Vista Critical Error Restart Loop: Windows keeps restarting, showing the same error message every time


  • This topic is locked
53 replies to this topic

#1 mdrater2012

  • Members
  • 29 posts

Posted 02 September 2012 - 07:28 PM

Good day. This is the same problem described by jserrata2010, posted 19 July 2012. Recently my desktop started getting an error stating: "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now."

I tried running safe mode and disconnecting it from the internet, but the error keeps popping up, causing the PC to restart before I could even back up any of my files.

This is my sister's machine and it has been running for a while with no antivirus protection.
I am unable to start Windows Firewall.
Unable to download Windows Update.
Unable to start Windows Defender.

Ran Malwarebytes and a few items were caught.

The reboot issue started when I was able to load Microsoft Security Essentials.
It showed 2 installer infections and 1 Trojan infection.
But because of the short time before the reboot, Essentials does not have time to finish.

I cannot get auto restart to disable.

Starting up in safe mode still loops to restart.

I had used MSConfig to close startup programs, and now I am not able to get MSConfig to start up.

Machine is a Dell Inspiron 530S, Windows Vista SP1, 64-bit system.

Following others you have helped, I have run a few of the requested steps.

Run from a flash drive: Farbar Recovery Scan Tool x64, using Scan and Services; info below.
---Scan ---

Scan result of Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by SYSTEM at 02-09-2012 17:27:23
Running from D:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet003

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe" [138264 2008-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe" [203800 2008-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] "C:\Windows\system32\igfxpers.exe" [168472 2008-02-11] (Intel Corporation)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\owner\...\Run: [SearchEngineProtection] "C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe" [591248 2011-03-03] (Oberon Media )
HKU\owner\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-10-09] (Google Inc.)
HKU\owner\...\Policies\system: [DisableCMD] 0
HKU\owner\...\Policies\system: [NoDispAppearancePage] 0
HKU\owner\...\Policies\system: [NoDispBackgroundPage] 0
HKU\owner\...\Policies\system: [NoDispSettingsPage] 0
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files (x86)\Digital Line Detect\DLG.exe (Avanquest Software )

==================== Services (Whitelisted) ======

2 AGCoreService; "C:\Program Files\AGI\core\3.0\AGCoreService.exe" [40960 2009-02-05] (AG Interactive)
2 Automatic LiveUpdate Scheduler; "C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe" [243064 2008-01-09] (Symantec Corporation)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-08-21] (AVAST Software)
3 LiveUpdate; "C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE" [3192184 2008-01-09] (Symantec Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ===================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-08-21] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-08-21] (AVAST Software)
1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [44272 2012-08-21] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [969200 2012-08-21] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [359464 2012-08-21] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-08-21] (AVAST Software)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
0 WRkrn; C:\Windows\System32\Drivers\WRkrn.sys [111656 2012-03-09] (Webroot)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 SymIM; C:\Windows\System32\DRIVERS\SymIM.sys [x]
3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-02 17:26 - 2012-09-02 17:26 - 00000000 ____D C:\FRST
2012-09-01 04:29 - 2012-09-01 04:29 - 00000034 ____A C:\Windows\setupact.log
2012-09-01 04:29 - 2012-09-01 04:29 - 00000000 ____A C:\Windows\setuperr.log
2012-08-30 18:10 - 2012-08-30 18:10 - 00000316 ____A C:\Windows\PFRO.log
2012-08-30 17:59 - 2012-08-30 18:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-30 17:59 - 2012-08-30 17:59 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-30 17:57 - 2012-08-30 17:57 - 00000000 ____D C:\8fa2faf48c4854a9c63f93c24415f13d
2012-08-30 17:51 - 2012-08-30 17:51 - 00000000 ____D C:\Program Files\Microsoft ATS
2012-08-30 17:20 - 2012-08-30 17:20 - 00002027 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-30 17:19 - 2012-09-02 09:45 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-30 17:19 - 2012-09-02 08:29 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-30 17:19 - 2012-08-30 17:19 - 00001787 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-08-30 17:19 - 2012-08-30 17:19 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-08-30 17:19 - 2012-08-21 01:13 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-30 17:19 - 2012-08-21 01:13 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-30 17:19 - 2012-08-21 01:13 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-30 17:19 - 2012-08-21 01:13 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-30 17:19 - 2012-08-21 01:13 - 00044272 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-08-30 17:19 - 2012-08-21 01:13 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-30 17:19 - 2012-08-21 01:12 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-30 17:18 - 2012-08-30 17:19 - 00426434 ____A C:\Users\owner\AppData\Local\dd_vcredistMSI467E.txt
2012-08-30 17:18 - 2012-08-30 17:19 - 00011614 ____A C:\Users\owner\AppData\Local\dd_vcredistUI467E.txt
2012-08-30 17:18 - 2012-08-21 01:12 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-30 17:18 - 2012-08-21 01:12 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-30 17:17 - 2012-08-30 17:17 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-08-30 17:17 - 2012-08-30 17:17 - 00000000 ____D C:\Program Files\AVAST Software
2012-08-30 17:14 - 2012-08-30 17:14 - 93654616 ____A C:\Users\owner\Downloads\avast_free_antivirus_setup.exe
2012-08-30 16:51 - 2012-09-02 09:34 - 00005105 ____A C:\Windows\WindowsUpdate.log
2012-08-30 16:49 - 2012-08-30 16:49 - 00001676 ____A C:\Users\owner\Documents\cc_20120830_204937.reg
2012-08-30 16:18 - 2012-08-30 16:28 - 00000732 ____A C:\Users\owner\AppData\Local\d3d9caps64.dat
2012-08-28 07:54 - 2012-08-28 07:54 - 00011087 ____A C:\Users\owner\Documents\DUB SEP 12 ANA ESPINOSA APT 1.xlsx
2012-08-18 20:16 - 2012-08-18 20:16 - 00000772 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-08-18 20:16 - 2012-08-18 20:16 - 00000000 ____D C:\Program Files\CCleaner
2012-08-18 20:06 - 2012-08-18 20:06 - 00000402 ____A C:\Users\owner\Desktop\repair.bat
2012-08-18 20:05 - 2012-08-18 20:05 - 00000402 ____A C:\Users\owner\Desktop\repair.txt
2012-08-18 17:43 - 2012-08-18 17:43 - 00000000 ____D C:\Users\owner\AppData\Roaming\Malwarebytes
2012-08-18 17:42 - 2012-08-18 17:42 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-18 17:42 - 2012-08-18 17:42 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-18 17:42 - 2012-08-18 17:42 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-18 17:42 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-18 17:40 - 2012-08-18 17:40 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-18 15:25 - 2012-08-30 17:59 - 00842484 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-18 15:24 - 2012-08-18 15:24 - 00000000 ____D C:\inetpub
2012-08-18 14:47 - 2012-08-30 19:39 - 00000000 ____D C:\Windows\pss
2012-08-18 13:55 - 2012-08-18 13:55 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-18 13:55 - 2012-08-18 13:55 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-18 13:55 - 2012-08-18 13:55 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-18 13:55 - 2012-08-18 13:55 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-18 13:45 - 2012-08-18 13:45 - 00001919 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-13 17:39 - 2012-08-13 17:39 - 00000000 ____D C:\BigFishGamesCache
2012-08-08 07:48 - 2012-08-08 07:48 - 00000000 __SHD C:\Windows\System32\%APPDATA%

==================== 3 Months Modified Files ================================

2012-09-02 09:45 - 2012-08-30 17:19 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-02 09:45 - 2008-01-20 18:49 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-09-02 09:43 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-02 09:43 - 2006-11-02 07:22 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-02 09:43 - 2006-11-02 07:22 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-02 09:34 - 2012-08-30 16:51 - 00005105 ____A C:\Windows\WindowsUpdate.log
2012-09-02 09:27 - 2006-11-02 07:42 - 00032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-02 08:56 - 2008-09-26 12:54 - 00000418 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{A3AF18B4-18F0-4A5D-8809-5BA977432849}.job
2012-09-02 08:29 - 2012-08-30 17:19 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-01 04:29 - 2012-09-01 04:29 - 00000034 ____A C:\Windows\setupact.log
2012-09-01 04:29 - 2012-09-01 04:29 - 00000000 ____A C:\Windows\setuperr.log
2012-08-30 19:44 - 2008-09-29 15:15 - 00002651 ____A C:\Users\owner\Desktop\Microsoft Office Word 2007.lnk
2012-08-30 18:52 - 2006-11-02 07:21 - 00027648 _____ C:\Windows\System32\umstartup.etl
2012-08-30 18:10 - 2012-08-30 18:10 - 00000316 ____A C:\Windows\PFRO.log
2012-08-30 17:59 - 2012-08-18 15:25 - 00842484 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-30 17:20 - 2012-08-30 17:20 - 00002027 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-30 17:19 - 2012-08-30 17:19 - 00001787 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-08-30 17:19 - 2012-08-30 17:19 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-08-30 17:19 - 2012-08-30 17:18 - 00426434 ____A C:\Users\owner\AppData\Local\dd_vcredistMSI467E.txt
2012-08-30 17:19 - 2012-08-30 17:18 - 00011614 ____A C:\Users\owner\AppData\Local\dd_vcredistUI467E.txt
2012-08-30 17:14 - 2012-08-30 17:14 - 93654616 ____A C:\Users\owner\Downloads\avast_free_antivirus_setup.exe
2012-08-30 17:08 - 2006-11-02 04:46 - 00824576 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-30 16:49 - 2012-08-30 16:49 - 00001676 ____A C:\Users\owner\Documents\cc_20120830_204937.reg
2012-08-30 16:28 - 2012-08-30 16:18 - 00000732 ____A C:\Users\owner\AppData\Local\d3d9caps64.dat
2012-08-28 14:41 - 2008-09-29 15:15 - 00002609 ____A C:\Users\owner\Desktop\Microsoft Office Excel 2007.lnk
2012-08-28 14:00 - 2010-01-04 07:05 - 00000466 ____A C:\Windows\Tasks\ParetoLogic Registration.job
2012-08-28 08:28 - 2009-03-26 05:39 - 00000880 ____A C:\Windows\Tasks\Google Software Updater.job
2012-08-28 07:54 - 2012-08-28 07:54 - 00011087 ____A C:\Users\owner\Documents\DUB SEP 12 ANA ESPINOSA APT 1.xlsx
2012-08-24 05:28 - 2012-07-17 17:18 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-24 05:28 - 2011-06-28 01:24 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-21 01:13 - 2012-08-30 17:19 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-21 01:13 - 2012-08-30 17:19 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-21 01:13 - 2012-08-30 17:19 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-21 01:13 - 2012-08-30 17:19 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-21 01:13 - 2012-08-30 17:19 - 00044272 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-08-21 01:13 - 2012-08-30 17:19 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-21 01:12 - 2012-08-30 17:19 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-21 01:12 - 2012-08-30 17:18 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-21 01:12 - 2012-08-30 17:18 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-18 20:16 - 2012-08-18 20:16 - 00000772 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-08-18 20:06 - 2012-08-18 20:06 - 00000402 ____A C:\Users\owner\Desktop\repair.bat
2012-08-18 20:05 - 2012-08-18 20:05 - 00000402 ____A C:\Users\owner\Desktop\repair.txt
2012-08-18 19:50 - 2006-11-02 04:34 - 00443281 ___RA C:\Windows\System32\Drivers\etc\hosts.20120828-203802.backup
2012-08-18 17:42 - 2012-08-18 17:42 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-18 17:40 - 2012-08-18 17:40 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\owner\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-18 13:55 - 2012-08-18 13:55 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-08-18 13:55 - 2012-08-18 13:55 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-08-18 13:55 - 2012-08-18 13:55 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-08-18 13:55 - 2012-08-18 13:55 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-08-18 13:55 - 2011-06-10 06:08 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-08-18 13:45 - 2012-08-18 13:45 - 00001919 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-15 14:37 - 2006-11-02 04:34 - 00443281 ___RA C:\Windows\System32\Drivers\etc\hosts.20120818-235021.backup
2012-08-11 21:08 - 2006-11-02 04:34 - 00443237 ___RA C:\Windows\System32\Drivers\etc\hosts.20120815-183747.backup
2012-08-03 18:18 - 2006-11-02 04:34 - 00443057 ___RA C:\Windows\System32\Drivers\etc\hosts.20120812-010809.backup
2012-07-30 11:23 - 2012-07-30 09:49 - 04503728 ___AT C:\Users\All Users\ras_0oed.pad
2012-07-24 11:16 - 2012-07-24 10:39 - 04503728 ___AT C:\Users\All Users\z7_0ytr.pad
2012-07-22 07:15 - 2012-03-04 10:00 - 00042224 ____A C:\Users\owner\Documents\Ennio counseling.pptx
2012-07-12 01:31 - 2012-07-09 15:20 - 00000680 ____A C:\Users\owner\AppData\Local\d3d9caps.dat
2012-07-03 09:46 - 2012-08-18 17:42 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 23:19 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-30 17:57 - 2012-06-30 17:57 - 00565936 ____A C:\Users\owner\AppData\Local\dd_vcredistMSI45E3.txt
2012-06-30 17:57 - 2012-06-30 17:56 - 00014290 ____A C:\Users\owner\AppData\Local\dd_vcredistUI45E3.txt

ZeroAccess:
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000001.@

ZeroAccess:
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\1afb2d56
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000004.@
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000000.@
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000064.@

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BA539D2CE99C05A180EC518EA2040D6A ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-22 12:38:57
Restore point made on: 2012-08-27 18:03:54
Restore point made on: 2012-08-28 08:34:30
Restore point made on: 2012-08-30 03:43:48
Restore point made on: 2012-08-30 17:17:38

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 4084.27 MB
Available physical RAM: 3660.03 MB
Total Pagefile: 3955.91 MB
Available Pagefile: 3639.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:455.96 GB) (Free:338.82 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (PUBLIC) (Removable) (Total:3.73 GB) (Free:3.7 GB) FAT32
8 Drive x: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:4.67 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 Online 3822 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 10 GB 40 MB
Partition 3 Primary 456 GB 10 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 X RECOVERY NTFS Partition 10 GB Healthy Boot

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 456 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D PUBLIC FAT32 Removable 3818 MB Healthy

==================================================================================

Last Boot: 2012-08-30 17:07

==================== End Of Log =============================

Next run: FRST64 Search for services.exe
Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-02 18:24:22
Running from D:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-12 07:54] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-12 07:54] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2008-01-20 18:49] - [2012-09-02 09:45] - 0384512 ____A (Microsoft Corporation) BA539D2CE99C05A180EC518EA2040D6A

====== End Of Search ======


Now I need your magic touch for a fixlog to, I hope,
stop the looping and guide me further.


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 03 September 2012 - 12:12 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.
Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\GAC\Desktop.ini 
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
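The two findings FRST reported in the first post (the MD5 of C:\Windows\System32\services.exe not matching any known-good copy, and the {GUID} folders holding "@", "L" and "U" that it labels ZeroAccess) and the effect of the Replace: line in the fixlist above, reproduced as an added Python example. This is not FRST's code and was not posted in the thread: it builds a constructed directory tree in a temporary folder, with made-up component-store folder names and byte contents (only the layout mirrors the log), so it runs offline on any OS.

```python
"""Added example (not FRST's code or anything posted in this thread).

Re-creates, on a constructed tree, the two checks FRST reported above and
the effect of a 'Replace:' fixlist line: (1) MD5 of the live
System32\\services.exe vs. the copies Windows keeps in WinSxS for the same
architecture; (2) a {GUID}-named folder holding '@', 'L' and 'U'.
"""
import hashlib
import os
import re
import shutil
import tempfile

GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
ZA_MARKERS = {"@", "L", "U"}   # entries FRST listed under the ZeroAccess folder


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def winsxs_candidates(root, name, arch):
    """(path, md5, size) for each WinSxS copy of `name` whose component is `arch`."""
    out = []
    sxs = os.path.join(root, "Windows", "winsxs")
    if not os.path.isdir(sxs):
        return out
    for comp in sorted(os.listdir(sxs)):
        p = os.path.join(sxs, comp, name)
        if comp.startswith(arch + "_") and os.path.isfile(p):
            out.append((p, md5_of(p), os.path.getsize(p)))
    return out


def check_system_binary(root, name="services.exe", arch="amd64"):
    """Mirror FRST's 'MD5 is legit' check; on mismatch name a same-size WinSxS
    copy suitable for a 'Replace:' line (None if there is no candidate)."""
    live = os.path.join(root, "Windows", "System32", name)
    live_md5, live_size = md5_of(live), os.path.getsize(live)
    cands = winsxs_candidates(root, name, arch)
    if any(md5 == live_md5 for _, md5, _ in cands):
        return {"live_md5": live_md5, "status": "legit", "replacement": None}
    # ZeroAccess patches services.exe in place (size unchanged), so only
    # same-size copies qualify; folder names carry the version, so the
    # lexically last one is the newest build.
    same_size = sorted(p for p, _, size in cands if size == live_size)
    return {"live_md5": live_md5, "status": "mismatch",
            "replacement": same_size[-1] if same_size else None}


def find_zeroaccess_dirs(root):
    """Folders named {GUID} that contain all three of '@', 'L' and 'U'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if GUID_DIR.match(os.path.basename(dirpath)) and \
                ZA_MARKERS <= set(dirnames) | set(filenames):
            hits.append(dirpath)
    return sorted(hits)


def build_sample_tree():
    """Constructed tree: patched services.exe, WinSxS copies, one ZeroAccess folder."""
    root = tempfile.mkdtemp(prefix="frst_demo_")

    def put(parts, data=b""):
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    clean = b"MZ" + b"\x00" * 510            # stand-in bytes, not a real PE
    patched = clean[:-1] + b"\x90"           # same size, one byte differs
    sxs = ("Windows", "winsxs")              # component names below are made up
    put(("Windows", "System32", "services.exe"), patched)
    put(sxs + ("amd64_servicecontroller_6.0.6002.18005", "services.exe"), clean)
    put(sxs + ("amd64_servicecontroller_6.0.6001.18000", "services.exe"), clean[:-1])
    put(sxs + ("x86_servicecontroller_6.0.6002.18005", "services.exe"), clean[:400])
    za = ("Windows", "Installer", "{7faaaafa-cf14-2f74-3593-878a94dc601b}")
    put(za + ("@",))
    put(za + ("U", "00000001.@"))
    os.makedirs(os.path.join(root, *za, "L"), exist_ok=True)
    # A legitimate {GUID} folder under Installer must not be flagged.
    put(("Windows", "Installer", "{11111111-2222-3333-4444-555555555555}", "x.msi"))
    return root


def run_demo():
    """Detect, apply the Replace: equivalent, re-check. Returns (before, after, za_dirs)."""
    root = build_sample_tree()
    live = os.path.join(root, "Windows", "System32", "services.exe")
    before = check_system_binary(root)
    za_dirs = find_zeroaccess_dirs(root)
    if before["status"] == "mismatch" and before["replacement"]:
        shutil.copyfile(live, live + ".suspect")   # keep the patched file for analysis
        shutil.copyfile(before["replacement"], live)
    after = check_system_binary(root)
    shutil.rmtree(root)
    return before, after, za_dirs


if __name__ == "__main__":
    b, a, z = run_demo()
    print(f"services.exe before: {b['status']} ({b['live_md5']}), after: {a['status']}, "
          f"ZeroAccess folders: {z}")
```

Two caveats the log itself illustrates: the comparison is only as good as the WinSxS copies, which is why FRST lists every copy with its hash rather than trusting one, and on a live infection the malware can block access to its own folders, which is one reason the tool is run from System Recovery Options rather than inside the running Windows.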

#3 mdrater2012 (Topic Starter)

Posted 03 September 2012 - 01:56 PM

Good day Gringo, TY for your help.

Fix log; I have not restarted the machine.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-03 14:42:55 Run:1
Running from D:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini not found.
C:\Windows\assembly\GAC_64\Desktop.ini not found.
C:\Windows\assembly\GAC\Desktop.ini not found.
C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b} moved successfully.
C:\Users\owner\AppData\Local\{7faaaafa-cf14-2f74-3593-878a94dc601b} moved successfully.

==== End of Fixlog ====

#4 gringo_pr (Bleepin Gringo)

Posted 03 September 2012 - 02:17 PM

Hello

Please restart the computer

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 mdrater2012 (Topic Starter)

Posted 03 September 2012 - 04:26 PM

Hello Gringo,
I have restarted Sis's infected machine.
It has not done the reboot thing,
and I had to connect to the net to download ComboFix;
now using Sis's machine to communicate.

ComboFix run.
Checked for running antivirus and all seemed to be off or out of date.
I did forget to check that Windows Firewall was off before running ComboFix.

I have checked Windows Security and all items are now turned on.

ComboFix 12-09-03.07 - owner 09/03/2012 16:45:14.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4084.2650 [GMT -4:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *Disabled/Outdated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\alotappbar
c:\program files (x86)\alotappbar\alotUninst.exe
c:\program files (x86)\alotappbar\bin\alotappbar.dll
c:\program files (x86)\alotappbar\bin\alothelper.dll
c:\program files (x86)\alotappbar\bin\ALOTSettings.exe
c:\program files (x86)\alotappbar\bin\alotwidgets.exe
c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll
c:\program files (x86)\PC MightyMax 2009
c:\program files (x86)\PC MightyMax 2009\pcmm2009.error.log
c:\programdata\ras_0oed.pad
c:\programdata\z7_0ytr.pad
c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\Tutorials.url
.
.
((((((((((((((((((((((((( Files Created from 2012-08-03 to 2012-09-03 )))))))))))))))))))))))))))))))
.
.
2012-09-03 20:55 . 2012-09-03 20:55 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E7C4E66-6E5F-4DE6-87BB-3DB7287B1468}\offreg.dll
2012-09-03 20:53 . 2012-09-03 20:56 -------- d-----w- c:\users\owner\AppData\Local\temp
2012-09-03 20:53 . 2012-09-03 20:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-03 01:26 . 2012-09-03 01:27 -------- d-----w- C:\FRST
2012-08-31 02:07 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39F7EC04-8DB0-46E2-9C88-DAB725552356}\gapaengine.dll
2012-08-31 02:07 . 2012-08-28 05:49 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E7C4E66-6E5F-4DE6-87BB-3DB7287B1468}\mpengine.dll
2012-08-31 01:59 . 2012-08-31 01:59 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-31 01:59 . 2012-08-31 02:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-31 01:57 . 2012-08-31 01:57 -------- d-----w- C:\8fa2faf48c4854a9c63f93c24415f13d
2012-08-31 01:51 . 2012-08-31 01:51 -------- d-----w- c:\program files\Microsoft ATS
2012-08-31 01:19 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-31 01:19 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-31 01:19 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-31 01:19 . 2012-08-21 09:13 44272 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-31 01:19 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-31 01:19 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-31 01:19 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-31 01:18 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-08-31 01:18 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-31 01:17 . 2012-08-31 01:17 -------- d-----w- c:\programdata\AVAST Software
2012-08-31 01:17 . 2012-08-31 01:17 -------- d-----w- c:\program files\AVAST Software
2012-08-19 04:16 . 2012-08-19 04:16 -------- d-----w- c:\program files\CCleaner
2012-08-19 01:43 . 2012-08-19 01:43 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2012-08-19 01:42 . 2012-08-19 01:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-19 01:42 . 2012-08-19 01:42 -------- d-----w- c:\programdata\Malwarebytes
2012-08-19 01:42 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-18 23:28 . 2012-08-19 01:37 -------- d-----w- c:\users\owner\AppData\Local\ElevatedDiagnostics
2012-08-18 23:24 . 2012-08-18 23:24 -------- d-----w- C:\inetpub
2012-08-18 21:55 . 2012-08-18 21:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-14 01:39 . 2012-08-14 01:39 -------- d-----w- C:\BigFishGamesCache
2012-08-08 15:48 . 2012-08-08 15:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 13:28 . 2012-07-18 01:18 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-24 13:28 . 2011-06-28 09:24 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-18 21:55 . 2011-06-10 14:08 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 07:19 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-29 10:04 . 2012-08-08 15:34 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8F6CC751-943B-4661-A859-8511462A3AF4}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 01:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SearchEngineProtection"="c:\program files (x86)\Gamesbar\SearchEngineProtection.exe" [2011-03-03 591248]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files (x86)\Digital Line Detect\DLG.exe [2008-8-23 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-08 c:\windows\Tasks\DriverCure.job
- c:\program files (x86)\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]
.
2012-08-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-28 11:14]
.
2012-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 01:19]
.
2012-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 01:19]
.
2012-08-28 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2006-11-02 09:45]
.
2010-01-16 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2012-09-03 c:\windows\Tasks\User_Feed_Synchronization-{A3AF18B4-18F0-4A5D-8809-5BA977432849}.job
- c:\windows\system32\msfeedssync.exe [2011-07-14 04:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-08 15:55 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9df9b682-9c18-4a01-bac3-a265ca7cd866}"= "mscoree.dll" [2009-11-08 444752]
.
[HKEY_CLASSES_ROOT\CLSID\{9df9b682-9c18-4a01-bac3-a265ca7cd866}]
[HKEY_CLASSES_ROOT\EGToolbar.EGToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
------- File Associations -------
.
inifile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
txtfile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
BHO-{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2} - c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll
Toolbar-{A531D99C-5A22-449b-83DA-872725C6D0ED} - c:\program files (x86)\alotappbar\bin\ALOTHelper.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-alotAppbar - c:\program files (x86)\alotappbar\alotUninst.exe
AddRemove-FXCM Trading Station - c:\programdata\{ACABC2F9-44A4-4E51-B14F-01A564E7E99E}\TS2Install.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-09-03 17:03:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-03 21:03
.
Pre-Run: 387,307,130,880 bytes free
Post-Run: 387,671,904,256 bytes free
.
- - End Of File - - FFFA5324701C9FF183FAADC47396FD55

#6 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 September 2012 - 06:58 PM

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


#7 mdrater2012
  • Topic Starter
  • Members
  • 29 posts

Posted 03 September 2012 - 08:09 PM

Seems like it is running OK.
Have been playing some solitaire.

Some of the programs that would not open or run are functioning,
but I have not run any updates on them:
IE - Windows Update - 1 available, Malware Removal Tool
I see that Vista SP2 has failed to load
Defender opens, did not run
These were a few not functioning when we started.




RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 64 bits version
Started in : Normal mode
User : owner [Admin rights]
Mode : Scan -- Date : 09/03/2012 20:56:43

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-75A7B0 ATA Device +++++
--- User ---
[MBR] ea51be4ccc23f96c00085860a13883ac
[BSP] 1af4d28bb70c03811e78e660b7f2fd28 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20561920 | Size: 466899 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: TEAC USB HS-CF Card USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: TEAC USB HS-xD/SM USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: TEAC USB HS-MS Card USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: TEAC USB HS-SD Card USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#8 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 September 2012 - 08:43 PM

Hello

Let's have RogueKiller fix what it has found.


--Run RogueKiller--

  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


#9 mdrater2012
  • Topic Starter
  • Members
  • 29 posts

Posted 03 September 2012 - 09:07 PM

Hello Gringo
RogueKiller / Delete - run
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 64 bits version
Started in : Normal mode
User : owner [Admin rights]
Mode : Remove -- Date : 09/03/2012 22:00:43

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-75A7B0 ATA Device +++++
--- User ---
[MBR] ea51be4ccc23f96c00085860a13883ac
[BSP] 1af4d28bb70c03811e78e660b7f2fd28 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20561920 | Size: 466899 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 September 2012 - 09:16 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files (x86)\Ask.com
c:\program files (x86)\ParetoLogic\DriverCure

File::
c:\windows\Tasks\DriverCure.job

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • Report from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#11 mdrater2012
  • Topic Starter
  • Members
  • 29 posts

Posted 03 September 2012 - 10:55 PM

Good evening Gringo,
having a bit of a problem.

Ran ComboFix.
It requested for Microsoft Security Essentials to be shut off,
went into MSE and set real-time protection off
and hit continue.

Now I have lost the internet connection and have not been able to reconnect.

Get message - Error connecting to Netgear (router)
Connection through WAN Miniport (PPPOE)...
Error 815

Computer sees router, not internet.
My computer connects wired to the same router.

Tried to restart; cannot get it to connect.

I had to cut and paste with thumb nail to my computer.

ComboFix 12-09-03.07 - owner 09/03/2012 22:32:34.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4084.2701 [GMT -4:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
Command switches used :: c:\users\owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Tasks\DriverCure.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Ask.com
c:\program files (x86)\Ask.com\assets\oobe\b.png
c:\program files (x86)\Ask.com\assets\oobe\bl.png
c:\program files (x86)\Ask.com\assets\oobe\br.png
c:\program files (x86)\Ask.com\assets\oobe\l.png
c:\program files (x86)\Ask.com\assets\oobe\pointer.png
c:\program files (x86)\Ask.com\assets\oobe\r.png
c:\program files (x86)\Ask.com\assets\oobe\t.png
c:\program files (x86)\Ask.com\assets\oobe\tl.png
c:\program files (x86)\Ask.com\assets\oobe\tr.png
c:\program files (x86)\Ask.com\cobrand.ico
c:\program files (x86)\Ask.com\config.xml
c:\program files (x86)\Ask.com\favicon.ico
c:\program files (x86)\Ask.com\GenericAskToolbar.dll
c:\program files (x86)\Ask.com\mupcfg.xml
c:\program files (x86)\Ask.com\precache.exe
c:\program files (x86)\Ask.com\SaUpdate.exe
c:\program files (x86)\Ask.com\Updater\config.xml
c:\program files (x86)\Ask.com\Updater\Updater.exe
c:\program files (x86)\Ask.com\UpdateTask.exe
c:\program files (x86)\ParetoLogic\DriverCure
c:\program files (x86)\ParetoLogic\DriverCure\7ZipDLL.dll
c:\program files (x86)\ParetoLogic\DriverCure\DriverCure.exe
c:\program files (x86)\ParetoLogic\DriverCure\DriverCureHelp.chm
c:\program files (x86)\ParetoLogic\DriverCure\HTML\0_days.htm
c:\program files (x86)\ParetoLogic\DriverCure\HTML\1_days.htm
c:\program files (x86)\ParetoLogic\DriverCure\HTML\15_days.htm
c:\program files (x86)\ParetoLogic\DriverCure\HTML\2_days.htm
c:\program files (x86)\ParetoLogic\DriverCure\HTML\30_days.htm
c:\program files (x86)\ParetoLogic\DriverCure\HTML\5_days.htm
c:\program files (x86)\ParetoLogic\DriverCure\HTML\blue_duo.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\container_content_bkimg.gif
c:\program files (x86)\ParetoLogic\DriverCure\HTML\container_content_leftimg.gif
c:\program files (x86)\ParetoLogic\DriverCure\HTML\container_content_rightimg.gif
c:\program files (x86)\ParetoLogic\DriverCure\HTML\green_duo.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\10x10.gif
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\10x10tile.gif
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\contentwrapper.gif
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\footerbarfill.gif
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\info_bubble.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\Thumbs.db
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\tile_footerbarbase.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\tile_titlebarbase.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\tile_titlebarend.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\images\tile_titlebarfloat.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\main.css
c:\program files (x86)\ParetoLogic\DriverCure\HTML\orange_duo.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\package_titlebar_bkimg.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\special_offer.jpg
c:\program files (x86)\ParetoLogic\DriverCure\HTML\tp.css
c:\program files (x86)\ParetoLogic\DriverCure\HTML\trialpay.htm
c:\program files (x86)\ParetoLogic\DriverCure\Images\althomepage.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0001.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0002.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0003.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0004.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0005.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0006.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0007.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0008.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0009.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0010.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0011.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0012.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0013.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0014.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0015.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0016.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0017.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0018.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\animation\anim0019.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\banner_stretch.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\bg.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\blue_close1.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\blue_close2.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\blue_max1.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\blue_max2.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\blue_min1.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\blue_min2.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\data_logo.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\homepage_logo.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\nav_active.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\blue\nav_normal.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\bullet_list.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\cd.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\check.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\ClearButton.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\ClearButtonDown.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\ClearButtonOver.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\close-b.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\close.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Collapse Down.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Collapse Up.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\cpu.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\data_logo.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\delete.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\disk.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\display.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\drivernoupdate.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\driverupdate.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\email_logo.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\floppy.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\homepage.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\homepage_logo.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image1.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image2.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image3.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image4.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image5.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image6.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image7.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\image8.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\info.jpg
c:\program files (x86)\ParetoLogic\DriverCure\Images\info.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Logo.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\max-b.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\max-g.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\max.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\min-b.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\min-g.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\min.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\mouse_key.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\nav-about.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Nav-history.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Nav-Ignore.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\nav-scan.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Nav-Schedule.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\next.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\nextover.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\other.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\outdated.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\power.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\poweredby.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\printer.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\register.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\register_over.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Registration_small.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\Save.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\save_over.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\scan_check.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\scan_list.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\software.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\softwarenoupdate.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\softwareupdate.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\StartScanButton.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\StartScanButtonDown.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\StartScanButtonMouseOver.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\system.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\toplogo.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\uptodate.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\usb.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\warning.png
c:\program files (x86)\ParetoLogic\DriverCure\Images\warning_big.jpg
c:\program files (x86)\ParetoLogic\DriverCure\Images\warning_big.png
c:\program files (x86)\ParetoLogic\DriverCure\Install Driver Win32.exe
c:\program files (x86)\ParetoLogic\DriverCure\Install Driver Win64.exe
c:\program files (x86)\ParetoLogic\DriverCure\PLCommonDlg.dll
c:\program files (x86)\ParetoLogic\DriverCure\settings.xml
c:\program files (x86)\ParetoLogic\DriverCure\uninstall.exe
c:\program files (x86)\ParetoLogic\DriverCure\UNS.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
.
.
2012-09-04 02:43 . 2012-09-04 02:43 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E7C4E66-6E5F-4DE6-87BB-3DB7287B1468}\offreg.dll
2012-09-04 02:40 . 2012-09-04 02:45 -------- d-----w- c:\users\owner\AppData\Local\temp
2012-09-04 02:40 . 2012-09-04 02:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-03 01:26 . 2012-09-03 01:27 -------- d-----w- C:\FRST
2012-08-31 02:07 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39F7EC04-8DB0-46E2-9C88-DAB725552356}\gapaengine.dll
2012-08-31 02:07 . 2012-08-28 05:49 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E7C4E66-6E5F-4DE6-87BB-3DB7287B1468}\mpengine.dll
2012-08-31 01:59 . 2012-08-31 01:59 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-31 01:59 . 2012-08-31 02:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-31 01:57 . 2012-08-31 01:57 -------- d-----w- C:\8fa2faf48c4854a9c63f93c24415f13d
2012-08-31 01:51 . 2012-08-31 01:51 -------- d-----w- c:\program files\Microsoft ATS
2012-08-31 01:19 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-31 01:19 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-31 01:19 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-31 01:19 . 2012-08-21 09:13 44272 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-31 01:19 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-31 01:19 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-31 01:19 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-31 01:18 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-08-31 01:18 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-31 01:17 . 2012-08-31 01:17 -------- d-----w- c:\programdata\AVAST Software
2012-08-31 01:17 . 2012-08-31 01:17 -------- d-----w- c:\program files\AVAST Software
2012-08-19 04:16 . 2012-08-19 04:16 -------- d-----w- c:\program files\CCleaner
2012-08-19 01:43 . 2012-08-19 01:43 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2012-08-19 01:42 . 2012-08-19 01:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-19 01:42 . 2012-08-19 01:42 -------- d-----w- c:\programdata\Malwarebytes
2012-08-19 01:42 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-18 23:28 . 2012-08-19 01:37 -------- d-----w- c:\users\owner\AppData\Local\ElevatedDiagnostics
2012-08-18 23:24 . 2012-08-18 23:24 -------- d-----w- C:\inetpub
2012-08-18 21:55 . 2012-08-18 21:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-14 01:39 . 2012-08-14 01:39 -------- d-----w- C:\BigFishGamesCache
2012-08-08 15:48 . 2012-08-08 15:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 13:28 . 2012-07-18 01:18 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-24 13:28 . 2011-06-28 09:24 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-18 21:55 . 2011-06-10 14:08 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 07:19 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-29 10:04 . 2012-08-08 15:34 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8F6CC751-943B-4661-A859-8511462A3AF4}\mpengine.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-03_20.56.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2012-09-04 02:47 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-09-03 20:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-09-04 02:47 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-09-03 20:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2012-09-04 02:45 91542 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-09-04 02:45 51584 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-09-26 18:33 . 2012-09-04 00:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-26 18:33 . 2012-08-14 08:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-26 18:33 . 2012-09-04 00:43 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-26 18:33 . 2012-08-14 08:50 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-26 18:33 . 2012-08-14 08:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-26 18:33 . 2012-09-04 00:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-27 14:43 . 2012-09-04 01:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-27 14:43 . 2012-09-03 20:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-27 14:43 . 2012-09-03 20:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-27 14:43 . 2012-09-04 01:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-03 02:07 . 2012-09-02 17:35 4070 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2008-10-03 02:07 . 2012-09-03 23:25 4070 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2008-09-25 13:25 . 2012-09-04 02:45 9088 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1853611587-1203266746-1053686521-1000_UserData.bin
- 2012-09-03 20:54 . 2012-09-03 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-04 02:42 . 2012-09-04 02:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-03 20:54 . 2012-09-03 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-04 02:42 . 2012-09-04 02:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-09-26 02:11 . 2012-09-03 20:59 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-26 02:11 . 2012-09-04 02:47 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-01-21 03:20 . 2012-09-04 02:47 311296 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2012-09-03 20:59 311296 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-26 02:11 . 2012-09-04 01:54 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-09-26 02:11 . 2012-09-03 20:55 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-02-04 18:33 . 2012-09-04 01:54 868352 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-02-04 18:33 . 2012-09-03 20:55 868352 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-23 19:47 . 2012-09-03 20:55 3866624 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 19:47 . 2012-09-04 01:54 3866624 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-23 19:47 . 2012-09-03 20:55 6258688 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-23 19:47 . 2012-09-04 01:54 6258688 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}]
c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{A531D99C-5A22-449b-83DA-872725C6D0ED}"= "c:\program files (x86)\alotappbar\bin\ALOTHelper.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{a531d99c-5a22-449b-83da-872725c6d0ed}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SearchEngineProtection"="c:\program files (x86)\Gamesbar\SearchEngineProtection.exe" [2011-03-03 591248]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files (x86)\Digital Line Detect\DLG.exe [2008-8-23 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-28 11:14]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 01:19]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 01:19]
.
2012-09-03 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2006-11-02 09:45]
.
2010-01-16 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2012-09-04 c:\windows\Tasks\User_Feed_Synchronization-{A3AF18B4-18F0-4A5D-8809-5BA977432849}.job
- c:\windows\system32\msfeedssync.exe [2011-07-14 04:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9df9b682-9c18-4a01-bac3-a265ca7cd866}"= "mscoree.dll" [2009-11-08 444752]
.
[HKEY_CLASSES_ROOT\CLSID\{9df9b682-9c18-4a01-bac3-a265ca7cd866}]
[HKEY_CLASSES_ROOT\EGToolbar.EGToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files (x86)\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files (x86)\Ask.com\GenericAskToolbar.dll
Wow6432Node-HKLM-Run-ApnUpdater - c:\program files (x86)\Ask.com\Updater\Updater.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-{1E0D8F69-A6AB-4934-9B2D-159D9F97BA4A} - c:\program files (x86)\ParetoLogic\DriverCure\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-09-03 22:54:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-04 02:54
ComboFix2.txt 2012-09-03 21:03
.
Pre-Run: 387,433,209,856 bytes free
Post-Run: 387,462,066,176 bytes free
.
- - End Of File - - 3DEAD98F97410AC20FA5835C6298DA20

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:19 AM

Posted 03 September 2012 - 11:14 PM

Rerun ComboFix again and see if it reconnects.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 mdrater2012

mdrater2012
  • Topic Starter

  • Members
  • 29 posts
  • Local time:09:19 AM

Posted 04 September 2012 - 07:03 PM

Hello Gringo,
Re-ran ComboFix; still unable to reconnect to the internet.

Not sure if you wanted the report, but here it is.



ComboFix 12-09-03.07 - owner 09/04/2012 6:50.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4084.2855 [GMT -4:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
Command switches used :: c:\users\owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Tasks\DriverCure.job"
.
.
((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
.
.
2012-09-04 10:58 . 2012-09-04 10:58 -------- d-----w- c:\users\owner\AppData\Local\temp
2012-09-04 10:58 . 2012-09-04 10:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-04 10:34 . 2012-09-04 10:34 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E7C4E66-6E5F-4DE6-87BB-3DB7287B1468}\offreg.dll
2012-09-03 01:26 . 2012-09-03 01:27 -------- d-----w- C:\FRST
2012-08-31 02:07 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39F7EC04-8DB0-46E2-9C88-DAB725552356}\gapaengine.dll
2012-08-31 02:07 . 2012-08-28 05:49 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7E7C4E66-6E5F-4DE6-87BB-3DB7287B1468}\mpengine.dll
2012-08-31 01:59 . 2012-08-31 01:59 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-31 01:59 . 2012-08-31 02:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-31 01:57 . 2012-08-31 01:57 -------- d-----w- C:\8fa2faf48c4854a9c63f93c24415f13d
2012-08-31 01:51 . 2012-08-31 01:51 -------- d-----w- c:\program files\Microsoft ATS
2012-08-31 01:19 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-31 01:19 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-31 01:19 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-31 01:19 . 2012-08-21 09:13 44272 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-31 01:19 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-31 01:19 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-31 01:19 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-31 01:18 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-08-31 01:18 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-31 01:17 . 2012-08-31 01:17 -------- d-----w- c:\programdata\AVAST Software
2012-08-31 01:17 . 2012-08-31 01:17 -------- d-----w- c:\program files\AVAST Software
2012-08-19 04:16 . 2012-08-19 04:16 -------- d-----w- c:\program files\CCleaner
2012-08-19 01:43 . 2012-08-19 01:43 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2012-08-19 01:42 . 2012-08-19 01:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-19 01:42 . 2012-08-19 01:42 -------- d-----w- c:\programdata\Malwarebytes
2012-08-19 01:42 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-18 23:28 . 2012-08-19 01:37 -------- d-----w- c:\users\owner\AppData\Local\ElevatedDiagnostics
2012-08-18 23:24 . 2012-08-18 23:24 -------- d-----w- C:\inetpub
2012-08-18 21:55 . 2012-08-18 21:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-14 01:39 . 2012-08-14 01:39 -------- d-----w- C:\BigFishGamesCache
2012-08-08 15:48 . 2012-08-08 15:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-08 15:34 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8F6CC751-943B-4661-A859-8511462A3AF4}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 13:28 . 2012-07-18 01:18 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-24 13:28 . 2011-06-28 09:24 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-18 21:55 . 2011-06-10 14:08 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 07:19 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-03_20.56.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2012-09-04 10:36 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-09-03 20:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-09-03 20:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2012-09-04 10:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2012-09-04 10:36 91780 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-09-04 10:36 51680 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-09-26 18:33 . 2012-08-14 08:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-26 18:33 . 2012-09-04 00:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-26 18:33 . 2012-09-04 00:43 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-26 18:33 . 2012-08-14 08:50 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-26 18:33 . 2012-09-04 00:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-26 18:33 . 2012-08-14 08:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-27 14:43 . 2012-09-04 03:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-27 14:43 . 2012-09-03 20:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-27 14:43 . 2012-09-04 03:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-27 14:43 . 2012-09-03 20:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-03 02:07 . 2012-09-02 17:35 4070 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2008-10-03 02:07 . 2012-09-03 23:25 4070 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2008-09-25 13:25 . 2012-09-04 10:36 9282 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1853611587-1203266746-1053686521-1000_UserData.bin
- 2012-09-03 20:54 . 2012-09-03 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-04 10:33 . 2012-09-04 10:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-03 20:54 . 2012-09-03 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-04 10:33 . 2012-09-04 10:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-09-26 02:11 . 2012-09-03 20:59 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-26 02:11 . 2012-09-04 10:36 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-01-21 03:20 . 2012-09-04 10:36 311296 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2012-09-03 20:59 311296 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 12:46 . 2012-09-04 03:47 693696 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-09-03 20:00 693696 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-09-04 03:47 136062 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-09-03 20:00 136062 c:\windows\system32\perfc009.dat
- 2009-09-26 02:11 . 2012-09-03 20:55 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-09-26 02:11 . 2012-09-04 01:54 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2008-02-04 18:33 . 2012-09-03 20:55 868352 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-02-04 18:33 . 2012-09-04 01:54 868352 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-23 19:47 . 2012-09-03 20:55 3866624 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 19:47 . 2012-09-04 01:54 3866624 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 19:47 . 2012-09-04 01:54 6258688 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-23 19:47 . 2012-09-03 20:55 6258688 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{85F5CF95-EC8F-49fc-BB3F-38C79455CBA2}]
c:\program files (x86)\alotappbar\bin\BHO\ALOTHelperBHO.dll [BU]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
c:\program files (x86)\Ask.com\GenericAskToolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [BU]
"{A531D99C-5A22-449b-83DA-872725C6D0ED}"= "c:\program files (x86)\alotappbar\bin\ALOTHelper.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{a531d99c-5a22-449b-83da-872725c6d0ed}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SearchEngineProtection"="c:\program files (x86)\Gamesbar\SearchEngineProtection.exe" [2011-03-03 591248]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files (x86)\Digital Line Detect\DLG.exe [2008-8-23 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-28 11:14]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 01:19]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-31 01:19]
.
2012-09-03 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2006-11-02 09:45]
.
2010-01-16 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2012-09-04 c:\windows\Tasks\User_Feed_Synchronization-{A3AF18B4-18F0-4A5D-8809-5BA977432849}.job
- c:\windows\system32\msfeedssync.exe [2011-07-14 04:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9df9b682-9c18-4a01-bac3-a265ca7cd866}"= "mscoree.dll" [2009-11-08 444752]
.
[HKEY_CLASSES_ROOT\CLSID\{9df9b682-9c18-4a01-bac3-a265ca7cd866}]
[HKEY_CLASSES_ROOT\EGToolbar.EGToolbar]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-09-04 07:00:20
ComboFix-quarantined-files.txt 2012-09-04 11:00
ComboFix2.txt 2012-09-04 02:54
ComboFix3.txt 2012-09-03 21:03
.
Pre-Run: 387,540,865,024 bytes free
Post-Run: 387,469,312,000 bytes free
.
- - End Of File - - 7E21B5D74C34A04A3379E27213536A7B

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:19 AM

Posted 04 September 2012 - 09:13 PM

Make sure your settings are correct.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol version 4 (TCP/IPv4), make sure it is checked, and then click Properties
6. Make sure Obtain an IP Address Automatically and Obtain DNS server address Automatically are checked.
7. Click on "Advanced" button and make sure "IP Settings" tab looks like this:
[screenshot: IP Settings tab]
Make sure "DNS" tab looks like this:
[screenshot: DNS tab]
Make sure "WINS" tab looks like this:
[screenshot: WINS tab]
8. Still in Control Panel double click on "Internet options" then "Connections" tab then "LAN Settings" button. Make sure "Automatically detect settings" is checked.
If you made any changes OK your way out.
Restart computer.

------------------------------------------------

If that doesn't work...
Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.

------------------------------------------

If that doesn't work, bypass router, and connect computer straight to the modem.

---------------------------------------------

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Restart computer.

-------------------------------------------------------

If that doesn't work...
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart computer.


----------------------------------------
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 mdrater2012
  • Topic Starter

  • Members
  • 29 posts
  • Local time:09:19 AM

Posted 05 September 2012 - 10:25 PM

Hello Gringo
Not able to get onto the Internet
All settings are set as noted
-------------
reset modem And routers - no effect
---------------
connected direct to modem - no effect
------------
with still connected to modem
entered CMDs as requested
--
CMD
c:\user\owner>...
ipconfig /flushdns
**** The requested operation requires elevation ****
ipconfig /registerdns
**** The requested operation requires elevation ****
ipconfig /release
**** The requested operation requires elevation ****
ipconfig /renew
**** An error occurred while renewing Local Area Connection: the support for the specified socket type does not exist ****
net stop "dns client"
**** System error 5 has occurred. Access denied ****
net start "dns client"
**** The requested operation requires elevation ****
- no effect

cmd
c:\user\owner>...
netsh int ip reset reset.log
**** Set Echo Request - Failed
**** The requested operation requires elevation ****

netsh winsock reset catalog
**** No user specification setting to be reset ****

This is wired to the router, not wireless

all other machines are working properly through router
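The command sequence from post #14, wrapped in a batch file as an added example (not code from either poster): it first checks that the prompt is elevated, since every step in post #15 failed with "requires elevation" when typed into a normal prompt, and it records each command's output and exit code to a log so the helper can see which step failed. The log file names (netreset.log, reset.log beside the script) are this example's own choice.

```batch
@echo off
REM Added example, not from the original thread: the network-reset
REM sequence from post #14 as one batch file. Post #15 shows every step
REM failing with "The requested operation requires elevation" when run
REM from a normal prompt, so the script refuses to start unless elevated.

REM "net session" only succeeds in an elevated (administrator) prompt.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must run from an elevated Command Prompt.
    echo Right-click cmd.exe, choose "Run as administrator", then run it again.
    exit /b 1
)

REM Log file name is this example's own choice; it lands next to the script.
set "LOG=%~dp0netreset.log"
echo ==== Network reset started %date% %time% ==== > "%LOG%"

REM Same order as post #14; each command's output and exit code go to the log.
call :run ipconfig /flushdns
call :run ipconfig /registerdns
call :run ipconfig /release
call :run ipconfig /renew
call :run net stop "dns client"
call :run net start "dns client"
call :run netsh int ip reset "%~dp0reset.log"
call :run netsh winsock reset catalog

echo Finished. Check "%LOG%" for any non-zero exit codes, then restart the computer.
exit /b 0

:run
REM Runs the command given as arguments, appending output and exit code to the log.
echo --- %* >> "%LOG%"
%* >> "%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
echo [exit code %RC%] %*
echo [exit code %RC%] >> "%LOG%"
exit /b %RC%
```

Save it as netreset.cmd and run it from an administrator Command Prompt; a non-zero exit code in netreset.log points at the step that needs attention.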



