On occasions, including now, the Comodo Internet Security window (which has "Secure" displayed when everything is activated, but is active upon typing in "Comodo Internet Security" in "Start" - "Search") and the bottom right ">" (preventing access to other icons) are nowhere in sight since I used Combofix. I'm not sure how to reactivate them for display and access, but here is a quick note prior to the results of Combofix:
While monitoring Combofix, a window came up stating "PEV.exe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available".
Underneath this was "Close program". Windows did not automatically close the program. I initially waited while Combofix was running, but as nothing was happening, I had to manually close the program. NB: This did not disrupt Combofix in any way; it allowed Combofix to continue its scan and later log.
As well as this, Comodo's alert came up stating "PV.3XE is an unrecognized file", which was then Sandboxed as "Partially Limited".
Here is the Combofix log:
ComboFix 13-12-04.04 - David 05/12/2013 20:31:03.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.844 [GMT 0:00]
Running from: c:\users\David\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1375804039.1544.bin
c:\programdata\1375804039.1568.bin
c:\programdata\1375804039.1956.bin
c:\programdata\1375804039.2160.bin
c:\programdata\1375804039.3004.bin
c:\programdata\1375804039.3296.bin
c:\programdata\1375804039.3336.bin
c:\programdata\1375804039.3920.bin
c:\programdata\1375804039.456.bin
c:\programdata\1375804039.528.bin
c:\programdata\1375804322.bdinstall.bin
c:\programdata\1376056372.bdinstall.bin
.
.
((((((((((((((((((((((((( Files Created from 2013-11-05 to 2013-12-05 )))))))))))))))))))))))))))))))
.
.
2013-12-05 19:36 . 2013-12-05 19:53 75992 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-12-04 19:04 . 2013-12-04 19:04 -------- d-----w- c:\users\David\AppData\Local\Nero_AG
2013-12-03 19:35 . 2013-12-03 21:07 -------- d-----w- c:\program files\Nero
2013-11-29 10:52 . 2012-10-17 04:04 580712 ------w- c:\windows\system32\HPDiscoPMB111.dll
2013-11-28 18:31 . 2013-11-28 18:31 -------- d-----w- c:\program files\HP Photo Creations
2013-11-28 18:31 . 2013-11-28 18:31 -------- d-----w- c:\programdata\Visan
2013-11-28 18:31 . 2013-11-28 18:31 -------- d-----w- c:\programdata\HP Photo Creations
2013-11-28 18:24 . 2013-11-29 10:54 -------- d-----w- c:\users\David\AppData\Local\HP
2013-11-26 07:58 . 2013-11-26 07:58 -------- d-----w- c:\programdata\McAfee
2013-11-13 11:54 . 2013-10-13 10:49 149744 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2013-11-13 11:54 . 2013-10-13 09:33 768512 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2013-11-13 11:54 . 2013-10-13 09:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-13 11:54 . 2013-10-13 09:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-11-13 09:10 . 2013-10-03 12:45 297984 ----a-w- c:\windows\system32\gdi32.dll
2013-11-13 09:10 . 2013-10-03 12:45 993792 ----a-w- c:\windows\system32\crypt32.dll
2013-11-13 09:09 . 2013-10-11 02:08 444928 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-11-13 09:09 . 2013-10-11 02:07 596480 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-11-07 15:53 . 2013-11-07 15:53 -------- d-----w- c:\program files\iPod
2013-11-07 15:53 . 2013-11-07 15:54 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-11-07 15:53 . 2013-11-07 15:54 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-02 08:41 . 2012-04-09 06:43 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-02 08:41 . 2011-05-17 06:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-14 11:38 . 2013-06-18 15:15 584496 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-11-14 11:38 . 2013-06-18 15:15 36000 ----a-w- c:\windows\system32\cmdcsr.dll
2013-09-24 10:54 . 2013-06-18 15:16 85464 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-09-24 10:54 . 2013-06-18 15:15 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-09-24 10:54 . 2013-06-18 15:15 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-09-24 10:53 . 2013-06-18 15:15 354240 ----a-w- c:\windows\system32\guard32.dll
2013-09-24 10:53 . 2013-06-18 15:15 280792 ----a-w- c:\windows\system32\cmdvrt32.dll
2013-09-24 10:53 . 2013-06-18 15:15 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Radio Downloader"="c:\program files\Radio Downloader\Radio Downloader.exe" [2012-11-16 529888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-29 6144000]
"diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2008-07-29 557149]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-02 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-02 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-02 154136]
"PrintDisp"="c:\windows\system32\PrintDisp.exe" [2009-08-21 878080]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-11-11 1576152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-10 958576]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-08-27 295512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-02 152392]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"NBAgent"="c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe" [2009-09-01 1086760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
backupExtension=.Startup
backup=c:\windows\pss\BBC iPlayer Desktop.lnk.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-10-28 12:18 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-11-02 00:29 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 02:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-07-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 08:41]
.
2013-12-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-02-01 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com?fr=fp-comodo
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A4BCBEB3-1FF3-4CB6-878B-E568516CAE41}: NameServer = 156.154.70.22,156.154.71.22
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-12-05 20:40
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:30,35,8b,dc,2d,26,cd,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-12-05 20:43:51
ComboFix-quarantined-files.txt 2013-12-05 20:43
.
Pre-Run: 87,634,886,656 bytes free
Post-Run: 87,588,446,208 bytes free
.
- - End Of File - - DF761D780DAD53113C9D5A17FC7508CA
5C616939100B85E558DA92B899A0FC36