also @ TechSpot: OCZ Vertex 450 SSD Review

TechSpot

TechSpot News Products Downloads Forums

About
Sign in

Welcome to TechSpot

Why should I register?

Sign up for a new account or log in here:

Forgot your password?

Couldn't sign you in, please try again.

Svchost.exe (Trojan.agent) Malwarebytes cannot remove/system crashing

Discussion in 'Virus and Malware Removal' started by mmcook, Apr 12, 2012.

Post New Reply

Page 2 of 7

Broni Malware Annihilator Posts: 39,349 +175
Good

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

Double-click on the Rkill icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Broni, Apr 13, 2012

#21
mmcook Newcomer, in training Posts: 75

I can't download anything on my computer in safe mode right now. Are you saying to download it onto the USB drive from my working computer and transfer the Combofix program to the infected computer and run it in safe mode there? Can I do that?

mmcook, Apr 13, 2012

#22
Broni Malware Annihilator Posts: 39,349 +175

There is a good chance that normal mode may work just fine now.
Try it first.

If not, yes, "download it onto the USB drive from my working computer and transfer the Combofix program to the infected computer and run it in safe mode there"

Broni, Apr 13, 2012

#23
mmcook Newcomer, in training Posts: 75

Normal mode does not work. When I booted it almost immediately gave me the same multiple "System Message Write Fault Errors" that I described before. It was at least a dozen pop ups. I clicked continue through all of them. This was followed by a message saying "System Error Hard Disk Failure. Windows has lost access to the system partition during I/O process. This may also lead to potential loss of data. Highly recommended to run complete HDD scan to prevent lost* of files, applications and documents.

* it was misspelled like that in the message - "lost" instead of "loss"

My choices were to Scan and Repair or Scan Later (reboot required). I just X'd out of the box and the computer immediately rebooted itself. I have now shut it down.

Do you know what is causing this? Is it somthing you think Combofix can fix?

Would trying to run malwarebytes from safe mode be a bad idea right now?

Thank you so much for your help with all this.

mmcook, Apr 13, 2012

#24
Broni Malware Annihilator Posts: 39,349 +175

"download it onto the USB drive from my working computer and transfer the Combofix program to the infected computer and run it in safe mode there"

Broni, Apr 13, 2012

#25

mmcook Newcomer, in training Posts: 75

Combofix is detecting our anti-virus symantec software and telling me to disable it, but I can't find it to disable it in safe mode. Any advise on how to disable this from safe mode?

mmcook, Apr 14, 2012

#26

Broni Malware Annihilator Posts: 39,349 +175

Disregard that warning.

Broni, Apr 14, 2012

#27
mmcook Newcomer, in training Posts: 75

Got it:

ComboFix 12-04-13.01 - mmcook 04/14/2012 0:57.1.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4085.3359 [GMT -4:00]
Running from: c:\users\mmcook\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\dcafecfdct.exe
c:\programdata\NaDwLaiRnW.exe
c:\users\mmcook\AppData\Local\Microsoft\MicrosoftData
c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}
c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\chrome.manifest
c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\chrome\xulcache.jar
c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\defaults\preferences\xulcache.js
c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\install.rdf
c:\users\mmcook\AppData\Roaming\Obfo\doenqia.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\svchost.exe
c:\windows\system32\consrv.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\users\Meeples\AppData\Local\temp
2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\users\Andrew & Connor\AppData\Local\temp
2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-04-14 00:39 . 2012-04-14 00:39 747416 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-14 00:26 . 2012-04-14 00:26 -------- d-----w- c:\users\mmcook\transfer
2012-04-13 22:26 . 2012-04-13 22:26 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-13 22:24 . 2012-04-13 22:21 323072 ----a-w- c:\programdata\QkqnRvQCEE.exe
2012-04-13 01:22 . 2012-04-14 05:02 -------- d-----w- c:\users\mmcook\AppData\Roaming\Obfo
2012-04-13 01:22 . 2012-04-13 01:23 -------- d-----w- c:\users\mmcook\AppData\Roaming\Maac
2012-04-13 01:22 . 2012-04-13 01:22 148992 ----a-w- c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe
2012-04-13 01:22 . 2012-04-13 01:22 148992 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe
2012-04-13 01:22 . 2012-04-13 01:22 148992 ----a-w- c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe
2012-04-12 03:55 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 03:55 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 03:55 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 03:55 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 03:55 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-12 03:55 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-12 03:55 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-09 23:42 . 2012-04-09 23:42 -------- d--h--w- c:\program files (x86)\Microsoft Security Client
2012-04-09 23:42 . 2012-04-11 05:02 -------- d--h--w- c:\program files\Microsoft Security Client
2012-03-23 23:44 . 2012-04-11 05:35 -------- d--h--w- c:\users\Meeples\AppData\Local\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2009-12-06 18:43 24904 ---ha-w- c:\windows\system32\drivers\mbam.sys
2012-02-17 06:38 . 2012-03-14 07:16 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 07:16 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 07:16 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 07:16 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-14 07:17 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 07:17 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-04 16:25 . 2011-06-22 23:15 414368 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-03 04:34 . 2012-03-14 07:17 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-14 07:16 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 07:16 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 07:16 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\11\ISUSPM.exe" [2008-09-26 210208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"cwcptray"="c:\program files (x86)\ContentWatch\Internet Protection\cwtray.exe" [2010-12-11 353600]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-12-04 115560]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-17 976832]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"QkqnRvQCEE.exe"="c:\programdata\QkqnRvQCEE.exe" [2012-04-13 323072]
.
c:\users\mmcook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-12 113664]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
kofatu.exe [2012-4-12 148992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R4 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-05-01 181544]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-17 98208]
S2 CwAltaService20;ContentWatch;c:\program files (x86)\ContentWatch\Internet Protection\cwsvc.exe [2010-12-11 2100544]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
"combofix"="c:\combofix\CF31561.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\cwalsp.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{058EBD97-84C5-452A-9433-C54A9896D2Aa} - c:\windows\SysWow64\wscui32.dll
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
Wow6432Node-HKCU-Run-{D6D291BC-AD64-8943-4893-465406344EC6} - c:\users\mmcook\AppData\Roaming\Obfo\doenqia.exe
Wow6432Node-HKCU-Run-dcafecfdct - c:\programdata\dcafecfdct.exe
Wow6432Node-HKLM-Run-DellSupportCenter - c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
Wow6432Node-HKLM-Run-cpQeUCMUEXwA.exe - c:\programdata\cpQeUCMUEXwA.exe
Wow6432Node-HKLM-Run-NaDwLaiRnW.exe - c:\programdata\NaDwLaiRnW.exe
Wow6432Node-HKLM-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
Wow6432Node-HKU-Default-Run-AppsUpdate - c:\users\mmcook\AppData\Local\Apps\AppsUpdate\Appsupdt32.exe
Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
Wow6432Node-HKU-Default-Run-dcafecfdct - c:\programdata\dcafecfdct.exe
SafeBoot-Symantec Antvirus
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2341466117-3050677054-3231783024-1000\Software\SecuROM\License information*]
"datasecu"=hex:fe,15,ac,b2,1a,3b,31,5c,89,b0,cd,56,20,81,76,1c,ad,8a,cf,7f,08,
bc,6f,c4,b0,02,41,5e,0f,84,04,85,df,fe,c9,ac,80,13,0a,f6,13,7e,74,30,9b,15,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2012-04-14 01:20:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-14 05:20
.
Pre-Run: 475,362,340,864 bytes free
Post-Run: 477,203,619,840 bytes free
.
- - End Of File - - 3B15F58850F84D98DE26647069B75EDE

mmcook, Apr 14, 2012

#28
Broni Malware Annihilator Posts: 39,349 +175
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

DiirLook:: c:\users\mmcook\AppData\Roaming\Obfo c:\users\mmcook\AppData\Roaming\Maac File:: c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000000 ClearJavaCache::

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
Broni, Apr 14, 2012

#29
mmcook Newcomer, in training Posts: 75

Computer can still not boot in normal mode without immediately crashing. I get the same series of error messages I posted before. Ran again in Safe Mode:

ComboFix 12-04-13.01 - mmcook 04/14/2012 13:41:58.2.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4085.3427 [GMT -4:00]
Running from: c:\users\mmcook\Desktop\ComboFix.exe
Command switches used :: c:\users\mmcook\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe"
"c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe
c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\users\Meeples\AppData\Local\temp
2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\users\Andrew & Connor\AppData\Local\temp
2012-04-14 00:39 . 2012-04-14 00:39 747416 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-14 00:26 . 2012-04-14 00:26 -------- d-----w- c:\users\mmcook\transfer
2012-04-13 22:26 . 2012-04-13 22:26 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-13 22:24 . 2012-04-13 22:21 323072 ----a-w- c:\programdata\QkqnRvQCEE.exe
2012-04-13 01:22 . 2012-04-14 05:02 -------- d-----w- c:\users\mmcook\AppData\Roaming\Obfo
2012-04-13 01:22 . 2012-04-13 01:23 -------- d-----w- c:\users\mmcook\AppData\Roaming\Maac
2012-04-12 03:55 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 03:55 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 03:55 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 03:55 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 03:55 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-12 03:55 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-12 03:55 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-09 23:42 . 2012-04-09 23:42 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-04-09 23:42 . 2012-04-11 05:02 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-23 23:44 . 2012-04-11 05:35 -------- d-----w- c:\users\Meeples\AppData\Local\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2009-12-06 18:43 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-17 06:38 . 2012-03-14 07:16 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 07:16 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 07:16 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 07:16 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-14 07:17 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 07:17 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-04 16:25 . 2011-06-22 23:15 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-03 04:34 . 2012-03-14 07:17 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-14 07:16 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 07:16 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 07:16 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-14_05.07.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-06 15:30 . 2012-04-14 05:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-06 15:30 . 2012-04-11 03:31 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-04-11 03:31 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-14 05:25 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:46 . 2012-04-07 10:54 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 04:46 . 2012-04-14 17:13 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-04-14 17:28 . 2012-04-14 17:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-14 05:04 . 2012-04-14 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-14 17:28 . 2012-04-14 17:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-14 05:04 . 2012-04-14 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-04-08 04:09 420488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-14 17:13 420488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{058EBD97-84C5-452A-9433-C54A9896D2Aa}]
c:\windows\SysWow64\wscui32.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\11\ISUSPM.exe" [2008-09-26 210208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"cwcptray"="c:\program files (x86)\ContentWatch\Internet Protection\cwtray.exe" [2010-12-11 353600]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-12-04 115560]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-17 976832]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"QkqnRvQCEE.exe"="c:\programdata\QkqnRvQCEE.exe" [2012-04-13 323072]
.
c:\users\mmcook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-12 113664]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-17 98208]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 CwAltaService20;ContentWatch;c:\program files (x86)\ContentWatch\Internet Protection\cwsvc.exe [2010-12-11 2100544]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]
R2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R4 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-05-01 181544]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\cwalsp.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2341466117-3050677054-3231783024-1000\Software\SecuROM\License information*]
"datasecu"=hex:fe,15,ac,b2,1a,3b,31,5c,89,b0,cd,56,20,81,76,1c,ad,8a,cf,7f,08,
bc,6f,c4,b0,02,41,5e,0f,84,04,85,df,fe,c9,ac,80,13,0a,f6,13,7e,74,30,9b,15,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-14 13:51:12
ComboFix-quarantined-files.txt 2012-04-14 17:51
ComboFix2.txt 2012-04-14 05:20
.
Pre-Run: 477,251,506,176 bytes free
Post-Run: 477,038,698,496 bytes free
.
- - End Of File - - 84362E710BE311238CDC5FABB8AD5C7F

mmcook, Apr 14, 2012

#30
Broni Malware Annihilator Posts: 39,349 +175

What are the error messages when you boot to normal mode/

Broni, Apr 15, 2012

#31
mmcook Newcomer, in training Posts: 75

I am getting three different types of error messages right now.

(1) On Boot I get multiple (like 20) pop-ups that say "System Message Write Fault Error" "A write command during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception error when using a reference to an invalid system mempry access." I am then given the choices of Cancel/Try Again/Continue. I have typically clicked cancel or continue through these pop-ups.

(2) That is immediately followed by a pop up that says "System Error Hard Disk Failure. Windows has lost access to the system partition during I/O process. This may also lead to potential loss of data. Highly recommended to run complete HDD scan to prevent lost of files, applications and documents.

(The message has a spelling error in it when it says recommended to run the scan to prevent "lost" of data instead of "Loss".)

I am given the choices of Scan and Repair or Scan Later (reboot required). I have always just closed this box without selecting anything and then the computer reboots itself.

(3) I also get another error message occasionally when running in Safe Mode which says: "There is a problem with your ContentWatch Installation. Please try to uninstall and reinstall the program. If the problem persists contact customer support."

Those are what I remember. I haven't tried to reboot into normal mode since the last run of Combofix.

mmcook, Apr 15, 2012

#32
Broni Malware Annihilator Posts: 39,349 +175

Give me new aswMBR log.

Broni, Apr 15, 2012

#33
mmcook Newcomer, in training Posts: 75

Because I have no internet in Safe Mode it was unable to download the lastest virus definitions:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-15 13:49:01
-----------------------------
13:49:01.584 OS Version: Windows x64 6.1.7601 Service Pack 1
13:49:01.584 Number of processors: 2 586 0x170A
13:49:01.584 ComputerName: COOK-HOME UserName: mmcook
13:49:02.505 Initialize success
13:53:36.706 AVAST engine download error: 0
13:53:39.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:53:39.046 Disk 0 Vendor: WDC_WD6400AAKS-75A7B2 01.03B01 Size: 610480MB BusType: 3
13:53:39.062 Disk 0 MBR read successfully
13:53:39.062 Disk 0 MBR scan
13:53:39.062 Disk 0 Windows 7 default MBR code
13:53:39.077 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
13:53:39.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 7918 MB offset 112640
13:53:39.093 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 602506 MB offset 16328704
13:53:39.109 Disk 0 scanning C:\Windows\system32\drivers
13:53:44.288 Service scanning
13:53:57.844 Modules scanning
13:53:57.844 Disk 0 trace - called modules:
13:53:57.860 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
13:53:57.860 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80048b0060]
13:53:57.875 3 CLASSPNP.SYS[fffff880019b543f] -> nt!IofCallDriver -> [0xfffffa8004370520]
13:53:57.875 5 ACPI.sys[fffff88000eee7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004372060]
13:53:57.875 Scan finished successfully
13:56:07.059 Disk 0 MBR has been saved successfully to "C:\Users\mmcook\Desktop\MBR.dat"
13:56:07.059 The log file has been saved successfully to "C:\Users\mmcook\Desktop\aswMBR.txt"

mmcook, Apr 15, 2012

#34
Broni Malware Annihilator Posts: 39,349 +175

Are you able to boot to Safe Mode with Networking?

Broni, Apr 15, 2012

#35
mmcook Newcomer, in training Posts: 75

I do, but the internet still doesn't work....

mmcook, Apr 15, 2012

#36
Broni Malware Annihilator Posts: 39,349 +175
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:

Internet Services

Windows Firewall

System Restore

Security Center/Action Center

Windows Update

Windows Defender

Press "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
Broni, Apr 15, 2012

#37
mmcook Newcomer, in training Posts: 75

Farbar Service Scanner Version: 01-03-2012
Ran by mmcook (administrator) on 15-04-2012 at 16:08:20
Running from "C:\Users\mmcook\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

mmcook, Apr 15, 2012

#38
Broni Malware Annihilator Posts: 39,349 +175

According to the above log your internet connection should be working fine.
What happens in Safe Mode with Networking?
What are the indications that internet connection doesn't work?

Broni, Apr 15, 2012

#39
mmcook Newcomer, in training Posts: 75

When I try to use Internet Explorer I get the message "Internet Explorer Cannot Display the Webpage." I am given the option to "Diagnose Connection Problems," but if I do that it tells me that diagnostics cannot be run in Safe Mode.

Edit: and I am in Safe Mode with Networking now.

Edit: I tried to load it a different way, and it attempts to load my homepage (yahoo) but never loads it. The "loading" symbol just circles and circles endlessly and never finishes.

mmcook, Apr 15, 2012

#40

Page 2 of 7

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.