
Another foolish misuse of Combofix


This topic is locked
2 replies to this topic

#1 Day64


Posted 20 December 2011 - 04:31 AM

Well, here I am. In the midst of the story I'm sure you've heard a million times.

Caught myself a nasty Win 7 virus resulting in all the classic symptoms. The virus rewrote my registry so that everything pointed to it. Well, the combined effort of MBAM and Comodo Security (along with a few manual deletions) allowed me to rid myself of it. However, it left me with a destroyed registry. I managed to import an entirely fresh registry from online (and I stress how difficult it was just GETTING online without a proper registry). And with that, everything was repaired and I thought no more of it.

However, my little viral battle wasn't done yet! Suddenly an odd piece of malware kept popping up. Comodo caught it and closed it every time; still, this didn't stop it from constantly reappearing. After a few redirected Google searches, I did some research and it became painfully apparent that I had been stricken with the ping.exe virus, either the root of the Win 7 bug or a leftover result. The odd thing was, Comodo wouldn't allow it through, resulting in a thousand 'prevented intrusions' on my Comodo menu, and ping only popping up in processes once every so often.
Considering the way the ping.exe worked, I could have just left it alone. The redirected searches were livable, and Comodo wouldn't allow it to exist long enough to chew up more than 5% of my CPU at a time. However, it agitated me, so I set out to rid myself of it.
MBAM and Comodo each managed to scan something and delete it, but neither of these seemed to get rid of the aforementioned ping.exe. Growing frustrated at the failure of my 'all-star defense', I began calling for outside reinforcement. Some research, a little Kaspersky, an attempt with PC Doctor, and a few other things all resulted in failure. Even manual deletion failed, and I was growing rather sickened by the whole ordeal, considering my ability to easily do away with malware up until that point.

Well, throughout my research, I constantly saw the program Combofix brought up along with the many warnings of its dangers. I sort of chalked it up to being like an atom bomb, destroying essentially everything without prejudice. I can't help but laugh now looking back at how true that metaphor really was!
Considering the warnings, I avoided it, and deemed it 'my last ditch effort before simply reformatting', which quickly became more and more likely as nothing I tried worked. So finally I decided to give it a try, without ACTUALLY reading any information on it. I understand this was my mistake and sort of puts me on the deserving end of this whole fiasco, but you can't blame me for finally giving in and asking for help from the professionals I tried so hard to emulate.
And here I am! The effects of the ping.exe virus are completely gone (though oddly enough the physical file I had associated with the virus still remains... So either I was wrong or even the still-living virus finds itself debilitated). But along with it went my entire registry, yet again! This time to a far worse degree, however. Nothing short of Windows Explorer will open. Any and all programs from Comodo to WordPad refuse to open, much less operate. Even the remaining file I had imported to rewrite my registry the first time refuses to open! It was by some odd luck that I managed to get online. Luckily for me, the trick I had used the first time my registry had been wrecked worked once more: simply going into Favorites and clicking on one, IE would open. Note, these are the only files that reacted in any positive fashion, as everything else gives the wonderful error of:

C:\(Original location of program being asked to run)
Illegal operation attempted on registry key that has been marked for deletion.

Followed by Windows asking me if I'd like to remove the shortcut or file asking to use a 'no longer working program' and what not.
The fact is, Windows Explorer still works, and all of my personal files are still reachable. So backing up my system and reformatting is still ENTIRELY doable and looking like my best bet, considering Combofix had failed (albeit far less badly than it had for some; it wasn't until after I used Combofix that I finally looked it up and realized just how 'prescription strength' it really was).
So here I am, trying one last thing, primarily due to my extreme desire NOT to have to back anything up, as my method of 'backup' involves 'water bucket' carrying over 9 gigs of files on a 2 gig SD from one PC onto another...

Do I deserve help? No, not really. It was my mistake by all accounts. But if I can avoid having to go so far as a complete reformat, I will. Mainly because I fear I may have lost my Windows 7 OS disc....



Notepad won't open, but with IE up, I can open a few text files the hard way. I feel these may be helpful.

After the scan, Combofix left me with a beautiful report of everything it had destroyed:

C:\ComboFix.txt
ComboFix 11-12-19.03 - Dayton Chevalier 12/20/2011 2:13.1.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1916.1029 [GMT -5:00]
Running from: c:\users\Dayton Chevalier\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MH7UV64R\ComboFix.exe
AV: COMODO Antivirus *Enabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\304740a6t017u215p041i7jpv2k3
c:\programdata\370173d2u587h743k306j0xyi3v8
c:\programdata\3b23qo0m53f805
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe
c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico
c:\users\Dayton Chevalier\AppData\Local\bdw.exe
c:\users\Dayton Chevalier\AppData\Local\isy.exe
c:\users\Dayton Chevalier\AppData\Local\ogh.exe
c:\users\Dayton Chevalier\AppData\Roaming\completescan
c:\users\Dayton Chevalier\AppData\Roaming\install
c:\users\Dayton Chevalier\AppData\Roaming\Local
c:\users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\304740a6t017u215p041i7jpv2k3
c:\users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\370173d2u587h743k306j0xyi3v8
c:\windows\system32\consrv.dll
c:\windows\system32\Thumbs.db
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 07:32 . 2011-12-20 07:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-19 04:11 . 2011-12-19 18:58 41200 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-18 00:16 . 2011-12-18 00:16 -------- d-----w- c:\users\Dayton Chevalier\AppData\Local\COMODO
2011-12-14 00:16 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 00:16 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 00:16 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 00:16 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-14 00:15 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 00:15 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-14 00:05 . 2011-12-14 00:05 -------- d-----w- c:\program files\Windows Live
2011-12-13 23:56 . 2009-09-04 22:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll
2011-12-13 23:56 . 2009-09-04 22:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll
2011-12-13 23:56 . 2009-09-04 22:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll
2011-12-13 23:56 . 2009-09-04 22:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-12-06 06:40 . 2011-12-06 06:41 -------- d-----w- c:\users\Dayton Chevalier\.Swap_Tilesets_in_VX_Editor
2011-12-05 03:41 . 2011-12-05 03:41 -------- d-----w- c:\program files (x86)\SwapXT
2011-12-03 03:02 . 2011-12-03 03:02 -------- d-----w- c:\program files (x86)\Enterbrain
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 18:59 . 2011-01-06 22:37 93200 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 18:59 . 2011-01-06 22:37 43248 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 18:59 . 2011-01-06 22:36 577824 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 18:59 . 2011-01-06 22:36 22696 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 18:58 . 2010-12-29 06:42 301224 ----a-w- c:\windows\SysWow64\guard32.dll
2011-12-19 18:58 . 2010-12-29 06:42 389840 ----a-w- c:\windows\system32\guard64.dll
2011-12-14 00:07 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-19 22:05 . 2011-11-19 22:05 1163348 ----a-w- c:\windows\THE_LEGEND_OF_ZELDA_25th_ANNIVERSARYUninst.exe
2011-11-19 22:05 . 2011-11-19 22:05 16590692 ----a-w- c:\windows\THE_LEGEND_OF_ZELDA_25th_ANNIVERSARY.scr
2011-10-26 00:25 . 2010-08-20 06:24 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2011-10-26 00:25 . 2010-08-20 06:24 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2011-10-24 03:27 . 2011-10-24 03:27 271424 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-10-16 03:45 . 2011-08-08 18:44 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-29 16:29 . 2011-11-08 22:13 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-04 39408]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-24 1242448]
"DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2011-08-17 4527424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2011-10-26 273528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 135664]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 psdrv3;PrimeSensor Device Driver Service v3.x;c:\windows\system32\Drivers\psdrv3.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 22:16]
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 22:16]
.
2011-11-28 c:\windows\Tasks\Norton Security Scan for Dayton Chevalier.job
- c:\progra~2\NORTON~2\Engine\360~1.31\Nss.exe [2011-10-26 15:22]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-18 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-18 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-18 410648]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-19 9454920]
"combofix"="c:\combofix\CF31812.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Dayton Chevalier\AppData\Roaming\Mozilla\Firefox\Profiles\gjy3o59j.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.mydtzone.com/startpage|chrome://branding/locale/browserconfig.properties
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-17498965.sys
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{FBBC4667-2521-4E78-B1BD-8706F774549B} - c:\programdata\{249B9E04-F0FC-434D-B0D8-12D3EDFF3B77}\Best Buy Software Installer Setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2011-12-20 02:56:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-20 07:56
.
Pre-Run: 142,891,507,712 bytes free
Post-Run: 142,492,729,344 bytes free
.
- - End Of File - - 01AA30C5D0DE75CB50B26D696F387F3B


It also left an interesting new folder called C:\Qoobox which included a BackEnv folder (which I can't enter) and a Quarantine folder which appears to hold some of the files that were deleted! It also has a snapshot@(current date).dat and a couple of text files that may be useful.

C:\Qoobox\Add-Remove Programs.txt
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Anvil Studio 2011
Apple Application Support
Apple Software Update
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Atheros Driver Installation Program
Audacity 1.2.6
Cave Story Deluxe
Compatibility Pack for the 2007 Office system
Crystal Reports for Visual Studio
D3DX10
DAEMON Tools Pro
Dotfuscator Software Services - Community Edition
ffdshow
Free RAR Extract Frog
GIMP 2.6.11
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2542054)
Intel® Graphics Media Accelerator Driver
Japanese Fonts Support For Adobe Reader 9
Java Auto Updater
Java™ 6 Update 27
Junk Mail filter update
Label@Once 1.0
LADSPA_plugins-win-0.4.15
LAME v3.98.2 for Audacity
LMMS 0.4.10
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Office Click-to-Run 2010
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2010 - English
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Suite Activation Assistant
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
Microsoft Visual F# 2.0 Runtime
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Professional - ENU
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio Macro Tools
Microsoft Works
Mozilla Firefox 8.0.1 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 4.0 SP3 Parser (KB973685)
Nintendo_History_ScreenSaver
Norton Security Scan
Notepad++
OpenOffice.org 3.2
Pando Media Booster
Portal
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek USB 2.0 Card Reader
RealUpgrade 1.1
RPG Maker VX
RPG Maker VX RTP
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2251489)
Skype Toolbars
Skype™ 5.5
Steam
SwapXT 1.0
System Requirements Lab for Intel
THE_LEGEND_OF_ZELDA_25th_ANNIVERSARY
TOSHIBA Application Installer
TOSHIBA Assist
TOSHIBA Bulletin Board
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
TOSHIBA Quality Application
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
ToshibaRegistration
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Utawarerumono English v1.1
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Yahoo! Software Update
Yahoo! Toolbar
Yume Nikki 0.10 English v3
Zelda Classic 2.10w
ZSNESw 1.51


C:\Qoobox\ComboFix-quarantined-files.txt
2011-12-20 07:53:29 . 2011-12-20 07:53:29 544 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{FBBC4667-2521-4E78-B1BD-8706F774549B}.reg.dat
2011-12-20 07:53:29 . 2011-12-20 07:53:29 1,380 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Shockwave Player.reg.dat
2011-12-20 07:53:02 . 2011-12-20 07:53:02 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TosReelTimeMonitor.reg.dat
2011-12-20 07:53:02 . 2011-12-20 07:53:02 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TosNC.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-00TCrdMain.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SmoothView.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TPwrMain.reg.dat
2011-12-20 07:52:56 . 2011-12-20 07:52:56 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
2011-12-20 07:52:39 . 2011-12-20 07:52:39 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-(Default).reg.dat
2011-12-20 07:52:39 . 2011-12-20 07:52:39 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-12-20 07:52:38 . 2011-12-20 07:52:38 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2011-12-20 07:51:44 . 2011-12-20 07:51:44 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-17498965.sys.reg.dat
2011-12-20 07:51:08 . 2011-12-20 07:51:08 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
2011-12-20 07:22:28 . 2011-12-20 07:22:28 16,578 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-12-20 07:09:56 . 2011-12-20 07:09:56 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-12-15 00:52:55 . 2011-12-15 00:52:55 1,262 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\370173d2u587h743k306j0xyi3v8.vir
2011-12-15 00:52:55 . 2011-12-15 00:52:55 1,262 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\370173d2u587h743k306j0xyi3v8.vir
2011-12-14 00:36:20 . 2011-12-14 00:36:20 1,206 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\Microsoft\Windows\Templates\304740a6t017u215p041i7jpv2k3.vir
2011-12-14 00:36:20 . 2011-12-14 00:36:20 1,206 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\304740a6t017u215p041i7jpv2k3.vir
2011-12-04 03:28:29 . 2011-12-04 03:28:29 782 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\3b23qo0m53f805.vir
2011-11-25 18:47:38 . 2011-11-25 18:47:38 71,768 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat.vir
2011-11-25 18:46:43 . 2011-11-19 01:56:42 476,672 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll.vir
2011-11-25 18:46:43 . 2009-11-19 06:12:03 4,846 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico.vir
2011-11-25 18:46:43 . 2011-11-19 01:56:48 1,006,592 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll.vir
2011-11-25 18:46:04 . 2011-03-11 03:29:12 227,984 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe.vir
2011-04-18 18:31:55 . 2011-04-18 18:31:55 586,752 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Local\bdw.exe.vir
2011-04-17 07:24:46 . 2011-04-17 07:24:46 586,752 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Local\isy.exe.vir
2011-04-17 03:23:49 . 2011-04-17 03:23:49 586,752 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Local\ogh.exe.vir
2010-11-30 05:42:50 . 2010-11-30 05:42:50 6 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\completescan.vir
2010-11-30 05:36:37 . 2010-11-30 05:36:37 10 ----a-w- C:\Qoobox\Quarantine\C\Users\Dayton Chevalier\AppData\Roaming\install.vir
2010-04-04 21:38:02 . 2009-07-30 02:08:20 4,096 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Thumbs.db.vir
2009-07-13 23:31:13 . 2009-07-14 01:39:46 54,272 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
2007-11-07 12:03:18 . 2007-11-07 12:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\install.exe.vir


If there's anything else I can add, please feel free to inform me. This is all I have for now. In the meantime... I suppose I'll work on 'backing up' my files. Thank you.

Edited by Day64, 20 December 2011 - 04:35 AM.



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 10,006 posts

Posted 26 December 2011 - 04:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433526 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 10,006 posts

Posted 31 December 2011 - 04:50 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!
