
Windows 7 not genuine. FIXED that, still having issues.


  • This topic is locked
19 replies to this topic

#1 ThatguyT

ThatguyT

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 08 March 2013 - 05:59 PM

Hello all. First let me say my computer crashed over a year ago. I took it to a specialist I know, he actually installed a new motherboard for me & all. It is a Gateway model, but basically rebuilt. The original version of Windows had XP, he installed a GENUINE version of Microsoft Windows 7. 

 

I then somehow was infected by a virus around feb 25 or so of last month. It appeared in MBAM as Trojan.BHO  

I actually think the name of the BHO that gave me the trojan was VisualBee Toolbar, through google chrome.

 

Anyways, to make a long story short I tried to fix the issue myself. I uninstalled Chrome. I ran MBAM, ADW cleaner, ComboFix, and a variety of other programs. I then made some progress. I still was having a black background, with "This version of Windows is not Genuine" at the bottom right, build 7601. I had to pull some strings myself but I fixed that error. Now my computer is back to normal. I have my background again, the message is gone. I revalidated Windows through Microsoft's webpage and it was successful. 

 

I now though am still experiencing a couple issues. First, I remember seeing in Combofix previously a log with LOCKED registry keys. Some of them were suspicious to me, but I'm no expert. My computer runs smoothly now, but it seems to run with a lagging effect like I have too many programs going, except I have tons of free space on my drive and barely anything on this computer. I have a 298 GB HD, only using 22.1 gigs.

 

I also get popups sometimes in IE when using it, even though I like Chrome or Mozilla, that "Your movie player might be out of date! Please click here to update" with a Shockwave Flash message. It looks authentic, but I know it's a bad link/pop up. I get a Java one sometimes too. So, I am dealing with some sort of trojan BHO still.

 

I know the rules here state to not run any programs, BUT I already had done this prior to finding this website for help, so don't be too upset :-)

 

Any help would be appreciated! I will follow instructions to the T ;-)

 




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:24 PM

Posted 09 March 2013 - 09:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
IMPORTANT !!! Save ComboFix.exe to your Desktop
 
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.
 
How to : Disable Anti-virus and Firewall...
 
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall
 
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third party programs, if not up to date, can be the cause of infiltration and infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
 
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
 
Please post the logs for my review. Let me know what problem persists.


#3 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 10 March 2013 - 01:04 PM

Thanks Nasdaq! So my cpu is very slow in normal mode, and every few seconds programs will say (Not Responding) at the top for a few seconds, and then unfreeze for a few, then do it again lol. 

 

So, my question is, is it okay to run these scans in Safe mode w/ networking? It's hard to really do much in normal mode being it is so laggy/freezy. Meanwhile, while I'm waiting for your reply I am going to try and keep booting into normal mode, it worked yesterday so I should be able to get it going!

 

Will post all logs ASAP! Thanks for your help.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:24 PM

Posted 10 March 2013 - 01:31 PM

Yes try Safe mode with networking.

 

Post whatever log you can and I will take it from there.



#5 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 10 March 2013 - 04:03 PM

OK, ran in safe mode with networking as the computer freezes up during regular startup. Once it loads up I can't do much. It also takes around 7 minutes to fully load up, that's terrible.

 

 

COMBOFIX LOG.

 

ComboFix 13-03-10.02 - Travis 03/10/2013  14:42:04.6.1 - x64 NETWORK
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1918.1241 [GMT -5:00]
Running from: c:\users\Travis\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-10 to 2013-03-10  )))))))))))))))))))))))))))))))
.
.
2013-03-10 19:49 . 2013-03-10 19:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-10 06:43 . 2013-03-10 06:43 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3AF713AC-44C3-475F-970C-9CF368CBD91D}\offreg.dll
2013-03-09 12:04 . 2013-03-09 12:04 -------- d-----w- c:\users\UpdatusUser
2013-03-09 12:04 . 2013-03-09 12:04 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2013-03-09 11:27 . 2013-01-04 06:11 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2013-03-09 11:27 . 2013-01-04 06:11 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-03-09 11:27 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-03-09 11:27 . 2013-01-13 19:24 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2013-03-09 11:26 . 2013-01-13 19:02 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-03-09 11:26 . 2013-01-13 18:32 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-03-09 11:24 . 2013-01-13 19:37 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2013-03-09 11:00 . 2013-03-09 11:00 -------- d-----w- c:\users\Travis\AppData\Local\VirtualStore
2013-03-08 20:44 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3AF713AC-44C3-475F-970C-9CF368CBD91D}\mpengine.dll
2013-03-07 20:06 . 2013-03-07 20:06 -------- d-----w- C:\avast! sandbox
2013-03-07 19:58 . 2013-03-07 20:03 -------- d-----w- c:\users\Travis\AppData\Local\Google
2013-03-07 19:06 . 2013-03-07 19:07 2048 ----a-w- c:\windows\SysWow64\winver.exe
2013-03-07 19:06 . 2013-03-07 19:07 833024 ----a-w- c:\windows\SysWow64\user32.dll
2013-03-07 19:06 . 2013-03-07 19:06 410624 ----a-w- c:\windows\SysWow64\systemcpl.dll
2013-03-07 19:06 . 2013-03-07 19:06 113543 ----a-w- c:\windows\SysWow64\slmgr.vbs
2013-03-07 18:20 . 2013-03-07 18:20 -------- d-----w- C:\components
2013-03-07 18:17 . 2013-03-07 18:17 -------- d-----w- c:\programdata\4shared Desktop
2013-03-06 21:28 . 2013-03-06 21:28 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2013-03-06 21:06 . 2013-03-06 21:06 -------- d-----w- c:\users\Travis\AppData\Roaming\GlarySoft
2013-03-06 21:05 . 2013-03-06 21:05 -------- d-----w- c:\program files (x86)\Glarysoft
2013-03-06 20:55 . 2003-02-03 02:06 153088 ----a-w- c:\windows\SysWow64\unrar3.dll
2013-03-06 20:55 . 2002-03-06 07:00 75264 ----a-w- c:\windows\SysWow64\unacev2.dll
2013-03-06 20:55 . 2013-03-06 21:04 -------- d-----w- c:\users\Travis\AppData\Roaming\Simply Super Software
2013-03-06 20:55 . 2013-03-06 20:55 -------- d-----w- c:\programdata\Simply Super Software
2013-03-06 20:25 . 2013-03-06 20:25 -------- d-----w- C:\found.000
2013-03-06 17:09 . 2013-03-06 17:09 -------- d-----w- c:\programdata\Office Genuine Advantage
2013-03-06 04:07 . 2013-03-06 11:06 -------- d-----w- c:\programdata\PCPitstop
2013-03-06 04:07 . 2013-03-06 10:36 -------- d-----w- c:\program files (x86)\PCPitstop
2013-03-06 02:07 . 2013-03-06 02:07 -------- d-----w- c:\users\Travis\AppData\Roaming\Malwarebytes
2013-03-06 02:06 . 2013-03-06 02:06 -------- d-----w- c:\programdata\Malwarebytes
2013-03-06 02:06 . 2013-03-06 02:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-06 02:06 . 2012-12-14 22:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-06 02:06 . 2013-03-06 02:06 -------- d-----w- c:\users\Travis\AppData\Local\Programs
2013-03-06 01:14 . 2013-03-06 01:14 -------- d-----w- c:\users\Travis\AppData\Roaming\SpeedyPC Software
2013-03-06 01:14 . 2013-03-06 01:14 -------- d-----w- c:\users\Travis\AppData\Roaming\DriverCure
2013-03-06 01:13 . 2013-03-06 01:13 -------- d-----w- c:\program files (x86)\Common Files\SpeedyPC Software
2013-03-06 01:12 . 2013-03-06 01:13 -------- d-----w- c:\programdata\SpeedyPC Software
2013-03-06 01:12 . 2013-03-06 01:12 -------- d-----w- c:\program files (x86)\SpeedyPC Software
2013-03-06 00:55 . 2013-03-06 00:55 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-06 00:53 . 2013-03-06 00:53 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-06 00:52 . 2013-03-06 00:52 -------- d-----w- c:\program files (x86)\Java
2013-03-06 00:15 . 2013-03-06 23:33 33400 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-06 00:15 . 2013-03-06 23:33 377920 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-06 00:15 . 2013-03-06 23:33 70992 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-06 00:15 . 2013-03-06 23:33 68920 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-06 00:15 . 2013-03-06 23:33 1025808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-06 00:14 . 2013-03-06 23:33 178624 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-06 00:14 . 2013-03-06 23:33 65336 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-06 00:14 . 2013-03-06 23:33 80816 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-06 00:12 . 2013-03-06 23:32 41664 ----a-w- c:\windows\avastSS.scr
2013-03-06 00:08 . 2013-03-06 00:08 -------- d-----w- c:\windows\SysWow64\Adobe
2013-02-13 09:03 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 09:03 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 09:00 . 2013-01-09 01:22 10925568 ----a-w- c:\windows\system32\ieframe.dll
2013-02-13 04:32 . 2013-01-05 05:53 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 04:32 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 04:32 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 04:32 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-02-13 04:32 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-02-13 04:32 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-02-13 04:32 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-02-13 04:32 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-02-13 04:32 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-02-13 04:32 . 2013-01-04 03:26 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 04:32 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 04:32 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-10 08:18 . 2013-02-10 08:18 -------- d-----w- c:\programdata\VisualBee
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-06 23:32 . 2012-01-27 15:18 287840 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-06 10:38 . 2011-06-11 07:58 770384 ----a-w- c:\windows\SysWow64\msvcr100.dll
2013-03-06 10:38 . 2011-06-11 07:58 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
2013-03-06 00:52 . 2012-07-19 22:45 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-06 00:52 . 2012-07-19 22:45 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-27 17:21 . 2012-04-20 07:58 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-27 17:21 . 2012-01-30 22:02 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-20 04:32 . 2009-07-13 21:59 18376008 ----a-w- c:\windows\system32\nvd3dumx.dll
2013-02-20 04:32 . 2010-07-10 13:38 2752880 ----a-w- c:\windows\system32\nvapi64.dll
2013-02-13 09:12 . 2012-01-27 15:21 70004024 ----a-w- c:\windows\system32\MRT.exe
2013-01-31 09:25 . 2010-07-09 22:27 6207776 ----a-w- c:\windows\system32\nvcpl.dll
2013-01-31 09:25 . 2010-07-09 22:27 3300640 ----a-w- c:\windows\system32\nvsvc64.dll
2013-01-31 09:24 . 2010-07-09 22:27 878368 ----a-w- c:\windows\system32\nvvsvc.exe
2013-01-31 09:24 . 2010-07-10 00:27 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-01-31 09:24 . 2010-07-09 22:27 118560 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-31 09:24 . 2009-07-08 19:01 2558240 ----a-w- c:\windows\system32\nvsvcr.dll
2013-01-17 07:28 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-13 04:32 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-12-16 17:11 . 2012-12-21 09:01 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 09:01 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:01 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 09:01 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\erdnt\cache64\user32.dll
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2010-11-21 . E573BD9AB55C8E333C202B9E255F972E . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2013-03-07 . 2C9CC9F492CA596B1B9FC1AE5E916356 . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\erdnt\cache86\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2010-03-17 2371584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Z1"="c:\users\Travis\Desktop\mbar\mbar.exe" [2013-02-16 1363016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R0 szkg5;szkg5;c:\windows\SySWOW64\DRIVERS\szkg64.sys [x]
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS64.sys [2009-06-18 14136]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-03-03 1301504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-27 1255736]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-07 20:02 1630672 ----a-w- c:\program files (x86)\Google\Chrome\Application\25.0.1364.152\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 17:21]
.
2013-02-20 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2013-02-06 12:44]
.
2013-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-03-07 19:54]
.
2013-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-03-07 19:54]
.
2013-03-09 c:\windows\Tasks\SpeedyPC Pro.job
- c:\program files (x86)\SpeedyPC Software\SpeedyPC\SpeedyPC.exe [2013-01-02 22:59]
.
2013-03-09 c:\windows\Tasks\SpeedyPC Registration3.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2013-03-10 c:\windows\Tasks\SpeedyPC Update Version3 Startup Task.job
- c:\program files (x86)\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe [2013-01-02 22:59]
.
2013-03-06 c:\windows\Tasks\SpeedyPC Update Version3.job
- c:\program files (x86)\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe [2013-01-02 22:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{8C6F032E-6B1B-4B4F-8EB6-80E3114824EF} - (no file)
Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-10  14:56:07
ComboFix-quarantined-files.txt  2013-03-10 19:56
ComboFix2.txt  2013-03-07 20:49
ComboFix3.txt  2013-03-06 23:02
ComboFix4.txt  2013-03-06 20:47
ComboFix5.txt  2013-03-10 19:39
.
Pre-Run: 294,301,016,064 bytes free
Post-Run: 294,248,476,672 bytes free
.
- - End Of File - - 9CE48CAF275E275CDC4AA23666C03686

 

 

 

SECURITY CHECK LOG:

 

 

 Results of screen317's Security Check version 0.99.60 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:`````````````
 Windows Security Center service is not running! This report may not be accurate! - (I'm guessing due to being in safe mode)
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100 
 JavaFX 2.1.1   
 Java 7 Update 17 
 Java version out of Date!
 Adobe Reader 10.1.6 Adobe Reader out of Date!
 Google Chrome 25.0.1364.152 
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 
````````````````````End of Log``````````````````````

AdwCleaner Log:

 

 

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

-\\ Google Chrome v25.0.1364.152

File : C:\Users\Travis\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R10].txt - [1629 octets] - [08/03/2013 17:24:10]
AdwCleaner[R11].txt - [1690 octets] - [09/03/2013 06:02:50]
AdwCleaner[R12].txt - [1754 octets] - [10/03/2013 13:21:59]
AdwCleaner[R13].txt - [865 octets] - [10/03/2013 15:41:49]
AdwCleaner[R2].txt - [2015 octets] - [06/03/2013 04:27:13]
AdwCleaner[R3].txt - [913 octets] - [06/03/2013 04:40:25]
AdwCleaner[R4].txt - [1350 octets] - [06/03/2013 05:31:07]
AdwCleaner[R5].txt - [1237 octets] - [06/03/2013 15:12:50]
AdwCleaner[R6].txt - [1298 octets] - [06/03/2013 15:30:33]
AdwCleaner[R7].txt - [1225 octets] - [06/03/2013 17:05:05]
AdwCleaner[R8].txt - [1305 octets] - [06/03/2013 17:35:36]
AdwCleaner[R9].txt - [1936 octets] - [07/03/2013 14:27:28]
AdwCleaner[S2].txt - [2078 octets] - [06/03/2013 04:27:53]
AdwCleaner[S3].txt - [972 octets] - [06/03/2013 04:40:59]
AdwCleaner[S4].txt - [1389 octets] - [06/03/2013 05:34:28]
AdwCleaner[S5].txt - [342 octets] - [06/03/2013 15:14:04]
AdwCleaner[S6].txt - [323 octets] - [06/03/2013 17:37:16]
AdwCleaner[S7].txt - [2051 octets] - [07/03/2013 14:28:10]
AdwCleaner[S8].txt - [1814 octets] - [10/03/2013 13:22:27]

########## EOF - C:\AdwCleaner[R13].txt - [1821 octets] ##########

Also, last night Malwarebytes quarantined two files, named Backdoor.0Access. It said the location of the threat was two folders located here:

C:\Windows\Installer\{a84c3414-bf51-be49-040b-52d3aa3a94ac}\L

C:\Windows\Installer\{a84c3414-bf51-be49-040b-52d3aa3a94ac}\U

Attached Files


Edited by ThatguyT, 11 March 2013 - 07:29 AM.


#6 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 10 March 2013 - 04:56 PM

I'm a dummy, didn't realize I could attach files. I have a ComboFix Quarantined Files log also, check it out, I'll attach it here!

 

 

Oh, and also these were the two original Virus names and files that caused my problem, and many more stemmed from these. MBAM detected these on 3/05/2013

 


Registry Keys Detected: 2
HKCR\AppID\{186E19A3-B909-4F48-B687-BB81EB8BC7CE} (Trojan.BHO) -> Quarantined and deleted successfully.
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{625F420E-A4A9-4B40-BC23-716C1C43893A} (Adware.Adurr) -> Quarantined and deleted successfully

 

 

Also on 3/08/2013 MBAM detected the following as well.

 


Files Detected: 2
C:\Qoobox\Quarantine\C\Windows\Installer\{a84c3414-bf51-be49-040b-52d3aa3a94ac}\U\000000cb.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

Attached Files


Edited by ThatguyT, 10 March 2013 - 05:22 PM.
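The three things a helper would actually check in the logs posted in the two replies above (the Sigcheck block and LOCKED REGISTRY KEYS section of the ComboFix log, and the MBAM Rootkit.0Access paths), as an added example that is not code from this thread, from ComboFix or from BleepingComputer. It parses an excerpt copied from the posted log and reports: live files under system32/SysWOW64 whose MD5 differs from ComboFix's reference copies of the same file; any line with the Windows\Installer\{GUID}\U or \L layout that MBAM reported; and each @Denied key resolved to the COM server binary its subkey names. Assumptions, also marked in comments: the winsxs and erdnt\cache copies are taken as the reference (they are the ones ComboFix tagged [7]), and the \U \L folder pattern is lifted from the posts, not from a general signature. A hash mismatch is a question to put to the poster, not a verdict on its own.

```python
import re
from typing import Dict, List

# Excerpt copied from the ComboFix log posted above: the Sigcheck block, the
# header of the next section, and three of the LOCKED REGISTRY KEYS entries.
SAMPLE_LOG = r"""------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\erdnt\cache64\user32.dll
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2010-11-21 . E573BD9AB55C8E333C202B9E255F972E . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2013-03-07 . 2C9CC9F492CA596B1B9FC1AE5E916356 . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\erdnt\cache86\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
"""
# The three MBAM detection lines quoted in the two posts above.
MBAM_LINES = r"""C:\Qoobox\Quarantine\C\Windows\Installer\{a84c3414-bf51-be49-040b-52d3aa3a94ac}\U\000000cb.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a84c3414-bf51-be49-040b-52d3aa3a94ac}\L
"""

SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\.\s+(?P<path>\S.*)$")
# Assumption: the WinSxS store and ComboFix's erdnt cache hold the reference copies
# (they are the entries ComboFix tagged [7]); a live copy should hash the same.
REFERENCE_RE = re.compile(r"\\(winsxs|erdnt\\cache\d*)\\", re.I)
# Folder layout MBAM reported for the Rootkit.0Access hits: \U and \L under
# C:\Windows\Installer\{GUID}. Taken from the posts, not a general signature.
ZEROACCESS_RE = re.compile(r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\[ul](\\|$)", re.I)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
SERVER_RE = re.compile(r"\\(LocalServer32|InprocServer32)$", re.I)


def parse_sigcheck(log: str) -> List[List[dict]]:
    """Split the Sigcheck section into per-file groups (ComboFix separates them with '.' lines)."""
    groups, current, in_section = [], [], False
    for line in log.splitlines():
        if line.startswith("------- Sigcheck"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("((((("):          # first line of the next section
            break
        m = SIGCHECK_RE.match(line)
        if m:
            e = m.groupdict()
            e["md5"], e["size"] = e["md5"].upper(), int(e["size"])
            current.append(e)
        elif line.strip() == "." and current:
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return groups


def hash_mismatches(log: str) -> List[dict]:
    """Live files whose MD5 matches none of the reference copies in their group."""
    findings = []
    for group in parse_sigcheck(log):
        refs = {e["md5"] for e in group if REFERENCE_RE.search(e["path"])}
        for e in group:
            if refs and not REFERENCE_RE.search(e["path"]) and e["md5"] not in refs:
                findings.append({"path": e["path"], "date": e["date"],
                                 "md5": e["md5"], "expected": sorted(refs)})
    return findings


def zeroaccess_paths(text: str) -> List[str]:
    """Lines that mention a Windows\\Installer\\{GUID}\\U or \\L path."""
    return [ln.strip() for ln in text.splitlines() if ZEROACCESS_RE.search(ln)]


def locked_key_servers(log: str) -> Dict[str, str]:
    """Map each @Denied key to the COM server binary its LocalServer32/InprocServer32 subkey names."""
    denied, servers, key = set(), {}, None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
        elif key and line.startswith("@Denied:"):
            denied.add(key)
        elif key and line.startswith('@="') and SERVER_RE.search(key):
            # regedit-style export: strip @=" ... " and unescape doubled backslashes
            servers[SERVER_RE.sub("", key)] = line[3:-1].replace("\\\\", "\\")
    return {k: servers.get(k, "(no server subkey)") for k in sorted(denied)}
```

On the excerpt both live copies of user32.dll are reported, and the SysWOW64 one carries the 2013-03-07 date that also appears against user32.dll and slmgr.vbs in the Files Created list further up the same log. Both locked CLSIDs resolve to Flash Player's own broker and ActiveX binaries under Macromed\Flash, and the PCW\Security key has no server subkey at all, which is the kind of answer that settles the "suspicious locked keys" worry from the first post.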


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:24 PM

Posted 11 March 2013 - 08:51 AM

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop. 
 
 
Quit all running programs.
 
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
 
Click Scan to scan the system. 
When the scan completes > Close out the program > Don't Fix anything!
 
Don't run any other options, they're not all bad!!!!!!!
 
Post back the report which should be located on your desktop.
====
 

  • Download to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users.
  • Under the Custom Scan box, paste the text below:
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT
 
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs.
 


#8 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 11 March 2013 - 10:19 AM

Alright, Done.

Attached Files



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:24 PM

Posted 11 March 2013 - 01:48 PM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these items below and uncheck the rest (if found):
 
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
 
Now click Delete on the right hand column under Options
 
Post back the report which should be located on your desktop.
===
 
Download "http://public.avast.com/~gmerek/aswMBR.exe" (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it 
 
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat.  Right click that file and select Send To>Compressed (zipped) folder.  Please attach that zipped file in your next reply.
 
Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.
===
 
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#10 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 11 March 2013 - 03:18 PM

The Rogue killer scan is taking forever this time, will be with you ASAP with all of the information.



#11 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 11 March 2013 - 07:12 PM

Alrighty here we go.

 

 

And the Farbar Service Scanner LOG Below:

 

 

Farbar Service Scanner Version: 03-03-2013
Ran by Travis (administrator) on 11-03-2013 at 19:08:54
Running from "C:\Users\Travis\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Network
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
 
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.
 
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
 
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

Attached Files
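The Farbar Service Scanner log above is read by hand in this thread: a service that is "not running" with all three configuration checks "OK" is usually just a stopped on-demand service, while a start type that differs from its default (BITS set to Demand instead of Auto) or a system file whose MD5 is not legit is what actually deserves attention. The following parser is an added example, not code from the thread or from the Farbar tool; it works on a constructed log in the same layout as the one posted, and the "MD5 is not legit" line is an assumed wording used only to exercise the file-check branch (the parser treats any verdict other than "MD5 is legit" as suspect, so FSS's real mismatch wording does not matter).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of a Farbar Service Scanner (FSS) log.
# Service names and phrasing follow the log posted in the thread; the
# "MD5 is not legit" line is an assumed mismatch wording (not from the page).
SAMPLE_FSS_LOG = """\
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\\Windows\\System32\\wuaueng.dll => MD5 is legit
C:\\Windows\\System32\\qmgr.dll => MD5 is legit
C:\\Windows\\System32\\svchost.exe => MD5 is not legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE_CHANGED = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
CONFIG_OK = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\S+) service is OK\.")
FILE_CHECK = re.compile(r"^(.+?) => (.+)$")


@dataclass
class ServiceStatus:
    running: bool = True
    start_type: Optional[Tuple[str, str]] = None  # (actual, default) when changed
    config_ok: List[str] = field(default_factory=list)


def parse_fss(text: str) -> Tuple[Dict[str, ServiceStatus], Dict[str, str]]:
    """Parse the per-service blocks and the File Check section of an FSS log."""
    services: Dict[str, ServiceStatus] = {}
    files: Dict[str, str] = {}
    in_file_check = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "File Check:":
            in_file_check = True
            continue
        if in_file_check:
            m = FILE_CHECK.match(line)
            if m:
                files[m.group(1)] = m.group(2)
            continue
        if m := NOT_RUNNING.match(line):
            services.setdefault(m.group(1), ServiceStatus()).running = False
        elif m := START_TYPE_CHANGED.match(line):
            services.setdefault(m.group(1), ServiceStatus()).start_type = (m.group(2), m.group(3))
        elif m := CONFIG_OK.match(line):
            services.setdefault(m.group(2), ServiceStatus()).config_ok.append(m.group(1))
    return services, files


def triage(services: Dict[str, ServiceStatus], files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Rank findings: failed hash checks and changed start types outrank a merely stopped service."""
    findings: List[Tuple[str, str]] = []
    for name, st in services.items():
        if st.start_type:
            actual, default = st.start_type
            findings.append(("WARN", f"{name}: start type {actual}, default {default}; restore default and re-check"))
        elif not st.running:
            findings.append(("INFO", f"{name}: not running, configuration OK (normal for on-demand services)"))
    for path, verdict in files.items():
        if verdict != "MD5 is legit":
            findings.append(("HIGH", f"{path}: {verdict}; verify against a known-good copy (sfc /scannow)"))
    order = {"HIGH": 0, "WARN": 1, "INFO": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    svc, fc = parse_fss(SAMPLE_FSS_LOG)
    for severity, msg in triage(svc, fc):
        print(f"[{severity}] {msg}")
```

Run against the log actually posted in this thread, the only WARN would be the BITS start type; every other service block has all checks OK and every file in the File Check section is reported as legit, which is consistent with the helper's later advice to look elsewhere (virtual memory, an on-line scan) for the freezing.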



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:24 PM

Posted 12 March 2013 - 09:05 AM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these items below and uncheck the rest (if found):
 
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
 
Now click Delete on the right hand column under Options
 
Post back the report which should be located on your desktop.
===
 
I'm not sure if this script will improve the performance. It will remove the empty service keys.
 
Open notepad and copy/paste the text in the quote box below into it:
 
Driver::
szkg5
aswSnx
aswSP
aswFsBlk
aswRvrt
aswVmm
 
 
Save this as CFScript.txt on your desktop.
 
CFScriptB-4.gif
 
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===
 
Please download this AVAST Uninstall Utility and run it.
 
===
If still no joy, then run sfc.exe:
How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
===
 
 
 


#13 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 12 March 2013 - 01:41 PM

Hello Nasdaq, good day to you!

 

I ran RogueKiller. I was able to find the key with this value:

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

 

I deleted that one.

 

I was however UNABLE to find the key with this value:

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

 

1) Just a question, why did I uninstall Avast? I normally use this for my antivirus software. Something to do with getting rid of all infected files?

 

Also, my machine is now started in Normal mode and running faster than it has in a while, but it is still freezing up every so often for a few seconds at a time when navigating between browsers and programs. How's my memory? I am thinking it is okay, as my computer has barely anything on it!

 

Next I will run Sfc.exe

 

Here are LOGS! :)

 

EDIT: I have used the system file checker before about a week ago, but am doing it again anyways per your request, as it can't hurt to do!

 

EDIT: Ran SFC and it said it found damaged files, some of which could not be repaired. Then the computer had trouble starting up in normal AND safe mode after the restart, freezing during safe mode load up. I finally got it after an hour. I have a log of the sfc.exe scan, however it is too large to post as it's 820 KB.

 

I can't copy & paste it either, too long, LOL.

 

 

 

Attached Files


Edited by ThatguyT, 12 March 2013 - 05:16 PM.


#14 ThatguyT

ThatguyT
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 12 March 2013 - 05:18 PM

So basically the problem still persists, any more ideas? Some sort of rootkit, or maybe damaged files. Not quite sure. I appreciate all of the help thus far though!



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,531 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:24 PM

Posted 13 March 2013 - 08:30 AM

1) Just a question, why did I uninstall Avast? I normally use this for my antivirus software. Something to do with getting rid of all infected files?
 
ComboFix is only showing Windows Defender. Not normal. 
 
===
 
Increase your virtual memory, it may help.
 
===
 
If that does not solve the temp freezing issue run this on-line scan.
 
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png





