
Antivirus won't run in safe mode


5 replies to this topic

#1 Evolverman

Evolverman

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 08 September 2014 - 05:56 AM

Hi

 

I downloaded a dodgy file last week. Afterwards my antivirus (Vodafone PC Protection) wouldn't run normally or in safe mode. Neither would AVG or Malwarebytes. Before Malwarebytes stopped its scan I glimpsed a message saying something like boot files hidden.

 

I decided to reinstall OS using drive partition.

 

Everything seemed fine until yesterday when I found a message saying the laptop had just recovered from a blue screen crash. Then this morning everything froze on startup. 

 

I can currently boot in safe mode but I can't run the antivirus.

 

I've just run Kaspersky TDSSKiller in safe mode and when I included 'Loaded Modules' among objects to scan it reboots to normal, bypassing safe mode, then freezes at 75% installation of the Kaspersky utility. I can't copy and paste the report.

 

I guess my partition drive must have been infected as well. Any help would be greatly appreciated.

 

 

Evolver

Edited by hamluis, Today, 07:46 AM.
Moved from Win 7 to Am I Infected - Hamluis.

 

Moderator Edit: Moved from the AII forum to the Malware Logs forum Due to Combofix Log

Roger


Edited by rotor123, 08 September 2014 - 02:21 PM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 Evolverman

Evolverman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 08 September 2014 - 01:47 PM

Have removed PUP.Optional.Conduit via MWB and a ton of trackers via Hitman Pro but the AV still won't open. 



#3 Evolverman

Evolverman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 08 September 2014 - 01:50 PM

Just ran McAfee Rootkit Remover. 

 

Received

"WARNING: Unable to load kernel-mode driver"

 

but also "No trojan or viruses found!"



#4 Evolverman

Evolverman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 08 September 2014 - 02:11 PM

I uninstalled the antivirus in order to run ComboFix.exe. The log it produced is attached.

 

ComboFix 14-09-05.01 - Matthew 08/09/2014  20:00:39.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.353.1033.18.3894.2841 [GMT 1:00]
Running from: c:\users\Matthew\Downloads\ComboFix.exe
AV: Computer Security *Enabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
SP: Computer Security *Enabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-08 to 2014-09-08  )))))))))))))))))))))))))))))))
.
.
2014-09-08 19:06 . 2014-09-08 19:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-08 18:43 . 2014-09-08 18:43 12872 ----a-w- c:\windows\system32\bootdelete.exe
2014-09-08 18:36 . 2014-09-08 18:36 -------- d-----w- c:\program files\HitmanPro
2014-09-08 18:36 . 2014-09-08 18:44 -------- d-----w- c:\programdata\HitmanPro
2014-09-08 18:14 . 2014-09-08 18:15 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-08 18:14 . 2014-05-12 06:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-08 18:14 . 2014-05-12 06:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-08 18:14 . 2014-05-12 06:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-08 18:14 . 2014-09-08 18:14 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-09-08 18:14 . 2014-09-08 18:14 -------- d-----w- c:\programdata\Malwarebytes
2014-09-08 11:45 . 2014-09-08 11:45 241248 ----a-w- c:\windows\system32\drivers\68608752.sys
2014-09-06 21:49 . 2014-09-06 21:49 -------- d-----w- c:\program files (x86)\VideoLAN
2014-09-02 20:51 . 2014-09-08 18:23 -------- d-----w- c:\program files (x86)\SamsungPrinterLiveUpdateInstaller
2014-09-02 20:51 . 2014-09-08 18:23 -------- d-----w- c:\programdata\Samsung
2014-09-02 09:51 . 2014-09-02 09:51 -------- d-----w- c:\programdata\Vodafone
2014-09-01 13:45 . 2014-09-01 13:45 -------- d-----w- c:\program files (x86)\MSECache
2014-09-01 11:57 . 2014-09-01 11:57 -------- d-----w- c:\program files (x86)\DS Development
2014-09-01 11:55 . 2014-09-01 11:57 -------- d-----w- c:\programdata\DS Development
2014-09-01 09:49 . 2011-02-25 06:19 2871808 ----a-w- c:\windows\explorer.exe
2014-09-01 09:49 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\SysWow64\explorer.exe
2014-09-01 09:49 . 2013-11-23 18:26 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2014-09-01 09:49 . 2013-11-23 17:47 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2014-09-01 09:49 . 2013-12-24 23:09 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2014-09-01 09:49 . 2013-12-24 22:48 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2014-09-01 09:47 . 2014-07-25 13:11 51200 ----a-w- c:\windows\system32\jsproxy.dll
2014-09-01 09:44 . 2014-02-04 02:32 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-09-01 09:44 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-09-01 09:44 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2014-09-01 09:44 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2014-09-01 09:21 . 2014-09-01 09:22 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2014-09-01 03:30 . 2013-05-10 05:56 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2014-09-01 03:30 . 2013-05-10 04:30 167424 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2014-09-01 03:30 . 2013-05-10 03:48 164864 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
2014-09-01 03:30 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\SysWow64\wmploc.DLL
2014-09-01 03:30 . 2013-05-10 05:56 14631424 ----a-w- c:\windows\system32\wmp.dll
2014-09-01 03:12 . 2014-09-01 03:12 -------- d-----w- c:\windows\Migration
2014-09-01 02:57 . 2013-10-14 17:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
2014-09-01 02:46 . 2014-09-01 02:46 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-09-01 00:25 . 2014-03-09 21:48 171160 ----a-w- c:\windows\system32\infocardapi.dll
2014-09-01 00:25 . 2014-03-09 21:48 1389208 ----a-w- c:\windows\system32\icardagt.exe
2014-09-01 00:25 . 2014-03-09 21:47 99480 ----a-w- c:\windows\SysWow64\infocardapi.dll
2014-09-01 00:25 . 2014-03-09 21:47 619672 ----a-w- c:\windows\SysWow64\icardagt.exe
2014-09-01 00:25 . 2014-06-30 22:24 8856 ----a-w- c:\windows\system32\icardres.dll
2014-09-01 00:25 . 2014-06-30 22:14 8856 ----a-w- c:\windows\SysWow64\icardres.dll
2014-09-01 00:25 . 2014-06-06 06:16 35480 ----a-w- c:\windows\SysWow64\TsWpfWrp.exe
2014-09-01 00:25 . 2014-06-06 06:12 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-08-31 12:22 . 2013-10-30 02:32 335360 ----a-w- c:\windows\system32\msieftp.dll
2014-08-31 12:22 . 2013-10-30 02:19 301568 ----a-w- c:\windows\SysWow64\msieftp.dll
2014-08-31 12:22 . 2014-01-28 02:32 228864 ----a-w- c:\windows\system32\wwansvc.dll
2014-08-31 12:22 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll
2014-08-31 12:21 . 2013-07-04 12:50 633856 ----a-w- c:\windows\system32\comctl32.dll
2014-08-31 12:21 . 2013-07-04 11:50 530432 ----a-w- c:\windows\SysWow64\comctl32.dll
2014-08-31 12:21 . 2014-04-25 02:34 801280 ----a-w- c:\windows\system32\usp10.dll
2014-08-31 12:21 . 2014-04-25 02:06 626688 ----a-w- c:\windows\SysWow64\usp10.dll
2014-08-31 12:20 . 2013-10-19 02:18 81408 ----a-w- c:\windows\system32\imagehlp.dll
2014-08-31 12:20 . 2013-10-19 01:36 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2014-08-31 12:20 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2014-08-31 12:20 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2014-08-31 12:20 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2014-08-31 12:20 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2014-08-31 12:19 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2014-08-31 12:19 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2014-08-31 12:17 . 2014-06-03 10:02 1354240 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2014-08-31 12:17 . 2014-06-03 09:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2014-08-31 12:16 . 2013-10-05 20:25 1474048 ----a-w- c:\windows\system32\crypt32.dll
2014-08-31 12:16 . 2013-10-05 19:57 1168384 ----a-w- c:\windows\SysWow64\crypt32.dll
2014-08-31 12:16 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2014-08-31 12:16 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2014-08-31 12:16 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2014-08-31 12:16 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2014-08-31 12:12 . 2014-01-29 02:32 484864 ----a-w- c:\windows\system32\wer.dll
2014-08-31 12:12 . 2014-01-29 02:06 381440 ----a-w- c:\windows\SysWow64\wer.dll
2014-08-31 12:12 . 2014-04-05 02:47 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-08-31 12:12 . 2014-04-05 02:47 288192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2014-08-31 12:12 . 2013-11-26 11:40 376768 ----a-w- c:\windows\system32\drivers\netio.sys
2014-08-31 12:11 . 2014-03-26 14:44 1882112 ----a-w- c:\windows\system32\msxml3.dll
2014-08-31 12:11 . 2014-03-26 14:44 2002432 ----a-w- c:\windows\system32\msxml6.dll
2014-08-31 12:11 . 2014-03-26 14:27 1389056 ----a-w- c:\windows\SysWow64\msxml6.dll
2014-08-31 12:11 . 2014-03-26 14:27 1237504 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-08-31 12:11 . 2014-03-26 14:25 2048 ----a-w- c:\windows\SysWow64\msxml6r.dll
2014-08-31 12:11 . 2014-03-26 14:41 2048 ----a-w- c:\windows\system32\msxml6r.dll
2014-08-31 12:11 . 2014-03-26 14:41 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-08-31 12:11 . 2014-03-26 14:25 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2014-08-31 12:09 . 2013-10-04 02:16 116736 ----a-w- c:\windows\system32\drivers\drmk.sys
2014-08-31 12:09 . 2013-10-04 01:36 230400 ----a-w- c:\windows\system32\drivers\portcls.sys
2014-08-31 12:09 . 2014-06-18 02:19 449024 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tabskb.dll
2014-08-31 12:09 . 2014-06-18 02:18 692736 ----a-w- c:\windows\system32\osk.exe
2014-08-31 12:09 . 2014-06-18 01:51 646144 ----a-w- c:\windows\SysWow64\osk.exe
2014-08-31 12:08 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2014-08-31 12:08 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2014-08-31 12:08 . 2013-05-27 05:50 571904 ----a-w- c:\program files\Windows Defender\MpClient.dll
2014-08-31 12:08 . 2013-05-27 05:50 314880 ----a-w- c:\program files\Windows Defender\MpCommu.dll
2014-08-31 12:08 . 2013-05-27 04:57 392704 ----a-w- c:\program files (x86)\Windows Defender\MpClient.dll
2014-08-31 12:08 . 2013-05-27 04:57 54784 ----a-w- c:\program files (x86)\Windows Defender\MpOAV.dll
2014-08-31 12:08 . 2013-05-27 03:15 9216 ----a-w- c:\program files (x86)\Windows Defender\MpAsDesc.dll
2014-08-31 12:08 . 2013-05-27 04:57 4608 ----a-w- c:\program files (x86)\Windows Defender\MsMpLics.dll
2014-08-31 12:06 . 2013-03-31 22:52 1887232 ----a-w- c:\windows\system32\d3d11.dll
2014-08-31 12:06 . 2013-04-25 23:30 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
2014-08-31 12:06 . 2013-06-25 22:55 785624 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2014-08-31 12:05 . 2013-07-12 10:41 185344 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2014-08-31 12:05 . 2013-07-12 10:41 100864 ----a-w- c:\windows\system32\drivers\usbcir.sys
2014-08-31 12:05 . 2013-11-27 01:41 53248 ----a-w- c:\windows\system32\drivers\usbehci.sys
2014-08-31 12:05 . 2013-11-27 01:41 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2014-08-31 12:05 . 2013-11-27 01:41 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
2014-08-31 12:05 . 2013-11-27 01:41 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2014-08-31 12:05 . 2013-11-27 01:41 7808 ----a-w- c:\windows\system32\drivers\usbd.sys
2014-08-31 12:05 . 2013-11-27 01:41 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2014-08-31 12:05 . 2013-11-27 01:41 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2014-08-31 12:03 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2014-08-31 12:03 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2014-08-31 12:02 . 2013-07-25 09:25 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL
2014-08-31 12:02 . 2013-07-25 08:57 1620992 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2014-08-31 12:02 . 2014-05-30 06:45 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2014-08-31 12:01 . 2012-10-03 17:44 216576 ----a-w- c:\windows\system32\ncsi.dll
2014-08-31 12:01 . 2012-10-03 17:44 246272 ----a-w- c:\windows\system32\netcorehc.dll
2014-08-31 12:01 . 2012-10-03 17:42 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
2014-08-31 12:01 . 2012-10-03 16:42 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
2014-08-31 12:01 . 2012-10-03 17:44 303104 ----a-w- c:\windows\system32\nlasvc.dll
2014-08-31 12:01 . 2012-10-03 16:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
2014-08-31 12:01 . 2012-01-13 07:12 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll
2014-08-31 12:01 . 2012-10-03 16:07 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2014-08-31 12:01 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll
2014-08-31 12:01 . 2012-10-03 17:44 18944 ----a-w- c:\windows\system32\netevent.dll
2014-08-31 12:01 . 2012-10-03 16:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll
2014-08-31 12:00 . 2013-07-03 04:05 76800 ----a-w- c:\windows\system32\drivers\hidclass.sys
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-31 08:37 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2014-08-31 08:37 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"GoogleChromeAutoLaunch_1DCACA8C0EC1716DD73D162837173624"="c:\program files (x86)\Google\Chrome\Application\chrome.exe" [2014-08-28 852808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-07-02 602680]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2010-06-02 61112]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe" [2014-05-12 54072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R0 72441579;72441579;c:\windows\system32\drivers\56501189.sys;c:\windows\SYSNATIVE\drivers\56501189.sys [x]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe;c:\program files\Motorola\Bluetooth\obexsrv.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe;c:\windows\SYSNATIVE\ezSharedSvcHost.exe [x]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
R2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe [x]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [x]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R3 44049676;44049676;c:\windows\system32\drivers\68608752.sys;c:\windows\SYSNATIVE\drivers\68608752.sys [x]
R3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [x]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe;c:\program files\Motorola\Bluetooth\audiosrv.exe [x]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\system32\Drivers\btmcom.sys;c:\windows\SYSNATIVE\Drivers\btmcom.sys [x]
R3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys;c:\windows\SYSNATIVE\Drivers\btmusb.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 MFE_RR;MFE_RR;c:\users\Matthew\AppData\Local\Temp\mfe_rr.sys;c:\users\Matthew\AppData\Local\Temp\mfe_rr.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
S4 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys;c:\windows\SYSNATIVE\Drivers\fsbts.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 18:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-08-29 16:42 1096520 ----a-w- c:\program files (x86)\Google\Chrome\Application\37.0.2062.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-08-29 16:38]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-08-29 16:38]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BTMTrayAgent"="c:\program files\Motorola\Bluetooth\btmshell.dll" [2010-06-10 24783624]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-03-13 6234144]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 415256]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{bd707fe6-39f6-4bda-9265-86a76719bdc5} - c:\program files\Motorola\Bluetooth\btmiesend.htm
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
SafeBoot-44049676.sys
SafeBoot-53741668.sys
SafeBoot-72441579.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-NIS - c:\program files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\18.0.0.128\InstStub.exe
AddRemove-{FC17E0A7-EAA9-4902-92F8-C83B9FD02246} - c:\program files (x86)\InstallShield Installation Information\{FC17E0A7-EAA9-4902-92F8-C83B9FD02246}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-08  20:08:15
ComboFix-quarantined-files.txt  2014-09-08 19:08
.
Pre-Run: 374,829,989,888 bytes free
Post-Run: 375,183,646,720 bytes free
.
- - End Of File - - 023AFBDAE1E79AB0F6B7724BE8F530DB
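A triage helper for the ComboFix log above, added here as an example (it is not part of the thread or of ComboFix): it parses the service/driver lines and the BootExecute value from the "Reg Loading Points" section and flags the entries a log reader checks first. The sample input is a few lines copied from the log; the flags are review prompts, not verdicts, since the thread's own posts mention anti-rootkit tools being run the same day.

```python
"""Triage helper for a ComboFix 'Reg Loading Points' section.

Added example, not part of the original thread or of ComboFix itself.
It parses the service/driver lines (R0/R2/R3/S3/S4 ...) and the
BootExecute value and returns entries worth a closer look. Every flag is
a prompt to correlate with what was installed or run at the time, not a
finding on its own.
"""
import re

# Constructed input: lines copied verbatim from the log posted above,
# enough to exercise each rule.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete
.
R0 72441579;72441579;c:\windows\system32\drivers\56501189.sys;c:\windows\SYSNATIVE\drivers\56501189.sys [x]
R2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe [x]
R3 44049676;44049676;c:\windows\system32\drivers\68608752.sys;c:\windows\SYSNATIVE\drivers\68608752.sys [x]
R3 MFE_RR;MFE_RR;c:\users\Matthew\AppData\Local\Temp\mfe_rr.sys;c:\users\Matthew\AppData\Local\Temp\mfe_rr.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S4 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys;c:\windows\SYSNATIVE\Drivers\fsbts.sys [x]
"""

# A ComboFix service line is: start type, then ';'-separated service
# name, display name, image path and the path ComboFix resolved it to,
# optionally followed by " [x]".
SERVICE_RE = re.compile(r"^([RS][0-4]) (.+?);(.+?);(.+?);(.+?)(?: \[x\])?$")
BOOTEXEC_RE = re.compile(r"^BootExecute REG_MULTI_SZ\s+(.*)$")
# The stock Windows 7 value holds only the autochk entry.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]


def parse_services(text):
    """Return one dict per service/driver line in the log text."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, _resolved = m.groups()
            out.append({"start": start, "name": name,
                        "display": display, "path": path})
    return out


def parse_bootexecute(text):
    """Return the BootExecute entries; ComboFix joins them with a literal '\\0'."""
    for line in text.splitlines():
        m = BOOTEXEC_RE.match(line.strip())
        if m:
            return [e for e in m.group(1).split(r"\0") if e]
    return None


def triage(text):
    """Return (entry, reason) pairs that deserve a closer look."""
    findings = []
    for svc in parse_services(text):
        fname = svc["path"].rsplit("\\", 1)[-1].lower()
        if svc["name"].isdigit() and re.fullmatch(r"\d+\.sys", fname):
            # Anti-rootkit scanners load drivers named like this as well,
            # so check the creation time against tools run the same day.
            findings.append((svc["name"],
                             "all-digit driver name; correlate with scanners run that day"))
        elif "\\temp\\" in svc["path"].lower():
            findings.append((svc["name"], "driver loaded from a Temp directory"))
    entries = parse_bootexecute(text)
    for extra in entries or []:
        if extra not in DEFAULT_BOOTEXECUTE:
            # Anything here runs before logon; tie it to whatever was
            # installed around the same timestamp before judging it.
            findings.append(("BootExecute:" + extra,
                             "non-default BootExecute entry"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry:24} {reason}")
```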


#5 Evolverman

Evolverman
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 08 September 2014 - 02:15 PM

And as before the Windows Security Center Service cannot be switched on. 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,554 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:03 PM

Posted 12 September 2014 - 09:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.



