Caught myself a nasty Win 7 virus resulting in all the classic symptoms. The virus rewrote my registry so that everything pointed to it. Well, the combined effort of MBAM and Comodo's security suite (along with a few manual deletions) allowed me to rid myself of it. However, it left me with a destroyed registry. I managed to import an entirely fresh registry from online (and I stress how difficult it was just GETTING online without a proper registry). And with that, everything was repaired and I thought no more of it.
However, my little viral battle wasn't done yet! Suddenly an odd piece of malware kept popping up. Comodo caught it and closed it every time; still, this didn't stop it from constantly reappearing. After a few redirected Google searches, I did some research and it became painfully apparent that I had been stricken with the ping.exe virus, either the root of the Win 7 bug or a leftover result. The odd thing was, Comodo wouldn't allow it through, resulting in a thousand 'prevented intrusions' on my Comodo menu, and ping only popping up in processes once every so often.
Considering the way the ping.exe worked, I could have just left it alone. The redirected searches were livable, and Comodo wouldn't allow it to exist long enough to chew up more than 5% of my CPU at a time. However, it agitated me, so I set out to rid myself of it.
MBAM and Comodo each managed to scan something and delete it, but neither of these seemed to get rid of the aforementioned ping.exe. Growing frustrated at the failure of my 'all-star defense', I began calling for outside reinforcement. Some research, a little Kaspersky, an attempt with PC Doctor, and a few other things all resulted in failure. Even manual deletion failed, and I was growing rather sickened by the whole ordeal considering my ability to easily do away with malware up until that point.
Well, throughout my research, I constantly saw the program ComboFix brought up along with many warnings of its dangers. I sort of chalked it up to being like an atom bomb, destroying essentially everything without prejudice. I can't help but laugh now looking back at how true that metaphor really was!
Considering the warnings, I avoided it and deemed it 'my last-ditch effort before simply reformatting', which quickly became more and more likely as nothing I tried worked. So finally I decided to give it a try, without ACTUALLY reading any information on it. I understand this was my mistake and sort of puts me on the deserving end of this whole fiasco, but you can't blame me for finally giving in and asking for help from the professionals I tried so hard to emulate.
And here I am! The effects of the ping.exe virus are completely gone (though oddly enough the physical file I had associated with the virus still remains... So either I was wrong, or even the still-living virus finds itself debilitated). But along with it went my entire registry, yet again! This time to a far worse degree, however. Nothing short of Windows Explorer will open. Any and all programs from Comodo to WordPad refuse to open, much less operate. Even the remaining file I had imported to rewrite my registry the first time refuses to open! It was by some odd luck that I had managed to get online. Luckily for me, the trick I had used the first time my registry had been wrecked worked once more! Simply going into Favorites and clicking on one, IE would open. Note, these are the only files that reacted in any positive fashion, as everything else gives the wonderful error of:
C:\(Original location of program being asked to run)
Illegal operation attempted on registry key that has been marked for deletion.
Followed by Windows asking me if I'd like to remove the shortcut or file asking to use a 'no longer working program' and what not.
The fact is, Windows Explorer still works, and all of my personal files are still reachable. So backing up my system and reformatting is still ENTIRELY doable and looking like my best bet considering ComboFix had failed (albeit far less badly than it had for some; it wasn't until after I used ComboFix that I finally looked it up and realized just how 'prescription strength' it really was).
So here I am, trying one last thing, primarily due to my extreme desire NOT to have to back anything up, as my method of 'backup' involves 'water bucket' carrying over 9 gigs of files on a 2 gig SD from one PC onto another...
Do I deserve help? No, not really. It was my mistake by all accounts. But if I can avoid having to go so far as a complete reformat, I will. Mainly because I fear I may have lost my Windows 7 OS disc....
Notepad won't open, but with IE up, I can open a few text files the hard way. I feel these may be helpful.
After the scan, ComboFix left me with a beautiful report of everything it had destroyed:
C:\ComboFix.txt
ComboFix 11-12-19.03 - Dayton Chevalier 12/20/2011 2:13.1.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1916.1029 [GMT -5:00]
Running from: c:\users\Dayton Chevalier\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MH7UV64R\ComboFix.exe
AV: COMODO Antivirus *Enabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\304740a6t017u215p041i7jpv2k3
c:\programdata\370173d2u587h743k306j0xyi3v8
c:\programdata\3b23qo0m53f805
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico
c:\users\Dayton Chevalier\AppData\Local\bdw.exe
c:\users\Dayton Chevalier\AppData\Local\isy.exe
c:\users\Dayton Chevalier\AppData\Local\ogh.exe
c:\users\Dayton Chevalier\AppData\Roaming\completescan
c:\users\Dayton Chevalier\AppData\Roaming\install
c:\users\Dayton Chevalier\AppData\Roaming\Local
c:\users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\304740a6t017u215p041i7jpv2k3
c:\users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\370173d2u587h743k306j0xyi3v8
c:\windows\system32\consrv.dll
c:\windows\system32\Thumbs.db
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 07:32 . 2011-12-20 07:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-19 04:11 . 2011-12-19 18:58 41200 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-18 00:16 . 2011-12-18 00:16 -------- d-----w- c:\users\Dayton Chevalier\AppData\Local\COMODO
2011-12-14 00:16 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 00:16 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 00:16 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 00:16 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-14 00:15 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 00:15 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-14 00:05 . 2011-12-14 00:05 -------- d-----w- c:\program files\Windows Live
2011-12-13 23:56 . 2009-09-04 22:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll
2011-12-13 23:56 . 2009-09-04 22:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll
2011-12-13 23:56 . 2009-09-04 22:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll
2011-12-13 23:56 . 2009-09-04 22:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-12-06 06:40 . 2011-12-06 06:41 -------- d-----w- c:\users\Dayton Chevalier\.Swap_Tilesets_in_VX_Editor
2011-12-05 03:41 . 2011-12-05 03:41 -------- d-----w- c:\program files (x86)\SwapXT
2011-12-03 03:02 . 2011-12-03 03:02 -------- d-----w- c:\program files (x86)\Enterbrain
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 18:59 . 2011-01-06 22:37 93200 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 18:59 . 2011-01-06 22:37 43248 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 18:59 . 2011-01-06 22:36 577824 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 18:59 . 2011-01-06 22:36 22696 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 18:58 . 2010-12-29 06:42 301224 ----a-w- c:\windows\SysWow64\guard32.dll
2011-12-19 18:58 . 2010-12-29 06:42 389840 ----a-w- c:\windows\system32\guard64.dll
2011-12-14 00:07 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-19 22:05 . 2011-11-19 22:05 1163348 ----a-w- c:\windows\THE_LEGEND_OF_ZELDA_25th_ANNIVERSARYUninst.exe
2011-11-19 22:05 . 2011-11-19 22:05 16590692 ----a-w- c:\windows\THE_LEGEND_OF_ZELDA_25th_ANNIVERSARY.scr
2011-10-26 00:25 . 2010-08-20 06:24 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2011-10-26 00:25 . 2010-08-20 06:24 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2011-10-24 03:27 . 2011-10-24 03:27 271424 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-10-16 03:45 . 2011-08-08 18:44 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-29 16:29 . 2011-11-08 22:13 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-04 39408]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-24 1242448]
"DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2011-08-17 4527424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2011-10-26 273528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 135664]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 psdrv3;PrimeSensor Device Driver Service v3.x;c:\windows\system32\Drivers\psdrv3.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 22:16]
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 22:16]
.
2011-11-28 c:\windows\Tasks\Norton Security Scan for Dayton Chevalier.job
- c:\progra~2\NORTON~2\Engine\360~1.31\Nss.exe [2011-10-26 15:22]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-18 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-18 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-18 410648]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-19 9454920]
"combofix"="c:\combofix\CF31812.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Dayton Chevalier\AppData\Roaming\Mozilla\Firefox\Profiles\gjy3o59j.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.mydtzone.com/startpage|chrome://branding/locale/browserconfig.properties
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-17498965.sys
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{FBBC4667-2521-4E78-B1BD-8706F774549B} - c:\programdata\{249B9E04-F0FC-434D-B0D8-12D3EDFF3B77}\Best Buy Software Installer Setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2011-12-20 02:56:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-20 07:56
.
Pre-Run: 142,891,507,712 bytes free
Post-Run: 142,492,729,344 bytes free
.
- - End Of File - - 01AA30C5D0DE75CB50B26D696F387F3B
It also left an interesting new folder called C:\Qoobox, which included a BackEnv folder (which I can't enter) and a Quarantine folder which appears to hold some of the files that were deleted! It also has a snapshot@(current date).dat and a couple of text files that may be useful.
C:\Qoobox\Add-Remove Programs.txt
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Anvil Studio 2011
Apple Application Support
Apple Software Update
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Atheros Driver Installation Program
Audacity 1.2.6
Cave Story Deluxe
Compatibility Pack for the 2007 Office system
Crystal Reports for Visual Studio
D3DX10
DAEMON Tools Pro
Dotfuscator Software Services - Community Edition
ffdshow
Free RAR Extract Frog
GIMP 2.6.11
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2542054)
Intel® Graphics Media Accelerator Driver
Japanese Fonts Support For Adobe Reader 9
Java Auto Updater
Java 6 Update 27
Junk Mail filter update
Label@Once 1.0
LADSPA_plugins-win-0.4.15
LAME v3.98.2 for Audacity
LMMS 0.4.10
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Office Click-to-Run 2010
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2010 - English
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Suite Activation Assistant
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
Microsoft Visual F# 2.0 Runtime
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Professional - ENU
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio Macro Tools
Microsoft Works
Mozilla Firefox 8.0.1 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 4.0 SP3 Parser (KB973685)
Nintendo_History_ScreenSaver
Norton Security Scan
Notepad++
OpenOffice.org 3.2
Pando Media Booster
Portal
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek USB 2.0 Card Reader
RealUpgrade 1.1
RPG Maker VX
RPG Maker VX RTP
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2251489)
Skype Toolbars
Skype 5.5
Steam
SwapXT 1.0
System Requirements Lab for Intel
THE_LEGEND_OF_ZELDA_25th_ANNIVERSARY
TOSHIBA Application Installer
TOSHIBA Assist
TOSHIBA Bulletin Board
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
TOSHIBA Quality Application
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
ToshibaRegistration
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Utawarerumono English v1.1
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Yahoo! Software Update
Yahoo! Toolbar
Yume Nikki 0.10 English v3
Zelda Classic 2.10w
ZSNESw 1.51
C:\Qoobox\ComboFix-quarantined-files.txt
2011-12-20 07:53:29 . 2011-12-20 07:53:29 544 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{FBBC4667-2521-4E78-B1BD-8706F774549B}.reg.dat
2011-12-20 07:53:29 . 2011-12-20 07:53:29 1,380 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Shockwave Player.reg.dat
2011-12-20 07:53:02 . 2011-12-20 07:53:02 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TosReelTimeMonitor.reg.dat
2011-12-20 07:53:02 . 2011-12-20 07:53:02 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TosNC.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-00TCrdMain.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SmoothView.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TPwrMain.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
2011-12-20 07:52:39 . 2011-12-20 07:52:39 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-(Default).reg.dat
2011-12-20 07:52:39 . 2011-12-20 07:52:39 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-12-20 07:52:38 . 2011-12-20 07:52:38 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2011-12-20 07:51:44 . 2011-12-20 07:51:44 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-17498965.sys.reg.dat
2011-12-20 07:51:08 . 2011-12-20 07:51:08 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
2011-12-20 07:22:28 . 2011-12-20 07:22:28 16,578 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-12-20 07:09:56 . 2011-12-20 07:09:56 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-12-15 00:52:55 . 2011-12-15 00:52:55 1,262 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\370173d2u587h743k306j0xyi3v8.vir
2011-12-15 00:52:55 . 2011-12-15 00:52:55 1,262 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\370173d2u587h743k306j0xyi3v8.vir
2011-12-14 00:36:20 . 2011-12-14 00:36:20 1,206 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\304740a6t017u215p041i7jpv2k3.vir
2011-12-14 00:36:20 . 2011-12-14 00:36:20 1,206 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\304740a6t017u215p041i7jpv2k3.vir
2011-12-04 03:28:29 . 2011-12-04 03:28:29 782 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\3b23qo0m53f805.vir
2011-11-25 18:47:38 . 2011-11-25 18:47:38 71,768 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat.vir
2011-11-25 18:46:43 . 2011-11-19 01:56:42 476,672 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll.vir
2011-11-25 18:46:43 . 2009-11-19 06:12:03 4,846 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico.vir
2011-11-25 18:46:43 . 2011-11-19 01:56:48 1,006,592 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll.vir
2011-11-25 18:46:04 . 2011-03-11 03:29:12 227,984 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe.vir
2011-04-18 18:31:55 . 2011-04-18 18:31:55 586,752 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Local\bdw.exe.vir
2011-04-17 07:24:46 . 2011-04-17 07:24:46 586,752 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Local\isy.exe.vir
2011-04-17 03:23:49 . 2011-04-17 03:23:49 586,752 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Local\ogh.exe.vir
2010-11-30 05:42:50 . 2010-11-30 05:42:50 6 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\completescan.vir
2010-11-30 05:36:37 . 2010-11-30 05:36:37 10 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\install.vir
2010-04-04 21:38:02 . 2009-07-30 02:08:20 4,096 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Thumbs.db.vir
2009-07-13 23:31:13 . 2009-07-14 01:39:46 54,272 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
2007-11-07 12:03:18 . 2007-11-07 12:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\install.exe.vir
If there's anything else I can add, please feel free to inform me. This is all I have for now. In the meantime... I suppose I'll work on 'backing up' my files. Thank you.