TechSpot

Svchost.exe (Trojan.agent) Malwarebytes cannot remove/system crashing

Solved
By mmcook
Apr 12, 2012
  1. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    Combofix is detecting our anti-virus symantec software and telling me to disable it, but I can't find it to disable it in safe mode. Any advise on how to disable this from safe mode?
  2. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Disregard that warning.
  3. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    Got it:

    ComboFix 12-04-13.01 - mmcook 04/14/2012 0:57.1.2 - x64 NETWORK
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4085.3359 [GMT -4:00]
    Running from: c:\users\mmcook\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\dcafecfdct.exe
    c:\programdata\NaDwLaiRnW.exe
    c:\users\mmcook\AppData\Local\Microsoft\MicrosoftData
    c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}
    c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\chrome.manifest
    c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\chrome\xulcache.jar
    c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\defaults\preferences\xulcache.js
    c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\extensions\{cd48e0bd-6c04-4eea-a2c2-1df17d4966a3}\install.rdf
    c:\users\mmcook\AppData\Roaming\Obfo\doenqia.exe
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\svchost.exe
    c:\windows\system32\consrv.dll
    c:\windows\system32\drivers\etc\hosts.ics
    c:\windows\system32\drivers\etc\hosts.txt
    c:\windows\System64
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\users\Meeples\AppData\Local\temp
    2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\users\Andrew & Connor\AppData\Local\temp
    2012-04-14 05:02 . 2012-04-14 05:02 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-04-14 00:39 . 2012-04-14 00:39 747416 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-04-14 00:26 . 2012-04-14 00:26 -------- d-----w- c:\users\mmcook\transfer
    2012-04-13 22:26 . 2012-04-13 22:26 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-13 22:24 . 2012-04-13 22:21 323072 ----a-w- c:\programdata\QkqnRvQCEE.exe
    2012-04-13 01:22 . 2012-04-14 05:02 -------- d-----w- c:\users\mmcook\AppData\Roaming\Obfo
    2012-04-13 01:22 . 2012-04-13 01:23 -------- d-----w- c:\users\mmcook\AppData\Roaming\Maac
    2012-04-13 01:22 . 2012-04-13 01:22 148992 ----a-w- c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe
    2012-04-13 01:22 . 2012-04-13 01:22 148992 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe
    2012-04-13 01:22 . 2012-04-13 01:22 148992 ----a-w- c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe
    2012-04-12 03:55 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-12 03:55 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-12 03:55 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-12 03:55 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-04-12 03:55 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-04-12 03:55 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-04-12 03:55 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-04-09 23:42 . 2012-04-09 23:42 -------- d--h--w- c:\program files (x86)\Microsoft Security Client
    2012-04-09 23:42 . 2012-04-11 05:02 -------- d--h--w- c:\program files\Microsoft Security Client
    2012-03-23 23:44 . 2012-04-11 05:35 -------- d--h--w- c:\users\Meeples\AppData\Local\Mozilla
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 19:56 . 2009-12-06 18:43 24904 ---ha-w- c:\windows\system32\drivers\mbam.sys
    2012-02-17 06:38 . 2012-03-14 07:16 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 05:34 . 2012-03-14 07:16 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-02-17 04:58 . 2012-03-14 07:16 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:57 . 2012-03-14 07:16 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-10 06:36 . 2012-03-14 07:17 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-10 05:38 . 2012-03-14 07:17 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2012-02-04 16:25 . 2011-06-22 23:15 414368 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-03 04:34 . 2012-03-14 07:17 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-01-25 06:38 . 2012-03-14 07:16 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-01-25 06:38 . 2012-03-14 07:16 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-01-25 06:33 . 2012-03-14 07:16 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\11\ISUSPM.exe" [2008-09-26 210208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
    "cwcptray"="c:\program files (x86)\ContentWatch\Internet Protection\cwtray.exe" [2010-12-11 353600]
    "nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-12-04 115560]
    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-17 976832]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "QkqnRvQCEE.exe"="c:\programdata\QkqnRvQCEE.exe" [2012-04-13 323072]
    .
    c:\users\mmcook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-12 113664]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
    kofatu.exe [2012-4-12 148992]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
    R4 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-05-01 181544]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
    S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-17 98208]
    S2 CwAltaService20;ContentWatch;c:\program files (x86)\ContentWatch\Internet Protection\cwsvc.exe [2010-12-11 2100544]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
    S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]
    S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]
    S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
    "combofix"="c:\combofix\CF31561.3XE" [2010-11-20 345088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\cwalsp.dll
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{058EBD97-84C5-452A-9433-C54A9896D2Aa} - c:\windows\SysWow64\wscui32.dll
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
    Wow6432Node-HKCU-Run-{D6D291BC-AD64-8943-4893-465406344EC6} - c:\users\mmcook\AppData\Roaming\Obfo\doenqia.exe
    Wow6432Node-HKCU-Run-dcafecfdct - c:\programdata\dcafecfdct.exe
    Wow6432Node-HKLM-Run-DellSupportCenter - c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
    Wow6432Node-HKLM-Run-cpQeUCMUEXwA.exe - c:\programdata\cpQeUCMUEXwA.exe
    Wow6432Node-HKLM-Run-NaDwLaiRnW.exe - c:\programdata\NaDwLaiRnW.exe
    Wow6432Node-HKLM-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
    Wow6432Node-HKU-Default-Run-AppsUpdate - c:\users\mmcook\AppData\Local\Apps\AppsUpdate\Appsupdt32.exe
    Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
    Wow6432Node-HKU-Default-Run-dcafecfdct - c:\programdata\dcafecfdct.exe
    SafeBoot-Symantec Antvirus
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2341466117-3050677054-3231783024-1000\Software\SecuROM\License information*]
    "datasecu"=hex:fe,15,ac,b2,1a,3b,31,5c,89,b0,cd,56,20,81,76,1c,ad,8a,cf,7f,08,
    bc,6f,c4,b0,02,41,5e,0f,84,04,85,df,fe,c9,ac,80,13,0a,f6,13,7e,74,30,9b,15,\
    "rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\Motive\McciCMService.exe
    c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
    c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-14 01:20:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-14 05:20
    .
    Pre-Run: 475,362,340,864 bytes free
    Post-Run: 477,203,619,840 bytes free
    .
    - - End Of File - - 3B15F58850F84D98DE26647069B75EDE
  4. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DiirLook::
    c:\users\mmcook\AppData\Roaming\Obfo
    c:\users\mmcook\AppData\Roaming\Maac
    
    
    File::
    c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe
    c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe
    c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  5. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    Computer can still not boot in normal mode without immediately crashing. I get the same series of error messages I posted before. Ran again in Safe Mode:


    ComboFix 12-04-13.01 - mmcook 04/14/2012 13:41:58.2.2 - x64 NETWORK
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4085.3427 [GMT -4:00]
    Running from: c:\users\mmcook\Desktop\ComboFix.exe
    Command switches used :: c:\users\mmcook\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    FILE ::
    "c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe"
    "c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe"
    "c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Andrew & Connor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xiamys.exe
    c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kofatu.exe
    c:\users\Meeples\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aribor.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\users\Meeples\AppData\Local\temp
    2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-14 17:49 . 2012-04-14 17:49 -------- d-----w- c:\users\Andrew & Connor\AppData\Local\temp
    2012-04-14 00:39 . 2012-04-14 00:39 747416 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-04-14 00:26 . 2012-04-14 00:26 -------- d-----w- c:\users\mmcook\transfer
    2012-04-13 22:26 . 2012-04-13 22:26 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-13 22:24 . 2012-04-13 22:21 323072 ----a-w- c:\programdata\QkqnRvQCEE.exe
    2012-04-13 01:22 . 2012-04-14 05:02 -------- d-----w- c:\users\mmcook\AppData\Roaming\Obfo
    2012-04-13 01:22 . 2012-04-13 01:23 -------- d-----w- c:\users\mmcook\AppData\Roaming\Maac
    2012-04-12 03:55 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-12 03:55 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-12 03:55 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-12 03:55 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-04-12 03:55 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-04-12 03:55 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-04-12 03:55 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-04-09 23:42 . 2012-04-09 23:42 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-04-09 23:42 . 2012-04-11 05:02 -------- d-----w- c:\program files\Microsoft Security Client
    2012-03-23 23:44 . 2012-04-11 05:35 -------- d-----w- c:\users\Meeples\AppData\Local\Mozilla
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 19:56 . 2009-12-06 18:43 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-17 06:38 . 2012-03-14 07:16 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 05:34 . 2012-03-14 07:16 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-02-17 04:58 . 2012-03-14 07:16 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:57 . 2012-03-14 07:16 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-10 06:36 . 2012-03-14 07:17 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-10 05:38 . 2012-03-14 07:17 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2012-02-04 16:25 . 2011-06-22 23:15 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-03 04:34 . 2012-03-14 07:17 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-01-25 06:38 . 2012-03-14 07:16 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-01-25 06:38 . 2012-03-14 07:16 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-01-25 06:33 . 2012-03-14 07:16 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-14_05.07.40 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-06 15:30 . 2012-04-14 05:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-06 15:30 . 2012-04-11 03:31 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-04-11 03:31 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-04-14 05:25 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:46 . 2012-04-07 10:54 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-07-14 04:46 . 2012-04-14 17:13 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2012-04-14 17:28 . 2012-04-14 17:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-04-14 05:04 . 2012-04-14 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-04-14 17:28 . 2012-04-14 17:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-04-14 05:04 . 2012-04-14 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 05:01 . 2012-04-08 04:09 420488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-04-14 17:13 420488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{058EBD97-84C5-452A-9433-C54A9896D2Aa}]
    c:\windows\SysWow64\wscui32.dll [BU]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\11\ISUSPM.exe" [2008-09-26 210208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
    "cwcptray"="c:\program files (x86)\ContentWatch\Internet Protection\cwtray.exe" [2010-12-11 353600]
    "nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-12-04 115560]
    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-17 976832]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "QkqnRvQCEE.exe"="c:\programdata\QkqnRvQCEE.exe" [2012-04-13 323072]
    .
    c:\users\mmcook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-12 113664]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
    R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
    R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-17 98208]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 CwAltaService20;ContentWatch;c:\program files (x86)\ContentWatch\Internet Protection\cwsvc.exe [2010-12-11 2100544]
    R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
    R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]
    R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]
    R2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
    R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
    R4 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-05-01 181544]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\cwalsp.dll
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\mmcook\AppData\Roaming\Mozilla\Firefox\Profiles\0zw9j5yw.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2341466117-3050677054-3231783024-1000\Software\SecuROM\License information*]
    "datasecu"=hex:fe,15,ac,b2,1a,3b,31,5c,89,b0,cd,56,20,81,76,1c,ad,8a,cf,7f,08,
    bc,6f,c4,b0,02,41,5e,0f,84,04,85,df,fe,c9,ac,80,13,0a,f6,13,7e,74,30,9b,15,\
    "rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-04-14 13:51:12
    ComboFix-quarantined-files.txt 2012-04-14 17:51
    ComboFix2.txt 2012-04-14 05:20
    .
    Pre-Run: 477,251,506,176 bytes free
    Post-Run: 477,038,698,496 bytes free
    .
    - - End Of File - - 84362E710BE311238CDC5FABB8AD5C7F
  6. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    What are the error messages when you boot to normal mode/
  7. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    I am getting three different types of error messages right now.

    (1) On Boot I get multiple (like 20) pop-ups that say "System Message Write Fault Error" "A write command during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception error when using a reference to an invalid system mempry access." I am then given the choices of Cancel/Try Again/Continue. I have typically clicked cancel or continue through these pop-ups.

    (2) That is immediately followed by a pop up that says "System Error Hard Disk Failure. Windows has lost access to the system partition during I/O process. This may also lead to potential loss of data. Highly recommended to run complete HDD scan to prevent lost of files, applications and documents.

    (The message has a spelling error in it when it says recommended to run the scan to prevent "lost" of data instead of "Loss".)

    I am given the choices of Scan and Repair or Scan Later (reboot required). I have always just closed this box without selecting anything and then the computer reboots itself.

    (3) I also get another error message occasionally when running in Safe Mode which says: "There is a problem with your ContentWatch Installation. Please try to uninstall and reinstall the program. If the problem persists contact customer support."

    Those are what I remember. I haven't tried to reboot into normal mode since the last run of Combofix.
  8. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Give me new aswMBR log.
  9. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    Because I have no internet in Safe Mode it was unable to download the lastest virus definitions:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-15 13:49:01
    -----------------------------
    13:49:01.584 OS Version: Windows x64 6.1.7601 Service Pack 1
    13:49:01.584 Number of processors: 2 586 0x170A
    13:49:01.584 ComputerName: COOK-HOME UserName: mmcook
    13:49:02.505 Initialize success
    13:53:36.706 AVAST engine download error: 0
    13:53:39.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    13:53:39.046 Disk 0 Vendor: WDC_WD6400AAKS-75A7B2 01.03B01 Size: 610480MB BusType: 3
    13:53:39.062 Disk 0 MBR read successfully
    13:53:39.062 Disk 0 MBR scan
    13:53:39.062 Disk 0 Windows 7 default MBR code
    13:53:39.077 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
    13:53:39.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 7918 MB offset 112640
    13:53:39.093 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 602506 MB offset 16328704
    13:53:39.109 Disk 0 scanning C:\Windows\system32\drivers
    13:53:44.288 Service scanning
    13:53:57.844 Modules scanning
    13:53:57.844 Disk 0 trace - called modules:
    13:53:57.860 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    13:53:57.860 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80048b0060]
    13:53:57.875 3 CLASSPNP.SYS[fffff880019b543f] -> nt!IofCallDriver -> [0xfffffa8004370520]
    13:53:57.875 5 ACPI.sys[fffff88000eee7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004372060]
    13:53:57.875 Scan finished successfully
    13:56:07.059 Disk 0 MBR has been saved successfully to "C:\Users\mmcook\Desktop\MBR.dat"
    13:56:07.059 The log file has been saved successfully to "C:\Users\mmcook\Desktop\aswMBR.txt"
  10. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Are you able to boot to Safe Mode with Networking?
  11. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    I do, but the internet still doesn't work....
     
  12. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center/Action Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  13. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    Farbar Service Scanner Version: 01-03-2012
    Ran by mmcook (administrator) on 15-04-2012 at 16:08:20
    Running from "C:\Users\mmcook\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Nerwork
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.

    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    bfe Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.
    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.

    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem service is OK.
    The ServiceDll of EventSystem service is OK.

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
  14. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    According to the above log your internet connection should be working fine.
    What happens in Safe Mode with Networking?
    What are the indications that internet connection doesn't work?
  15. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    When I try to use Internet Explorer I get the message "Internet Explorer Cannot Display the Webpage." I am given the option to "Diagnose Connection Problems," but if I do that it tells me that diagnostics cannot be run in Safe Mode.

    Edit: and I am in Safe Mode with Networking now.

    Edit: I tried to load it a different way, and it attempts to load my homepage (yahoo) but never loads it. The "loading" symbol just circles and circles endlessly and never finishes.
  16. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    See if you can update MBAM.
  17. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    MBAM update does not work. It just freezes ("Not responding"). I have to go to the task manager to close it afterwards.

    Also, the pop up that I mentioned before "There is a problem with your ContentWatch Installation. Please try to uninstall and reinstall the program. If the problem persists contact customer support." Happens frequently.
  18. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
  19. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    Ok I have created the Boot CD. The computer booted to the Reatogo-X-PE desktop. I checked the internet connection. At first, Internet explorer seemed like it was working. It loaded the Google homepage. I searched for Techspot and got search results. I clicked to go to Techspot, but then I was told IE could not load the page. I tried again and the Google homepage still loads, but as soon as I even start to type in a search term, IE closes completely. It's very strange.

    I then went to the Firefox browser and this one is working. I was able to navigate to this board and post this message.

    I am trying to run the OTLPE scan, but when I click that icon it pops up a window that asks me to Choose a Windows Directory. And then says "Browse for folder." I am not sure what to enter here. Am I supposed to choose the C drive? It says (Recovery) C: Or am I just supposed to click through and choose "My computer?" Or something else?
  20. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Navigate to a folder where Windows is actually installed.
    That would be C:\Windows
  21. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    I clicked for the C drive and another set of choices dropped down. "Boot" "Dell" "Recovery" and "System Volume Information"

    I tried to just choose the Folder Recovery C, and received a runscanner error message stating "Target is not Windows 2000 or later."
  22. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Using another working computer download following tool, transfer it to bad computer and run it from safe mode...

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button [​IMG]
      • In Scan scope leave pre-checked items as they're and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button [​IMG] then on Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All then right click again and click Copy.
    • This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
  23. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    Just to be clear, you want me to reboot the computer from the hard-drive this time (not the boot CD) into safe mode and run the new program? Or still use the boot CD?
  24. Broni

    Broni Malware Annihilator Posts: 46,447   +252

    Yes.
  25. mmcook

    mmcook Newcomer, in training Topic Starter Posts: 75

    This looks too big for the USB I've been using. I shall try to find something with more memory to try to transfer this.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.