
malware or bot, who knows; every few months combofix restores PC


  • This topic is locked
5 replies to this topic

#1 sdowney717

sdowney717

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 11 January 2017 - 10:23 AM

I just ran combofix and again in quarantine it says userinit.exe.vir

combofix found init.exe.vir again, which it also did a few months prior

 

Can someone review these and tell me something?

here are logs

 
 
malwarebytes found 15 PUPs
 
2016-11-24 12:15:37 . 2017-01-11 14:38:39              232 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat
2015-02-26 03:32:58 . 2015-02-26 03:32:58                0 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2015-02-26 03:31:52 . 2015-02-26 03:31:52              377 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47}.reg.dat
2015-02-26 03:27:24 . 2017-01-11 14:01:02            3,821 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2015-02-26 03:20:46 . 2017-01-11 12:40:39              204 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-11-21 03:23:55 . 2010-11-21 03:23:55           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\userinit.exe.vir
 
 
ComboFix 17-01-04.01 - lr 01/11/2017   7:44.4.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.8184.3155 [GMT -5:00]
Running from: c:\users\lr\Downloads\ComboFix.exe
AV: Avira Antivirus *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Antivirus *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2016-12-11 to 2017-01-11  )))))))))))))))))))))))))))))))
.
.
2017-01-11 14:12 . 2017-01-11 14:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2017-01-11 14:12 . 2017-01-11 14:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-12-15 19:18 . 2017-01-10 17:02 -------- d-----w- c:\users\Public\Speedup Sessions
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-01-11 11:36 . 2015-02-26 03:36 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-01-10 10:19 . 2013-12-31 18:38 802904 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2017-01-10 10:19 . 2013-12-31 18:38 144472 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-12-13 15:21 . 2016-10-06 12:40 35864 ----a-w- c:\windows\system32\drivers\avusbflt.sys
2016-12-13 15:21 . 2016-08-14 19:07 176464 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2016-12-13 15:21 . 2016-08-14 19:07 148032 ----a-w- c:\windows\system32\drivers\avipbb.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2016-11-15 27219928]
"GoogleChromeAutoLaunch_6D68B2A0DEAB486F8A6016D1605B06C2"="c:\program files (x86)\Google\Chrome\Application\chrome.exe" [2016-12-08 935768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2012-09-13 204136]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"Avira SystrayStartTrigger"="c:\program files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe" [2016-11-15 60136]
"avgnt"="c:\program files (x86)\Avira\Antivirus\avgnt.exe" [2016-12-13 917576]
"Avira System Speedup User Starter"="c:\program files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe" [2016-12-13 26832]
"Avira System Speedup Tray"="c:\program files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.Systray.exe" [2016-12-13 159568]
.
c:\users\lr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
zSpeedup.lnk - c:\program files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe -systemready [2016-12-15 26832]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CodecPackUpdateChecker.lnk - c:\windows\SysWOW64\C2MP\UpdateChecker.exe [2013-8-29 48200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
R2 AntiVirMailService;Avira Mail Protection;c:\program files (x86)\Avira\Antivirus\avmailc7.exe;c:\program files (x86)\Avira\Antivirus\avmailc7.exe [x]
R2 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\Antivirus\avwebg7.exe;c:\program files (x86)\Avira\Antivirus\avwebg7.exe [x]
R2 AviraPhantomVPN;Avira Phantom VPN;c:\program files (x86)\Avira\VPN\Avira.VpnService.exe;c:\program files (x86)\Avira\VPN\Avira.VpnService.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;c:\windows\system32\drivers\AVer88xHD64.sys;c:\windows\SYSNATIVE\drivers\AVer88xHD64.sys [x]
R3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys;c:\windows\SYSNATIVE\DRIVERS\lvbflt64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C615(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys;c:\windows\SYSNATIVE\DRIVERS\VX6000Xp.sys [x]
R3 w7Svc;webcam 7 Service;c:\program files (x86)\webcam 7\wService.exe;c:\program files (x86)\webcam 7\wService.exe [x]
S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys;c:\windows\SYSNATIVE\DRIVERS\ahcix64s.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\Antivirus\sched.exe;c:\program files (x86)\Avira\Antivirus\sched.exe [x]
S2 Avira.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\Launcher\Avira.ServiceHost.exe;c:\program files (x86)\Avira\Launcher\Avira.ServiceHost.exe [x]
S2 avnetflt;avnetflt;c:\windows\system32\DRIVERS\avnetflt.sys;c:\windows\SYSNATIVE\DRIVERS\avnetflt.sys [x]
S2 chromoting;Chrome Remote Desktop Service;c:\program files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe;c:\program files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe [x]
S2 GfExperienceService;NVIDIA GeForce Experience Service;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe;c:\program files\Realtek\Audio\HDA\RtkAudioService64.exe [x]
S2 SpeedupService;Avira System Speedup;c:\program files (x86)\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe;c:\program files (x86)\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 WMCRecordingStoragePooler;Windows Media Center Recording Storage Pooler;c:\program files (x86)\WMC Recording Storage Pooler\WMCRecordingStoragePooler.exe;c:\program files (x86)\WMC Recording Storage Pooler\WMCRecordingStoragePooler.exe [x]
S3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\DRIVERS\AVerBas.sys;c:\windows\SYSNATIVE\DRIVERS\AVerBas.sys [x]
S3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\DRIVERS\AVerCap.sys;c:\windows\SYSNATIVE\DRIVERS\AVerCap.sys [x]
S3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\DRIVERS\AVerTun.sys;c:\windows\SYSNATIVE\DRIVERS\AVerTun.sys [x]
S3 Bda8600;VBox TV Receiver, BDA Tuner Driver (DTF8600);c:\windows\system32\Drivers\Dtf8600b.sys;c:\windows\SYSNATIVE\Drivers\Dtf8600b.sys [x]
S3 BdaVb35xx;VBox Vb35xx BDA driver;c:\windows\system32\Drivers\Vb35xxB.sys;c:\windows\SYSNATIVE\Drivers\Vb35xxB.sys [x]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys;c:\windows\SYSNATIVE\drivers\HCW85BDA.sys [x]
S3 NvStreamKms;NvStreamKms;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-12-15 00:17 1384792 ----a-w- c:\program files (x86)\Google\Chrome\Application\55.0.2883.87\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2017-01-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-31 10:19]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VX6000"="c:\windows\vVX6000.exe" [2010-05-20 764784]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2015-01-16 2585744]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = [url=http://www.google.com]Google[/url]
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: {{d8f67242-b229-4065-95fa-391b077ed6ca} - {d8f67242-b229-4065-95fa-391b077ed6ca} - mscoree.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: abs - {E00957BD-D0E1-4eb9-A025-7743FDC8B27B} - c:\windows\System32\mscoree.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\w7Svc]
"ImagePath"="c:\program files (x86)\webcam 7\wService.exe /startedbyscm:5053B757-40E35B3B-webcam7SRV"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]   @Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_24_0_0_194_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_24_0_0_194_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]   @Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]   @Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_24_0_0_194_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_24_0_0_194_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]   @Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_194.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.24"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_194.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]   @Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_194.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_194.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]   @Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]   @Denied: (Full) (Everyone)
.
Completion time: 2017-01-11  09:41:01
ComboFix-quarantined-files.txt  2017-01-11 14:40
ComboFix2.txt  2016-11-24 12:16
ComboFix3.txt  2016-08-05 17:58
ComboFix4.txt  2015-02-26 03:32
.
Pre-Run: 71,795,605,504 bytes free
Post-Run: 72,515,137,536 bytes free
.
- - End Of File - - F3F4698560AC71AF821D8B33D3FCF7F5
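The quarantine listing at the top of this post is the part the thread keeps coming back to ("what does that mean?"). As an added illustration, not part of the original post and not code from ComboFix, the script below parses that listing format (`<created> . <modified> <size> <attrs> <path>`) and sorts the entries into executables that were moved out of Windows system directories, registry backups, and helper files. The sample lines are copied from the listing above; the assumptions that ComboFix appends `.vir` to a quarantined file and mirrors its original path under `Quarantine\C\` are read off the listing itself. The point for a reviewer is that a `.vir` whose original home was `System32` or `SysWOW64` is a live system binary that was replaced, so the copy now on disk is worth verifying against a known-good, signed version before the quarantined one is simply deleted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the ComboFix quarantine-listing format quoted in the post.
# These four lines are copied from the listing above; nothing here touches a live machine.
SAMPLE_LISTING = r"""
2016-11-24 12:15:37 . 2017-01-11 14:38:39              232 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat
2015-02-26 03:32:58 . 2015-02-26 03:32:58                0 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2015-02-26 03:20:46 . 2017-01-11 12:40:39              204 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-11-21 03:23:55 . 2010-11-21 03:23:55           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\userinit.exe.vir
"""

# One listing line: created timestamp, " . ", modified timestamp, size (with thousands
# separators), an attribute string such as ----a-w-, then the quarantine path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>\S.*?)\s*$"
)

# Directories whose executables deserve a closer look when found in quarantine.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class QuarantineEntry:
    created: str
    modified: str
    size: int
    attrs: str
    path: str

    @property
    def original_path(self) -> Optional[str]:
        """Reconstruct where a quarantined file lived before it was moved.

        Assumption (taken from the listing, not from ComboFix documentation): a file
        is stored as <drive-letter>\<original path>.vir under Qoobox\Quarantine\.
        Registry backups, the MBR dump and logs carry no .vir suffix and return None.
        """
        if not self.path.lower().endswith(".vir"):
            return None
        marker = "\\Qoobox\\Quarantine\\"
        idx = self.path.find(marker)
        if idx < 0:
            return None
        tail = self.path[idx + len(marker):-len(".vir")]  # e.g. C\Windows\SysWOW64\userinit.exe
        drive, sep, rest = tail.partition("\\")
        if not sep or len(drive) != 1:
            return None
        return f"{drive}:\\{rest}"


def parse_listing(text: str) -> List[QuarantineEntry]:
    """Turn the raw listing text into structured entries, skipping blank or header lines."""
    entries: List[QuarantineEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(QuarantineEntry(
            created=m["created"],
            modified=m["modified"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def triage(entries: List[QuarantineEntry]) -> Dict[str, List[str]]:
    """Group entries by what a reviewer should do with them.

    system_binaries: original paths of executables taken from Windows system
                     directories; verify the live replacement is a signed, known-good copy.
    registry_backups: .reg.dat backups of keys ComboFix changed; safe to keep for reference.
    other: MBR dumps, logs and anything else.
    """
    report: Dict[str, List[str]] = {"system_binaries": [], "registry_backups": [], "other": []}
    for e in entries:
        orig = e.original_path
        if orig and orig.lower().startswith(SYSTEM_DIRS):
            report["system_binaries"].append(orig)
        elif "\\Registry_backups\\" in e.path:
            report["registry_backups"].append(e.path)
        else:
            report["other"].append(e.path)
    return report


if __name__ == "__main__":
    for category, paths in triage(parse_listing(SAMPLE_LISTING)).items():
        print(category)
        for p in paths:
            print("   ", p)
```

Run against the sample, the only entry that lands in `system_binaries` is `C:\Windows\SysWOW64\userinit.exe`, which is exactly the file the opening post asks about; the registry backup and the MBR/log entries are parked copies, as the reply later in the thread says.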
 
 



 


#2 sdowney717

sdowney717
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 12 January 2017 - 06:49 AM

good luck with that virus.

I was referred here from seven forums. 

I look for the zeros thread killer, just delete this ok.

 

I was told by seven forums that this was the appropriate place to go.

 

What does that mean?

2015-02-26 03:27:24 . 2017-01-11 14:01:02            3,821 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2015-02-26 03:20:46 . 2017-01-11 12:40:39              204 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-11-21 03:23:55 . 2010-11-21 03:23:55           26,624 ----a-w-  C:\Qoobox\Quarantine\C\Windows\SysWOW64\userinit.exe.vir
 

Time to nuke Windows; it is a poorly designed, easily compromised OS, natively wide open to hacking, and can create much grief. Using antimalware software is just temporarily holding off the attacking horde.

I get by, although I would love to switch this PC to Linux, but I need WMC to view TV.


Edited by sdowney717, 12 January 2017 - 06:55 AM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:17 AM

Posted 12 January 2017 - 10:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

What does that mean?
2015-02-26 03:27:24 . 2017-01-11 14:01:02 3,821 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2015-02-26 03:20:46 . 2017-01-11 12:40:39 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-11-21 03:23:55 . 2010-11-21 03:23:55 26,624 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\userinit.exe.vir


The files are in the Qoobox\Quarantine folder and can be deleted.
Flush them from the Recycle Bin afterwards.

===

Any other issues with this computer?

#4 sdowney717

sdowney717
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 12 January 2017 - 12:39 PM

Print out what topic? You're not making any sense to me.

 

Other issues? Yes, the computer always gets reinfected after running combofix, which is why I posted.

Who knows how long it takes, but yesterday the odd behavior came back one time.

 

The behavior is it gets real slow, a message pops up on the desktop saying it is not genuine.

Then when I go to System, it says genuine with the certified label, and the desktop non-genuine message goes away.

 

Once it starts doing that, the only thing that stops it for a while is running combofix.

 

When it is being goofy, if I leave open the system page displaying the genuineness, then it seems to keep the odd behavior away, but NOT always.

In the recent past, it has become so unresponsive with the drive banging away, I simply have to pull the power plug from the wall since it refuses to respond to anything, then after reboot it is good for a while.

 

I have been dealing with this for many months. 


Edited by sdowney717, 12 January 2017 - 12:40 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:17 AM

Posted 12 January 2017 - 02:36 PM

These files in the Quarantine folder are just parked there.

After a scan with ComboFix and a normal restart of the computer, what problems are you having with this computer?

If you do have problems, run this scanning tool.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[screenshot: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post both logs.

Wait for further instructions.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:17 AM

Posted 18 January 2017 - 09:37 AM

Are you still with me?



