Win64:Dropper-Gen[Drp]

I tried opening Windows Explorer and got this error:

C:\Windows\explorer.exe

Operation did not complete successfully because the file contains a virus

So I did a scan with Avast and the results showed:

File name:C:\Windows\explorer.exe Severity: High Status: Threat:Win64:Dropper-Gen[Drp]

The recommended action was move to chest but I got an error: specified file is read only (6009)

No idea what to do at this point, so looking for help. Thanks.

Hi there, I will go right in with the big boy first

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

My computer seems to be running fine; I am now able to open Windows Explorer.

ComboFix 14-03-05.01 - Jason 03/07/2014 10:16:41.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3959.2193 [GMT -5:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
AV: avast! Antivirus Disabled/Updated {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus Disabled/Updated {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender Enabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\cflog\CrashLog_20130724.txt
C:\END
c:\users\Jason\AppData\Local\assembly\tmp
c:\users\Jason\videos\Start Button.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-02-07 to 2014-03-07 )))))))))))))))))))))))))))))))
.
.
2014-03-07 15:27 . 2014-03-07 15:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-07 14:41 . 2014-03-07 14:41 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA96C98-71CD-4C1A-A292-844AFC899BF2}\offreg.dll
2014-03-07 07:26 . 2014-02-06 09:01 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA96C98-71CD-4C1A-A292-844AFC899BF2}\mpengine.dll
2014-03-02 19:06 . 2014-03-02 19:06 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-02 19:06 . 2014-03-02 19:06 -------- d-----w- c:\program files\iTunes
2014-03-02 19:06 . 2014-03-02 19:06 -------- d-----w- c:\program files (x86)\iTunes
2014-03-02 19:06 . 2014-03-02 19:06 -------- d-----w- c:\program files\iPod
2014-02-26 06:34 . 2014-02-26 06:34 -------- d-----w- c:\windows\Migration
2014-02-14 18:02 . 2014-02-14 18:02 -------- d-----w- c:\program files (x86)\Pokemon Showdown
2014-02-12 20:43 . 2013-12-21 09:53 548864 ----a-w- c:\windows\system32\vbscript.dll
2014-02-12 20:43 . 2013-12-21 08:56 454656 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-02-12 17:53 . 2013-12-06 02:30 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-02-12 17:52 . 2013-12-24 23:09 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2014-02-12 17:52 . 2013-12-24 22:48 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2014-02-12 17:52 . 2013-11-22 22:48 3928064 ----a-w- c:\windows\system32\d2d1.dll
2014-02-12 17:52 . 2013-11-26 08:16 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-21 04:19 . 2012-03-29 05:49 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-21 04:19 . 2011-05-17 11:46 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-15 22:55 . 2011-01-03 22:13 88567024 ----a-w- c:\windows\system32\MRT.exe
2013-12-18 11:13 . 2010-12-26 19:38 270496 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Jason\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
"F.lux"="c:\users\Jason\AppData\Local\FluxSoftware\Flux\flux.exe" [2013-10-15 1013128]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-08-01 3673696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2013-02-28 4767304]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe
R2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys
R2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys
R3 aswVmm;aswVmm;
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys;c:\windows\SYSNATIVE\DRIVERS\motfilt.sys
R3 dump_wmimmc;dump_wmimmc;c:\ignitedgames\WindSlayer2\GameGuard\dump_wmimmc.sys;c:\ignitedgames\WindSlayer2\GameGuard\dump_wmimmc.sys
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys
R3 Gun;Gun;c:\game\SoftnyxGame\GunBoundIS\Gun64.sys;c:\game\SoftnyxGame\GunBoundIS\Gun64.sys
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys;c:\windows\SYSNATIVE\DRIVERS\motccgp.sys
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys;c:\windows\SYSNATIVE\DRIVERS\motccgpfl.sys
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys;c:\windows\SYSNATIVE\DRIVERS\Motousbnet.sys
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys;c:\windows\SYSNATIVE\DRIVERS\motport.sys
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys;c:\windows\SYSNATIVE\DRIVERS\motusbdevice.sys
R3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys;c:\windows\SYSNATIVE\DRIVERS\nlndis.sys
R3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys;c:\windows\SYSNATIVE\DRIVERS\nlndis.sys
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des;c:\windows\SYSNATIVE\GameMon.des
R3 PSSDK42;PSSDK42;c:\windows\system32\Drivers\pssdk42.sys;c:\windows\SYSNATIVE\Drivers\pssdk42.sys
R3 PSSDKLBF;PSSDKLBF;c:\windows\system32\Drivers\pssdklbf.sys;c:\windows\SYSNATIVE\Drivers\pssdklbf.sys
R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys;c:\aeriagames\EdenEternal\sjcs64.sys
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 uqk;uqk;c:\koramgame\STOnline\avital\wyqku64.sys;c:\koramgame\STOnline\avital\wyqku64.sys
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys
R3 usj;usj;c:\aeriagames\EdenEternal\avital\ussjcs64.sys;c:\aeriagames\EdenEternal\avital\ussjcs64.sys
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys;c:\windows\SYSNATIVE\Drivers\VMUVC.sys
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys;c:\windows\SYSNATIVE\drivers\vvftUVC.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys
R3 X6va003;X6va003;c:\users\Jason\AppData\Local\Temp\003FCB6.tmp;c:\users\Jason\AppData\Local\Temp\003FCB6.tmp
R3 X6va005;X6va005;c:\users\Jason\AppData\Local\Temp\00530FF.tmp;c:\users\Jason\AppData\Local\Temp\00530FF.tmp
R3 X6va006;X6va006;c:\users\Jason\AppData\Local\Temp\006C49D.tmp;c:\users\Jason\AppData\Local\Temp\006C49D.tmp
R3 X6va009;X6va009;c:\windows\SysWOW64\Drivers\X6va009;c:\windows\SysWOW64\Drivers\X6va009
R3 X6va012;X6va012;c:\windows\SysWOW64\Drivers\X6va012;c:\windows\SysWOW64\Drivers\X6va012
R3 X6va013;X6va013;c:\windows\SysWOW64\Drivers\X6va013;c:\windows\SysWOW64\Drivers\X6va013
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe
S0 aswRvrt;aswRvrt;
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys
S0 sptd;sptd;c:\windows\SystemRoot\System32\Drivers\sptd.sys;c:\windows\SystemRoot\System32\Drivers\sptd.sys
S1 aswSnx;aswSnx;
S1 aswSP;aswSP;
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys;c:\windows\SYSNATIVE\DRIVERS\tmlwf.sys
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe
S2 aswFsBlk;aswFsBlk;
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe;c:\program files\Broadcom\BPowMon\BPowMon.exe
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys;c:\windows\SYSNATIVE\DRIVERS\tmwfp.sys
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 38054838
*NewlyCreated* - 49052150
*Deregistered* - 38054838
*Deregistered* - 49052150
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-07 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 04:19]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-02-28 08:35 133840 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=hp&installDate=19/10/2013
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421;192.168.*.*;;*.local
uSearchAssistant = hxxp://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&q={searchTerms}&installDate=19/10/2013
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{1A760F14-656D-40EA-B5DC-06D0D10AB9E0}: NameServer = 192.168.0.1,192.168.2.1
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\z2o2e9yv.default
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.soft-quick.info/?l=1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.ca/
FF - prefs.js: keyword.URL - hxxp://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=CA&userid=ce917bfa-2d26-d2b1-b4f3-bd2e4720613a&searchtype=ds&installDate=19/10/2013&q=
.
--------------------- ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-LoL Summoner Information - c:\program files (x86)\LSI\LoLSummonerInfo.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
WebBrowser-{7473B6BD-4691-4744-A82B-7854EB3D70B6} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_8fa3539.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va003]
"ImagePath"="\??\c:\users\Jason\AppData\Local\Temp\003FCB6.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\Jason\AppData\Local\Temp\00530FF.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va006]
"ImagePath"="\??\c:\users\Jason\AppData\Local\Temp\006C49D.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va009]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va009"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va012]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va012"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va013]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va013"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_12_0_0_70.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_12_0_0_70.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_12_0_0_70.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_12_0_0_70.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-03-07 10:31:25
ComboFix-quarantined-files.txt 2014-03-07 15:31
.
Pre-Run: 144,267,874,304 bytes free
Post-Run: 144,275,374,080 bytes free
.
- - End Of File - - F851C2A704D7777FECF3680DDFC212AF
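Added triage helper (my code, written for this thread; not ComboFix's or the helper's): it parses a constructed excerpt in ComboFix's log format and pulls out the three things the log above gives a defender to review: services whose image sits in a user's Temp folder, the UAC policy values set to 0, and browser start/search pages pointing at hosts the user did not choose. The excerpt and the TRUSTED_HOSTS allowlist are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in ComboFix's log format, modelled on the log posted above
# (abbreviated; the entries mirror ones that appear in the thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys
R3 X6va003;X6va003;c:\users\Jason\AppData\Local\Temp\003FCB6.tmp;c:\users\Jason\AppData\Local\Temp\003FCB6.tmp
.
uStart Page = hxxp://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&searchtype=hp
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.soft-quick.info/?l=1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.ca/
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);([^;]*)")  # "R3 name;display;path;path"
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                    # "[HKEY_...]" block header
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')                 # '"Name"= 0 (0x0)' -> "0"
URL_RE = re.compile(r"hxxps?://\S+")                               # ComboFix defangs http as hxxp
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
UAC_KEY_SUFFIX = "currentversion\\policies\\system"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")
TRUSTED_HOSTS = {"google.ca", "google.com"}  # assumption: hosts the user set on purpose
BROWSER_PREFIXES = ("uStart Page", "mStart Page", "uSearchAssistant", "FF - prefs.js:")

def parse_services(lines):
    # Each R*/S* line is "StartType name;display name;image path;image path (native view)".
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            out.append({"start": m.group(1), "name": m.group(2), "display": m.group(3), "path": m.group(4)})
    return out

def parse_reg_values(lines):
    # Map (lower-cased key path, value name) -> first token of the value ("0", "1", ...).
    values, key = {}, None
    for line in lines:
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group(1).lower()
            continue
        v = REG_VAL_RE.match(line)
        if v and key:
            values[(key, v.group(1))] = v.group(2)
    return values

def reg_value(values, key_suffix, name):
    return next((v for (k, n), v in values.items() if k.endswith(key_suffix) and n == name), None)

def untrusted_browser_hosts(lines):
    # Start page / search URLs whose host is not one the user chose are the adware hijack signal.
    hosts = []
    for line in lines:
        if not line.startswith(BROWSER_PREFIXES):
            continue
        for m in URL_RE.finditer(line):
            host = urlparse(m.group(0)).netloc.lower()
            if host and host not in TRUSTED_HOSTS:
                hosts.append(host)
    return hosts

def triage(log_text):
    # temp_services: a service image under a user's Temp directory has no legitimate installer story.
    # uac_disabled: EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop at 0 switch UAC off.
    # appinit_dlls_enabled: AppInit_DLLs loading is a classic injection channel; confirm it is wanted.
    lines = log_text.splitlines()
    reg = parse_reg_values(lines)
    return {
        "temp_services": [s["name"] for s in parse_services(lines) if TEMP_DIR_RE.search(s["path"])],
        "uac_disabled": [n for n in UAC_VALUES if reg_value(reg, UAC_KEY_SUFFIX, n) == "0"],
        "appinit_dlls_enabled": reg_value(reg, "currentversion\\windows", "LoadAppInit_DLLs") == "1",
        "untrusted_browser_hosts": untrusted_browser_hosts(lines),
    }
```

Run `triage(open("ComboFix.txt").read())` on a real log; the remaining R*/S* entries that point at `SysWOW64\Drivers\X6va0xx` files without an extension are worth the same scrutiny even though they are not under Temp.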

You can attach the log; it will make it easier.

OK, looking at that I will need to run OTL and AdwCleaner to clear some adware.

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

After the reboot following the AdwCleaner scan I have had trouble connecting to the internet; not sure if this is related.
I am replying from another computer using a wireless connection but am unable to connect using my computer directly connected to the router.

The log is attached; should I go ahead and run the OTL scan as well?

Reboot the computer and if you are still unable to connect then run this small OTL fix

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:Files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh winsock reset /c
netsh advfirewall reset /c

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Unfortunately, I am still unable to connect even after the fix.

Attached are the logs of the fix and the quick scan, respectively.

I am also having this problem, and this only started occurring today. I have a feeling it’s a false positive from Avast’s latest virus definition update. Here is the file on virustotal https://www.virustotal.com/en/file/c1a580448bc33d89399370c506661a46416ed983a3e5a5433affb1db5e28940f/analysis/1394214390/

When you try to get online what error does windows give you

Download and run the trendmicro uninstaller from here http://esupport.trendmicro.com/solution/en-us/1037161.aspx

If it is a false positive, then I am not getting it

I’m running a 64bit version of Windows 7 Ultimate. Virus definition 140307-0
EDIT: well it (the explorer.exe I have) probably doesn’t actually depend on what version of windows 7 (other than 32/64bit) I’m running does it? Hmm…

When I open my browser I get: Server not found

The network and sharing centre says: Unidentified network, no internet access

I ran the trendmicro uninstaller but that did not fix the problem.

Also got alert from Avast about this, ran all the suggested fixes and checked with Virustotal.
Seems like false positive. https://www.virustotal.com/fi/file/868efdba6e8e51bbdc99a45bbdfd2fccfa16b5e4851d86e905cf3cd0e89b602d/analysis/1394221096/

EDIT: definitions are 140307-1 (on wife’s laptop 140307-0 and no virus detected)

Interesting to see it affect some of us and not others. I bet if you checked your wife’s explorer.exe, it would be different from the one on your computer. I have whitelisted explorer.exe for myself for now.

Looking at the replies, should I system restore to before the scans I've done?

The computer I’m using atm is very old and slow, so I kinda need to get back to my usual computer.

well unfortunately for you I think you have other issues other than the false positive so…

Yes system restore to the point prior to the AdwCleaner run and we will do a manual removal instead

Combofix should have created a restore point after it finished