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-11-3 395752]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-2-15 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-2-15 129752]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-2-15 63704]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-8-22 368624]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-10-9 677480]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2012-10-9 2182768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2014-4-11 124088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-10 114688]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-9 1255736]
S4 VIAKaraokeService;VIA Karaoke digital mixer Service;C:\Windows\System32\ViakaraokeSrv.exe [2012-10-9 27760]
.
=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2015-02-02 12:25:15   --------   d-----w-   C:\Program Files (x86)\ESET
2015-02-02 11:32:19   75888   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{047DCFE1-1663-4E98-8363-679BF62B2BC9}\offreg.dll
2015-02-02 09:56:13   --------   d-----r-   C:\Users\User\Dpics
2015-02-02 08:04:34   11870360   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{047DCFE1-1663-4E98-8363-679BF62B2BC9}\mpengine.dll
2015-02-01 17:41:35   11870360   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-25 22:42:35   71344   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-25 22:42:35   701616   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2015-01-22 08:03:48   1188440   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDF69A87-62AC-4FFB-835D-A4477865C345}\gapaengine.dll
.
==================== Find3M  ====================
.
2015-02-02 11:31:42   129752   ----a-w-   C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-12-31 11:14:31   298120   ------w-   C:\Windows\System32\MpSigStub.exe
2014-12-19 03:06:55   210432   ----a-w-   C:\Windows\System32\profsvc.dll
2014-12-19 01:46:45   141312   ----a-w-   C:\Windows\System32\drivers\mrxdav.sys
2014-12-13 05:09:01   144384   ----a-w-   C:\Windows\System32\ieUnatt.exe
2014-12-13 03:33:44   115712   ----a-w-   C:\Windows\SysWow64\ieUnatt.exe
2014-12-12 05:35:10   5553592   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2014-12-12 05:31:49   503808   ----a-w-   C:\Windows\System32\srcore.dll
2014-12-12 05:31:49   50176   ----a-w-   C:\Windows\System32\srclient.dll
2014-12-12 05:31:22   296960   ----a-w-   C:\Windows\System32\rstrui.exe
2014-12-12 05:11:44   3971512   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2014-12-12 05:11:43   3916728   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2014-12-12 05:07:44   43008   ----a-w-   C:\Windows\SysWow64\srclient.dll
2014-12-11 17:47:12   52736   ----a-w-   C:\Windows\System32\TSWbPrxy.exe
2014-12-06 04:17:27   303616   ----a-w-   C:\Windows\System32\nlasvc.dll
2014-12-06 03:50:19   52224   ----a-w-   C:\Windows\SysWow64\nlaapi.dll
2014-12-06 03:50:18   156672   ----a-w-   C:\Windows\SysWow64\ncsi.dll
2014-11-22 03:06:23   2724864   ----a-w-   C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11   4096   ----a-w-   C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39   66560   ----a-w-   C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10   580096   ----a-w-   C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54   48640   ----a-w-   C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20   88064   ----a-w-   C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:29   114688   ----a-w-   C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51   814080   ----a-w-   C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07   6039552   ----a-w-   C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31   968704   ----a-w-   C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44   2724864   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16   77824   ----a-w-   C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43   501248   ----a-w-   C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17   62464   ----a-w-   C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32   47616   ----a-w-   C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02   64000   ----a-w-   C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:54:30   620032   ----a-w-   C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10   1359360   ----a-w-   C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58   2125312   ----a-w-   C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04   60416   ----a-w-   C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26   4299264   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21   2358272   ----a-w-   C:\Windows\System32\wininet.dll
2014-11-22 01:22:49   2052096   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57   1155072   ----a-w-   C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20   1888256   ----a-w-   C:\Windows\SysWow64\wininet.dll
2014-11-21 06:14:22   63704   ----a-w-   C:\Windows\System32\drivers\mwac.sys
2014-11-21 06:14:12   93400   ----a-w-   C:\Windows\System32\drivers\mbamchameleon.sys
2014-11-21 06:14:08   25816   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2014-11-19 04:31:16   1217192   ----a-w-   C:\Windows\SysWow64\FM20.DLL
2014-11-11 03:09:06   1424384   ----a-w-   C:\Windows\System32\WindowsCodecs.dll
2014-11-11 03:08:52   241152   ----a-w-   C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48   728064   ----a-w-   C:\Windows\System32\kerberos.dll
2014-11-11 02:44:45   1230336   ----a-w-   C:\Windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44:32   186880   ----a-w-   C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25   550912   ----a-w-   C:\Windows\SysWow64\kerberos.dll
.
============= FINISH: 13:28:38.17 ===============
Win 11 Home MS Edge - WD - Mbam Pro
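What the posted MBAM log actually caught is worth spelling out: the trojan persisted through an HKLM Run value named "Generic Host Process" (the real description string of svchost.exe) that launched svchoste.exe from C:\Users\User\AppData\Roaming\Mozilla, a near-miss of a system binary name in a user-writable folder. The DDS log also shows EnableLUA = 0, i.e. UAC switched off, so anything running as this admin user already has full rights. Below is an added example (not code from the post, Malwarebytes or DDS) that applies those two triage rules to DDS-style "uRun/mRun/x64-Run" and "mPolicies-System" lines. The sample lines are constructed to mirror the posted logs, with the quarantined Run value re-added since the DDS log no longer shows it; the assumption that DDS prints dword values in decimal is inferred from the posted NoDriveTypeAutoRun = dword:145 (the usual 0x91).

```python
"""Triage of DDS/HJT-style autostart and policy lines.

Added example, not code from the original post, Malwarebytes or DDS. The
sample log is constructed to mirror the posted logs; the 'Generic Host
Process' Run entry reproduces the value MBAM quarantined.
"""
import re
from dataclasses import dataclass

# Constructed sample in DDS "Pseudo HJT Report" format.
SAMPLE_LINES = r"""
uRun: [EPSON B42WD Series] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIGKE.EXE /FU "C:\Windows\TEMP\E_S337E.tmp" /EF "HKCU"
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun: [Generic Host Process] C:\Users\User\AppData\Roaming\Mozilla\svchoste.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
"""

# Names malware likes to imitate. A near-miss (svchoste) is suspicious, and
# so is the genuine name started from outside C:\Windows.
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "smss", "winlogon", "explorer",
                   "taskhost", "spoolsv", "dwm", "rundll32", "services"}
# Directories a non-admin user, or a drive-by payload, can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")

RUN_RE = re.compile(r"^(?P<key>\S*Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumption: DDS prints dword data in decimal (NoDriveTypeAutoRun = dword:145).
POLICY_RE = re.compile(r"^(?P<key>\S*Policies-System): (?P<value>\w+) = dword:(?P<data>\d+)$")
# First quoted or unquoted path ending in an executable extension.
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))\b"?', re.I)


@dataclass
class Finding:
    severity: str
    line: str
    reasons: list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """Return the launched image from a Run value, ignoring its arguments."""
    m = IMAGE_RE.match(cmd.strip())
    if m:
        return m.group("path")
    parts = cmd.split()
    return parts[0] if parts else cmd


def check_run_entry(line: str, cmd: str):
    path = image_path(cmd)
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons, severity = [], "medium"
    if any(mark in low for mark in USER_WRITABLE):
        reasons.append(f"autostart image in user-writable location: {path}")
    if stem in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
        reasons.append(f"'{stem}' launched from outside C:\\Windows")
        severity = "high"
    elif stem not in SYSTEM_BINARIES:
        near = sorted(s for s in SYSTEM_BINARIES if edit_distance(stem, s) == 1)
        if near:
            reasons.append(f"'{stem}' imitates system binary '{near[0]}'")
            severity = "high"
    return Finding(severity, line, reasons) if reasons else None


def check_policies(p: dict) -> list:
    out = []
    if p.get("EnableLUA") == 0:
        out.append(Finding("high", "EnableLUA = 0",
                           ["UAC is off: every process of an admin user runs fully elevated"]))
    elif p.get("ConsentPromptBehaviorAdmin") == 0:
        out.append(Finding("medium", "ConsentPromptBehaviorAdmin = 0",
                           ["admins elevate silently, no consent prompt"]))
    if p.get("PromptOnSecureDesktop") == 0 and p.get("EnableLUA") != 0:
        out.append(Finding("low", "PromptOnSecureDesktop = 0",
                           ["UAC prompt not on the secure desktop; spoofable by user-mode code"]))
    return out


def triage(log_text: str) -> list:
    """Run both rule sets over a DDS-style log and return the findings."""
    findings, policies = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            f = check_run_entry(line, m.group("cmd"))
            if f:
                findings.append(f)
        elif m := POLICY_RE.match(line):
            policies[m.group("value")] = int(m.group("data"))
    findings.extend(check_policies(policies))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the script flags exactly two lines: the svchoste.exe Run value (both rules fire) and EnableLUA = 0; the EPSON, VIA and Security Client entries pass, as they did in Corrine's review of the real log.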

Corrine

Hi, Mike.

Fast action on your part seeing the change in MBAM settings!  Seeing you are "User" on your computer, I gather you created this folder:  C:\Users\User\Dpics.  If not, please let me know.  Otherwise, all looks fine in the logs.  Is your computer operating normally?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

MikeW

Hi Corrine

That's not something I recognise, nor can I find it with a general search:

C:\Users\User\Dpics

Corrine

I'm glad I asked.  It shows with a creation date of today, although not shown in the MBAM log as having been removed.  Let's see what ComboFix shows/does.

Please follow these instructions carefully.  Download ComboFix from the following location:  Link 1

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

    Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts. 
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, a log will be produced. Please copy C:\ComboFix.txt in your next reply.



MikeW

Thanks Corrine

ComboFix 15-02-02.01 - User 02/02/2015  14:58:23.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.8147.6506 [GMT 0:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-02 to 2015-02-02  )))))))))))))))))))))))))))))))
.
.
2015-02-02 15:00 . 2015-02-02 15:00   --------   d-----w-   c:\users\UpdatusUser\AppData\Local\temp
2015-02-02 15:00 . 2015-02-02 15:00   --------   d-----w-   c:\users\Default\AppData\Local\temp
2015-02-02 14:36 . 2015-02-02 14:36   --------   d-----r-   c:\users\User\Dpics
2015-02-02 12:25 . 2015-02-02 12:25   --------   d-----w-   c:\program files (x86)\ESET
2015-02-02 11:32 . 2015-02-02 11:32   75888   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{047DCFE1-1663-4E98-8363-679BF62B2BC9}\offreg.dll
2015-02-02 08:04 . 2014-12-02 10:26   11870360   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{047DCFE1-1663-4E98-8363-679BF62B2BC9}\mpengine.dll
2015-02-01 17:41 . 2014-12-02 10:26   11870360   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-25 22:42 . 2015-01-25 22:42   71344   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-25 22:42 . 2015-01-25 22:42   701616   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2015-01-22 08:03 . 2014-09-16 16:36   1188440   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FDF69A87-62AC-4FFB-835D-A4477865C345}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-02 11:31 . 2014-02-15 13:12   129752   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-13 22:17 . 2012-10-09 16:04   113365784   ----a-w-   c:\windows\system32\MRT.exe
2014-12-31 11:14 . 2010-11-21 03:27   298120   ------w-   c:\windows\system32\MpSigStub.exe
2014-12-13 05:09 . 2014-12-18 08:27   144384   ----a-w-   c:\windows\system32\ieUnatt.exe
2014-12-13 03:33 . 2014-12-18 08:27   115712   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2014-11-27 01:43 . 2014-12-10 08:21   389296   ----a-w-   c:\windows\system32\iedkcs32.dll
2014-11-22 03:13 . 2014-12-10 08:21   25059840   ----a-w-   c:\windows\system32\mshtml.dll
2014-11-22 03:06 . 2014-12-10 08:21   2724864   ----a-w-   c:\windows\system32\mshtml.tlb
2014-11-22 03:06 . 2014-12-10 08:21   4096   ----a-w-   c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:50 . 2014-12-10 08:21   66560   ----a-w-   c:\windows\system32\iesetup.dll
2014-11-22 02:50 . 2014-12-10 08:21   580096   ----a-w-   c:\windows\system32\vbscript.dll
2014-11-22 02:49 . 2014-12-10 08:21   48640   ----a-w-   c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:49 . 2014-12-10 08:21   2885120   ----a-w-   c:\windows\system32\iertutil.dll
2014-11-22 02:48 . 2014-12-10 08:21   88064   ----a-w-   c:\windows\system32\MshtmlDac.dll
2014-11-22 02:41 . 2014-12-10 08:21   54784   ----a-w-   c:\windows\system32\jsproxy.dll
2014-11-22 02:40 . 2014-12-10 08:21   34304   ----a-w-   c:\windows\system32\iernonce.dll
2014-11-22 02:37 . 2014-12-10 08:21   633856   ----a-w-   c:\windows\system32\ieui.dll
2014-11-22 02:35 . 2014-12-10 08:21   114688   ----a-w-   c:\windows\system32\ieetwcollector.exe
2014-11-22 02:34 . 2014-12-10 08:21   814080   ----a-w-   c:\windows\system32\jscript9diag.dll
2014-11-22 02:34 . 2014-12-10 08:21   6039552   ----a-w-   c:\windows\system32\jscript9.dll
2014-11-22 02:26 . 2014-12-10 08:21   968704   ----a-w-   c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 02:22 . 2014-12-10 08:21   490496   ----a-w-   c:\windows\system32\dxtmsft.dll
2014-11-22 02:20 . 2014-12-10 08:21   2724864   ----a-w-   c:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14 . 2014-12-10 08:21   77824   ----a-w-   c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 02:09 . 2014-12-10 08:21   199680   ----a-w-   c:\windows\system32\msrating.dll
2014-11-22 02:08 . 2014-12-10 08:21   92160   ----a-w-   c:\windows\system32\mshtmled.dll
2014-11-22 02:07 . 2014-12-10 08:21   501248   ----a-w-   c:\windows\SysWow64\vbscript.dll
2014-11-22 02:07 . 2014-12-10 08:21   62464   ----a-w-   c:\windows\SysWow64\iesetup.dll
2014-11-22 02:06 . 2014-12-10 08:21   47616   ----a-w-   c:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05 . 2014-12-10 08:21   64000   ----a-w-   c:\windows\SysWow64\MshtmlDac.dll
2014-11-22 02:05 . 2014-12-10 08:21   316928   ----a-w-   c:\windows\system32\dxtrans.dll
2014-11-22 01:54 . 2014-12-10 08:21   620032   ----a-w-   c:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:49 . 2014-12-10 08:21   718848   ----a-w-   c:\windows\system32\ie4uinit.exe
2014-11-22 01:49 . 2014-12-10 08:21   800768   ----a-w-   c:\windows\system32\msfeeds.dll
2014-11-22 01:47 . 2014-12-10 08:21   1359360   ----a-w-   c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:46 . 2014-12-10 08:21   2125312   ----a-w-   c:\windows\system32\inetcpl.cpl
2014-11-22 01:43 . 2014-12-10 08:21   14412800   ----a-w-   c:\windows\system32\ieframe.dll
2014-11-22 01:40 . 2014-12-10 08:21   60416   ----a-w-   c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29 . 2014-12-10 08:21   4299264   ----a-w-   c:\windows\SysWow64\jscript9.dll
2014-11-22 01:28 . 2014-12-10 08:21   2358272   ----a-w-   c:\windows\system32\wininet.dll
2014-11-22 01:22 . 2014-12-10 08:21   2052096   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21 . 2014-12-10 08:21   1155072   ----a-w-   c:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:15 . 2014-12-10 08:21   1548288   ----a-w-   c:\windows\system32\urlmon.dll
2014-11-22 01:03 . 2014-12-10 08:21   800768   ----a-w-   c:\windows\system32\ieapfltr.dll
2014-11-22 01:00 . 2014-12-10 08:21   1888256   ----a-w-   c:\windows\SysWow64\wininet.dll
2014-11-21 06:14 . 2014-02-15 13:12   63704   ----a-w-   c:\windows\system32\drivers\mwac.sys
2014-11-21 06:14 . 2014-02-15 13:12   93400   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 06:14 . 2014-02-15 13:12   25816   ----a-w-   c:\windows\system32\drivers\mbam.sys
2014-11-19 04:31 . 2014-11-19 04:31   1217192   ----a-w-   c:\windows\SysWow64\FM20.DLL
2014-11-11 03:09 . 2014-12-10 08:20   1424384   ----a-w-   c:\windows\system32\WindowsCodecs.dll
2014-11-11 03:08 . 2014-11-19 08:32   241152   ----a-w-   c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-19 08:32   728064   ----a-w-   c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-12-10 08:20   1230336   ----a-w-   c:\windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44 . 2014-11-19 08:32   186880   ----a-w-   c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-19 08:32   550912   ----a-w-   c:\windows\SysWow64\kerberos.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-02-09 5015040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
R4 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2012-05-22 980920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/?scope=web&mkt=en-GB
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F3B6C9A9-E893-441D-A95E-CFF5C1606290}: NameServer = 194.72.9.34,4.2.2.3
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2015-02-02  15:01:28
    ComboFix-quarantined-files.txt  2015-02-02 15:01
    .
    Pre-Run: 440,036,782,080 bytes free
    Post-Run: 439,866,929,152 bytes free
    .
    - - End Of File - - BE599CDF740A1D7E4F477A387BC7EFD9
    A36C5E4F47E84449FF07ED3517B43A31
Win 11 Home MS Edge - WD - Mbam Pro

Corrine

Thank you.  Let's see if ComboFix can remove that folder.  I don't like that it is read-only and the original creation date shown in the DDS log is prior to the MBAM & ESET scans.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


Folder::
c:\users\User\Dpics


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

MikeW

Log after Script

ComboFix 15-02-02.01 - User 02/02/2015  15:40:41.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.8147.6359 [GMT 0:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-02 to 2015-02-02  )))))))))))))))))))))))))))))))
.
.
2015-02-02 15:42 . 2015-02-02 15:42   --------   d-----w-   c:\users\UpdatusUser\AppData\Local\temp
2015-02-02 15:42 . 2015-02-02 15:42   --------   d-----w-   c:\users\Default\AppData\Local\temp
2015-02-02 15:03 . 2014-12-02 10:26   11870360   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7CD116D8-2D0A-462F-A64D-BF2A3833CE7C}\mpengine.dll
2015-02-02 14:36 . 2015-02-02 14:36   --------   d-----r-   c:\users\User\Dpics
2015-02-02 12:25 . 2015-02-02 12:25   --------   d-----w-   c:\program files (x86)\ESET
2015-02-01 17:41 . 2014-12-02 10:26   11870360   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-25 22:42 . 2015-01-25 22:42   71344   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-25 22:42 . 2015-01-25 22:42   701616   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2015-01-22 08:03 . 2014-09-16 16:36   1188440   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FDF69A87-62AC-4FFB-835D-A4477865C345}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-02 11:31 . 2014-02-15 13:12   129752   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-13 22:17 . 2012-10-09 16:04   113365784   ----a-w-   c:\windows\system32\MRT.exe
2014-12-31 11:14 . 2010-11-21 03:27   298120   ------w-   c:\windows\system32\MpSigStub.exe
2014-12-13 05:09 . 2014-12-18 08:27   144384   ----a-w-   c:\windows\system32\ieUnatt.exe
2014-12-13 03:33 . 2014-12-18 08:27   115712   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2014-11-27 01:43 . 2014-12-10 08:21   389296   ----a-w-   c:\windows\system32\iedkcs32.dll
2014-11-22 03:13 . 2014-12-10 08:21   25059840   ----a-w-   c:\windows\system32\mshtml.dll
2014-11-22 03:06 . 2014-12-10 08:21   2724864   ----a-w-   c:\windows\system32\mshtml.tlb
2014-11-22 03:06 . 2014-12-10 08:21   4096   ----a-w-   c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:50 . 2014-12-10 08:21   66560   ----a-w-   c:\windows\system32\iesetup.dll
2014-11-22 02:50 . 2014-12-10 08:21   580096   ----a-w-   c:\windows\system32\vbscript.dll
2014-11-22 02:49 . 2014-12-10 08:21   48640   ----a-w-   c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:49 . 2014-12-10 08:21   2885120   ----a-w-   c:\windows\system32\iertutil.dll
2014-11-22 02:48 . 2014-12-10 08:21   88064   ----a-w-   c:\windows\system32\MshtmlDac.dll
2014-11-22 02:41 . 2014-12-10 08:21   54784   ----a-w-   c:\windows\system32\jsproxy.dll
2014-11-22 02:40 . 2014-12-10 08:21   34304   ----a-w-   c:\windows\system32\iernonce.dll
2014-11-22 02:37 . 2014-12-10 08:21   633856   ----a-w-   c:\windows\system32\ieui.dll
2014-11-22 02:35 . 2014-12-10 08:21   114688   ----a-w-   c:\windows\system32\ieetwcollector.exe
2014-11-22 02:34 . 2014-12-10 08:21   814080   ----a-w-   c:\windows\system32\jscript9diag.dll
2014-11-22 02:34 . 2014-12-10 08:21   6039552   ----a-w-   c:\windows\system32\jscript9.dll
2014-11-22 02:26 . 2014-12-10 08:21   968704   ----a-w-   c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 02:22 . 2014-12-10 08:21   490496   ----a-w-   c:\windows\system32\dxtmsft.dll
2014-11-22 02:20 . 2014-12-10 08:21   2724864   ----a-w-   c:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14 . 2014-12-10 08:21   77824   ----a-w-   c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 02:09 . 2014-12-10 08:21   199680   ----a-w-   c:\windows\system32\msrating.dll
2014-11-22 02:08 . 2014-12-10 08:21   92160   ----a-w-   c:\windows\system32\mshtmled.dll
2014-11-22 02:07 . 2014-12-10 08:21   501248   ----a-w-   c:\windows\SysWow64\vbscript.dll
2014-11-22 02:07 . 2014-12-10 08:21   62464   ----a-w-   c:\windows\SysWow64\iesetup.dll
2014-11-22 02:06 . 2014-12-10 08:21   47616   ----a-w-   c:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05 . 2014-12-10 08:21   64000   ----a-w-   c:\windows\SysWow64\MshtmlDac.dll
2014-11-22 02:05 . 2014-12-10 08:21   316928   ----a-w-   c:\windows\system32\dxtrans.dll
2014-11-22 01:54 . 2014-12-10 08:21   620032   ----a-w-   c:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:49 . 2014-12-10 08:21   718848   ----a-w-   c:\windows\system32\ie4uinit.exe
2014-11-22 01:49 . 2014-12-10 08:21   800768   ----a-w-   c:\windows\system32\msfeeds.dll
2014-11-22 01:47 . 2014-12-10 08:21   1359360   ----a-w-   c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:46 . 2014-12-10 08:21   2125312   ----a-w-   c:\windows\system32\inetcpl.cpl
2014-11-22 01:43 . 2014-12-10 08:21   14412800   ----a-w-   c:\windows\system32\ieframe.dll
2014-11-22 01:40 . 2014-12-10 08:21   60416   ----a-w-   c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29 . 2014-12-10 08:21   4299264   ----a-w-   c:\windows\SysWow64\jscript9.dll
2014-11-22 01:28 . 2014-12-10 08:21   2358272   ----a-w-   c:\windows\system32\wininet.dll
2014-11-22 01:22 . 2014-12-10 08:21   2052096   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21 . 2014-12-10 08:21   1155072   ----a-w-   c:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:15 . 2014-12-10 08:21   1548288   ----a-w-   c:\windows\system32\urlmon.dll
2014-11-22 01:03 . 2014-12-10 08:21   800768   ----a-w-   c:\windows\system32\ieapfltr.dll
2014-11-22 01:00 . 2014-12-10 08:21   1888256   ----a-w-   c:\windows\SysWow64\wininet.dll
2014-11-21 06:14 . 2014-02-15 13:12   63704   ----a-w-   c:\windows\system32\drivers\mwac.sys
2014-11-21 06:14 . 2014-02-15 13:12   93400   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 06:14 . 2014-02-15 13:12   25816   ----a-w-   c:\windows\system32\drivers\mbam.sys
2014-11-19 04:31 . 2014-11-19 04:31   1217192   ----a-w-   c:\windows\SysWow64\FM20.DLL
2014-11-11 03:09 . 2014-12-10 08:20   1424384   ----a-w-   c:\windows\system32\WindowsCodecs.dll
2014-11-11 03:08 . 2014-11-19 08:32   241152   ----a-w-   c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-19 08:32   728064   ----a-w-   c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-12-10 08:20   1230336   ----a-w-   c:\windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44 . 2014-11-19 08:32   186880   ----a-w-   c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-19 08:32   550912   ----a-w-   c:\windows\SysWow64\kerberos.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-02-09 5015040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
R4 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2012-05-22 980920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/?scope=web&mkt=en-GB
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F3B6C9A9-E893-441D-A95E-CFF5C1606290}: NameServer = 194.72.9.34,4.2.2.3
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-02-02  15:43:23
ComboFix-quarantined-files.txt  2015-02-02 15:43
ComboFix2.txt  2015-02-02 15:01
.
Pre-Run: 439,928,520,704 bytes free
Post-Run: 439,497,588,736 bytes free
.
- - End Of File - - 3BC1E2C89FB1E27E62388B61CC9987EF
A36C5E4F47E84449FF07ED3517B43A31

MikeW

DDS

still shows it

=============== File Associations ===============
.
FileExt: .reg: regfile=regedit.exe "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2015-02-02 15:46:54   11870360   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4CFACB7A-8419-4FA3-9491-DD03ECB8D596}\mpengine.dll
2015-02-02 15:43:27   --------   d-sh--w-   C:\$RECYCLE.BIN
2015-02-02 15:40:02   --------   d-----w-   C:\ComboFix
2015-02-02 14:57:35   98816   ----a-w-   C:\Windows\sed.exe
2015-02-02 14:57:35   256000   ----a-w-   C:\Windows\PEV.exe
2015-02-02 14:57:35   208896   ----a-w-   C:\Windows\MBR.exe
2015-02-02 14:36:31   --------   d-----r-   C:\Users\User\Dpics
2015-02-02 12:25:15   --------   d-----w-   C:\Program Files (x86)\ESET
2015-02-01 17:41:35   11870360   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-25 22:42:35   71344   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-25 22:42:35   701616   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2015-01-22 08:03:48   1188440   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FDF69A87-62AC-4FFB-835D-A4477865C345}\gapaengine.dll
.
==================== Find3M  ====================
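The question in this exchange is whether a folder that survives the scans is just a leftover or something to worry about, and Corrine's reasoning rests on two things the DDS "Created Last 30" section already records: the attribute column (the "r" in "d-----r-" for a read-only directory) and the creation timestamp relative to the scans. The following Python helper is an added example for this thread, not part of DDS, ComboFix or SystemLook. It parses listing lines in that format (four lines copied from the DDS log above plus one constructed Temp\demo line) and flags user-profile entries that are read-only directories or were created shortly before a reference scan time. The attribute-column positions are read off the samples on the page rather than from any documented spec, and the 4-hour window and the 15:00 reference time are assumptions chosen for the demonstration.

```python
"""Triage helper for the "Created Last 30" section of a DDS log (added example).

Each listing line has the shape
    YYYY-MM-DD HH:MM:SS   <size or -------->   <attrs>   <path>
The 8-character attribute field is interpreted by position as seen in the
posted samples (an assumption, not a documented format):
    [0] 'd' directory  [2] 's' system  [3] 'h' hidden  [4] 'a' archive
    [6] 'w' writable / 'r' read-only
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Four lines copied from the DDS log in the post above, plus one constructed
# line (Temp\demo) that the time-window rule hits but the read-only rule does not.
SAMPLE_LINES = r"""
2015-02-02 15:43:27   --------   d-sh--w-   C:\$RECYCLE.BIN
2015-02-02 15:40:02   --------   d-----w-   C:\ComboFix
2015-02-02 14:57:35   98816   ----a-w-   C:\Windows\sed.exe
2015-02-02 14:36:31   --------   d-----r-   C:\Users\User\Dpics
2015-02-02 14:30:10   --------   d-----w-   C:\Users\User\AppData\Local\Temp\demo
2015-02-02 12:25:15   --------   d-----w-   C:\Program Files (x86)\ESET
"""

# Constructed reference time: the scan the folder should have been caught by.
SCAN_TIME = datetime(2015, 2, 2, 15, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+"          # directories show eight dashes for size
    r"(?P<attrs>[-dshawr]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    created: datetime
    size: Optional[int]   # None when the size column is dashes (directories)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_hidden_system(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"

    @property
    def is_readonly(self) -> bool:
        return self.attrs[6] == "r"

    @property
    def in_user_profile(self) -> bool:
        return self.path.lower().startswith("c:\\users\\")


def parse_dds_created(text: str) -> List[Entry]:
    """Turn listing lines into Entry objects; headers, '.' separators and
    blank lines do not match the pattern and are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(Entry(
            created=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            size=size, attrs=m["attrs"], path=m["path"]))
    return entries


def triage(entries: List[Entry], scan_time: datetime,
           window: timedelta = timedelta(hours=4)) -> Dict[str, List[str]]:
    """Map path -> reasons for user-profile entries that deserve a second look:
    a read-only directory (unusual for user-created folders, and the point
    raised in the thread) or anything created in the hours before the scan."""
    flagged: Dict[str, List[str]] = {}
    hours = int(window.total_seconds() // 3600)
    for e in entries:
        if not e.in_user_profile:
            continue
        reasons: List[str] = []
        if e.is_dir and e.is_readonly:
            reasons.append("read-only directory under user profile")
        if scan_time - window <= e.created <= scan_time:
            reasons.append("created within %dh before scan" % hours)
        if reasons:
            flagged[e.path] = reasons
    return flagged


def triage_sample() -> Dict[str, List[str]]:
    """Run the triage over the embedded sample with the constructed scan time."""
    return triage(parse_dds_created(SAMPLE_LINES), SCAN_TIME)


if __name__ == "__main__":
    for path, why in triage_sample().items():
        print(path, "->", "; ".join(why))
```

The window and the path prefix are deliberately simple knobs: in a real triage you would set the reference time to the timestamp of the scan that was supposed to clear the machine and widen the prefix list to the other locations the logs on this page show (ProgramData, the Temp folders), then look at the survivors with a directory listing that shows hidden files, which is exactly what the SystemLook :dir step later in the thread does.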

Corrine

Let's do a double-check to see if the folder still exists since all that is showing is the creation date/time.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2



  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:dir
C:\Users\User\Dpics

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.  Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



MikeW

SystemLook 30.07.11 by jpshortstuff
Log created at 16:47 on 02/02/2015 by User
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

C:\Users\User\Dpics - Parameters: "(none)"

---Files---
desktop.ini   --ahs-- 504 bytes   [14:36 02/02/2015]   [14:36 02/02/2015]

---Folders---
None found.

-= EOF =-

Corrine

Good!  That makes me feel much better.  :) 

If everything seems back to normal, let's take care of removing the tools used.  If not, let me know in your next reply.

Please download Delfix from here.

Ensure the following boxes are checked:
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore

  • Click Run



MikeW

Many thanks Corrine.
Once again a second pair of eyes makes all the difference.
I feel much happier now after your help.  :Hammys pint:

Mike


winchester73

Was there anything to upload to Virus Total?
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member