Need help purging kwrd.dll malware (PUP.Bitminer) [Solved]



#16 emeraldire (Member, Topic Starter, 37 posts)
ComboFix log is below.
Please note that in the middle of running ComboFix using the script, it asked me if I wanted to update it since an updated version was available. I clicked 'Yes' (probably a mistake) and let it run. Once it completed updating, it ran again, rebooted, and posted its log file; however, I was forced to reboot a second time because I could not run OTL. In fact every file, application, program, service, etc. said the registry key was flagged for deletion and could not be opened. I thought it might have had something to do with the update, so I reran ComboFix with the script drag exercise and it did more or less the same thing. Hopefully I did not botch this round of assessment with the update; if so, my apologies.


Combofix Log:
ComboFix 12-01-03.08 - Wood 01/03/2012 23:51:58.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1040.18.8184.6710 [GMT -6:00]
Running from: c:\users\Wood\Desktop\ComboFix.exe
Command switches used :: c:\users\Wood\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Wood\AppData\Local\6e42i75q6s6w248232dl442y68g6x06i07owh"
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 05:55 . 2012-01-04 05:55 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-04 05:55 . 2012-01-04 05:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 22:49 . 2012-01-02 22:49 -------- d-----w- c:\windows\system32\appmgmt
2012-01-02 09:18 . 2012-01-02 09:18 -------- d-----w- C:\_OTL
2011-12-23 06:38 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-23 06:38 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-23 06:38 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-23 06:38 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-23 06:38 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-23 06:38 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-23 06:38 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-17 09:55 . 2011-12-17 09:55 -------- d-----we c:\windows\system64
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 19:53 . 2011-11-18 19:53 37693341 ----a-w- C:\RehearsalDinner_2.zip
2011-11-16 00:06 . 2011-06-17 03:06 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-07 04:16 . 2011-11-15 22:48 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{655AA80F-46AC-4264-BEFD-21F5DCB6AC34}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Wood\AppData\Roaming\5C2DE ----
.
2011-11-17 08:19 . 2011-11-20 00:50 7473 ----a-w- c:\users\Wood\AppData\Roaming\5C2DE\E1E7.C2D
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-02_08.36.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-01-02 08:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-04 06:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:36 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 06:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 06:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-30 13:25 . 2012-01-04 05:48 32576 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 05:48 31624 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-30 12:31 . 2012-01-04 04:56 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 22:16 . 2012-01-04 04:56 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 04:56 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:10 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-30 13:25 . 2012-01-04 05:48 32576 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 05:48 31624 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-09-30 12:31 . 2012-01-02 08:10 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-30 12:31 . 2012-01-04 04:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 22:16 . 2012-01-04 04:56 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 04:56 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:10 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-29 22:30 . 2012-01-04 05:48 8448 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1768621638-534525770-3004020928-1000_UserData.bin
+ 2010-09-29 22:30 . 2012-01-04 05:48 8448 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1768621638-534525770-3004020928-1000_UserData.bin
+ 2012-01-04 05:56 . 2012-01-04 05:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-02 08:36 . 2012-01-02 08:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-04 05:56 . 2012-01-04 05:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-02 08:36 . 2012-01-02 08:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 701408 c:\windows\system64\perfh010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 701408 c:\windows\system64\perfh010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 628308 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 628308 c:\windows\system64\perfh009.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 128626 c:\windows\system64\perfc010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 128626 c:\windows\system64\perfc010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 107870 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 107870 c:\windows\system64\perfc009.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 701408 c:\windows\system32\perfh010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 701408 c:\windows\system32\perfh010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 628308 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 628308 c:\windows\system32\perfh009.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 128626 c:\windows\system32\perfc010.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 128626 c:\windows\system32\perfc010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 107870 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 107870 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-01-02 08:35 394064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-04 05:55 394064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-04 04:49 . 2012-01-04 05:55 3654596 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1768621638-534525770-3004020928-1000-8192.dat
+ 2011-05-11 08:17 . 2012-01-04 05:18 32084454 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1768621638-534525770-3004020928-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Turbo Key"="c:\program files (x86)\ASUS\Turbo Key\TurboKey.exe" [2009-11-24 1874432]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\users\Wood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Online plug-in.lnk - c:\windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-1-9 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
R3 cpuz130;cpuz130;c:\users\Wood\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NVIDIAHWAccess;NVIDIAHWAccess;c:\users\Wood\AppData\Roaming\NVIDIA\HWAccess.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub; [x]
S1 aswSP;aswSP; [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-11-06 122880]
S2 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2010-03-12 136544]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-08-19 90112]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S3 AODDriver;AODDriver;c:\program files (x86)\AMD\OverDrive\amd64\AODDriver.sys [2010-03-12 52280]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 RTL8167;Driver Realtek 8167 NT;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Citrix\ICA Client\ssonsvr.exe
c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
.
**************************************************************************
.
Completion time: 2012-01-04 00:03:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 06:03
ComboFix2.txt 2012-01-02 08:40
.
Pre-Run: 382,851,571,712 bytes free
Post-Run: 382,742,810,624 bytes free
.
- - End Of File - - 2196D6DE499C1A939BA105E7BEF18A03


OTL Log:
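A small triage script for the service and Run-key lines in the ComboFix log above, added here as an example; it is not part of ComboFix, OTL or this thread. Its sample input is lines copied from the posted log, and the "suspect directory" patterns are a heuristic of mine, not a ComboFix rule.

```python
"""Triage helper for the autostart lines in a ComboFix log.

Added example for this thread; it is not part of ComboFix or OTL.
ComboFix lists services/drivers as
    <start> <name>;<display name>;<image path> [<date size> | x]
and Run-key values as
    "<value name>"="<image path>" [<date size>]
under a [HKEY_...] header. This parser extracts both and flags images
that live where a driver or service has no normal business running from.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R3 cpuz130;cpuz130;c:\users\Wood\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NVIDIAHWAccess;NVIDIAHWAccess;c:\users\Wood\AppData\Roaming\NVIDIA\HWAccess.sys [x]
S1 aswSP;aswSP; [x]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')

# Heuristic (mine, not ComboFix's): most specific location first.
SUSPECT_DIRS = [
    (re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I), "user temp directory"),
    (re.compile(r"\\users\\[^\\]+\\appdata\\", re.I), "user profile AppData"),
]


@dataclass
class AutostartEntry:
    kind: str    # "service" or "run"
    name: str
    path: str    # empty when ComboFix printed no image path
    meta: str    # "<date> <size>", or "x" when ComboFix recorded neither
    source: str  # start type (R2, S1, ...) for services, registry key for Run values


def parse_combofix(text: str) -> list:
    """Extract service/driver and Run-key entries from ComboFix log text."""
    entries, current_key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":       # ComboFix uses "." as a spacer line
            continue
        if m := KEY_RE.match(line):
            current_key = m["key"]
        elif m := SERVICE_RE.match(line):
            entries.append(AutostartEntry("service", m["name"], m["path"], m["meta"], m["start"]))
        elif (m := RUN_RE.match(line)) and current_key:
            entries.append(AutostartEntry("run", m["name"], m["path"], m["meta"], current_key))
    return entries


def reasons_for(entry: AutostartEntry) -> list:
    """Why an entry deserves a second look. meta == "x" is deliberately NOT a
    reason: in the posted log mbam.sys carries [x] yet appears with a size in
    the 'Files Created' section, so [x] on its own proves nothing."""
    reasons = []
    if not entry.path:
        reasons.append("no image path recorded (verify manually)")
    for pattern, label in SUSPECT_DIRS:
        if pattern.search(entry.path):
            reasons.append(f"image under {label}")
            break
    return reasons


def triage(entries) -> dict:
    """Map entry name -> reasons, for entries with at least one reason."""
    return {e.name: reasons_for(e) for e in entries if reasons_for(e)}


if __name__ == "__main__":
    for name, why in triage(parse_combofix(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(why)}")
```

On the sample above this flags the cpuz130 driver loading from the user's Temp folder and the NVIDIAHWAccess driver loading from AppData\Roaming; both are places a reviewer would want to verify by hand, while legitimately [x]-marked entries such as MBAMProtector stay quiet.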



#17 emeraldire (Member, Topic Starter, 37 posts)
Sorry, I am replying from work, as I could not do it from home last night or this morning (my system startup is now corrupted). Regarding the OTL, I kicked it off with the custom script and it immediately pulled up a DOS screen for the Reg Edit and a notepad 'Regedit' file with the cursor blinking on the first line of the Reg Edit file. I waited for about 45 min but gave up and went to sleep. 4 hrs later, around 4am CST this morning, I woke up and decided to check on the status of the OTL process and saw that nothing had changed... went back to sleep.

This morning before work, I clicked on the menu bar of OTL to bring it to the forefront and the OTL hourglass was still ticking for it with the menu bar showing '(Not Responding)'. At this point I figured something had hung up in the process or that I had cut-and-pasted incorrectly, so I force-closed OTL by using the 'X' close on the OTL menu bar. I started OTL again and a log file of some sort with a date / time(?) stamp in the file name immediately popped up, which showed what appeared to be the logged, failed execution attempt from the prior night. I closed this and ran OTL again with the same Fix custom script. The same DOS screen and RegEdit notepad file with blinking cursor came up, as did the OTL application 'hourglass'.

Frustrated, I closed the RegEdit notepad file (fatal mistake) and OTL immediately picked up where it left off and said 'Fix complete, please Reboot' or something similar. I clicked OK to reboot, but could never get through the Windows 7 logo screen without a redirect occurring, with fuzzy Windows graphics taking me to a 'Safe Mode' looking screen. I struggled a bit with translating Italian OS jargon via my smart phone trying to determine what diagnostic options were being offered, but had to come to work to host an 8am meeting (only now finding time to complete the status of what happened on this site).

From what I gathered before I left for work, I may have the option of restoring to a previous restore point, restoring from the Windows 7 OS disk, or contacting Microsoft / Microsoft Admin. I am guessing(?) that when I closed the registry file for the cryptographic services key, OTL had not done all the registry updates against the keys it needed to do, and thus corrupted the keys in my startup. I have not yet tried starting up in Safe Mode, which I believe is my next step. I am hoping that ComboFix might have stored off an old copy of the registry keys that could be accessible in safe mode to apply, but honestly this is now beyond my comfort level of system assessment. Do you have recommendations or suggestions?

Thank you,
Emeraldire

Edited by emeraldire, 04 January 2012 - 04:32 PM.


#18 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hello
Strange things are happening with your computer.

notepad 'Regedit' file

I can't understand this. Normally only one notepad file should open after OTL finished its fix (which should last ~10 seconds). Do you remember what that notepad file was writing?

Can you take a screenshot (with your mobile if you can't with your computer) and post it here with the options you get at the diagnostic screen when you boot the computer?

Yes, ComboFix saved a copy of the registry, but see if you can boot into safe mode first and tell me :thumbsup:

#19 emeraldire (Member, Topic Starter, 37 posts)
Michael,
Thank you for the quick response. I will try to post a screenshot of the options when I get home (45 min) and will try getting to safe mode, as well.

As for the first notepad file, I think OTL posted it as a diagnostic log of the failed fix. It looked like a logical step sequence which stopped at doing something with the cryptographic registry key. I saved a copy to my desktop, just in case, and will post it if I can get to it in safe mode.

Regards,
Emeraldire

Edited by emeraldire, 04 January 2012 - 05:36 PM.


#20 emeraldire (Member, Topic Starter, 37 posts)
IMAG0095.jpg
Attached is the screenshot, trying to get to safe mode now.

#21 emeraldire (Member, Topic Starter, 37 posts)
This is the initial screen I get when redirected.
IMAG0096.jpg

#22 emeraldire (Member, Topic Starter, 37 posts)
The DOS screen option in the first screenshot takes me to the following folder.
X:\windows\system32

I am unable to get to safe mode or system restore. At this point, my only option seems to be a reinstall of the OS, which I am not even sure is possible. Any suggestions?

#23 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hello
When you are at that screen, select the first option, which in English means Startup Repair. After it has finished its job, restart and see if the computer can boot.

Next:

Turn off the computer.
Turn it on and begin pressing the F8 button continuously. You will see this screen:
Select Last Known Good Configuration (advanced).
See if that allows the computer to boot.

Next:

If your computer still doesn't boot, allow it to go to the screen with the recovery options and select the second option.
Select a restore point before the date that your computer fails to start.
Perform the restore, and see if you can boot.

#24 emeraldire (Member, Topic Starter, 37 posts)
Unfortunately, this did not work. The following screen results for all restore attempts. With the last option I did not even get the chance to select a restore point before being redirected to this screen. Is an OS reinstall from DVD my best option?

IMAG0098.jpg

#25 emeraldire (Member, Topic Starter, 37 posts)
Also, if I click the link at the bottom of that resulting screen it returns me to the first screenshot I posted last night. Clicking the dropdown arrow will match the second screenshot that I posted yesterday evening.



#26 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hello

Please print these instructions out so that you know what you are doing.

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A


  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


Next:

While in OTLPE, find the following text file and post it here: D:\Windows\System32\LogFiles\Srt\SrtTrail.txt, where D: is the letter of your windows drive.

Next:

  • Open up your windows drive.
  • There will be a folder named _OTL. Open it.
  • There will be a folder named MovedFiles. Open it.
  • Inside there you will see some folders and some fix text files. In the text files' names, there will be the date of the fix.
  • Post the two most recent files.
  • Note: If you are not sure which ones to post, zip them all and attach the zip file


If the previous logs don't show the problem, the next step I think will be to restore ComboFix's registry copies.

#27 emeraldire (Member, Topic Starter, 37 posts)
As you know, I cannot get to safe mode, my desktop, or my C: drive, much less internet access (from my home PC); so, I assume that means I should burn the image file to CD from another computer. I do not have access to do this from work (workstation constraint), so I will need to do it from a friend's house after work. Please respond if you recommend anything based on my comments.

As a side note, I need to get this working by Saturday morning; given this, should I start preparing to restore from the OS disks as well?

Edited by emeraldire, 05 January 2012 - 11:00 AM.


#28 emeraldire (Member, Topic Starter, 37 posts)
I downloaded and booted from CD. Thank you!

1. Here is the OTL Log

OTL logfile created on: 1/5/2012 12:12:04 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Ultimate Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 74.12 Mb Free Space | 74.12% Space Free | Partition Type: NTFS
Drive D: | 446.93 Gb Total Space | 355.96 Gb Free Space | 79.64% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand] -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV:64bit: - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand] -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV:64bit: - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto] -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2010/06/29 12:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto] -- D:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Windows\System32\appmgmts.dll -- (AppMgmt)
SRV - [2011/12/24 18:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto] -- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/03 06:50:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) [Auto] -- D:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/08/03 03:31:42 | 000,379,496 | ---- | M] (NVIDIA Corporation) [Auto] -- D:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- D:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/12 05:40:54 | 000,136,544 | ---- | M] () [Auto] -- D:\Program Files (x86)\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2009/11/05 20:26:00 | 000,122,880 | ---- | M] (AMD) [Auto] -- D:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe -- (AMD_RAIDXpert)
SRV - [2009/08/19 06:56:38 | 000,090,112 | R--- | M] (ASUSTeK Computer Inc.) [Auto] -- D:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe -- (AsSysCtrlService)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- D:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/12/10 16:24:08 | 000,023,152 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- D:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011/05/25 01:09:17 | 000,174,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 06:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/09/07 09:47:33 | 000,061,008 | ---- | M] (AVAST Software) [File_System | Auto] -- D:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2010/07/21 17:14:24 | 000,051,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV:64bit: - [2010/07/21 17:14:24 | 000,023,952 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\nuidfltr.sys -- (NuidFltr)
DRV:64bit: - [2010/07/21 16:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\point64.sys -- (Point64)
DRV:64bit: - [2010/07/14 13:51:56 | 000,087,600 | ---- | M] (Citrix Systems, Inc.) [Kernel | System] -- D:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV:64bit: - [2010/02/17 13:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- D:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 13:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- D:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2009/07/15 22:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand] -- D:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- D:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand] -- D:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2010/03/12 05:40:48 | 000,052,280 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand] -- D:\Program Files (x86)\AMD\OverDrive\amd64\AODDriver.sys -- (AODDriver)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0





IE - HKU\Wood_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
IE - HKU\Wood_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Wood_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP =
IE - HKU\Wood_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF:64bit: - HKLM\Software\MozillaPlugins\@Citrix.com/npagee64,version=9.1.104.5: D:\Program Files\Citrix\Secure Access Client\npagee64.dll (Citrix Systems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@checkpoint.com/FFApi: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Citrix.com/npagee,version=9.1.104.5: D:\Program Files\Citrix\Secure Access Client\npagee.dll (Citrix Systems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: D:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@movenetworks.com/Quantum Media Player: D:\Users\Wood\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll (Move Networks)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@nvidia.com/3DVision: D:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@nvidia.com/3DVisionStreaming: D:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: D:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker


Hosts file not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKU\Wood_ON_D\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4:64bit: - HKLM..\Run: [IntelliPoint] D:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [itype] D:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ConnectionCenter] D:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Turbo Key] D:\Program Files (x86)\ASUS\Turbo Key\TurboKey.exe (ASUSTeK Computer Inc.)
O4 - HKU\UpdatusUser_ON_D..\Run: [Sidebar] D:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [OTL] D:\Users\Wood\Desktop\OTL.exe (OldTimer Tools)
O4 - HKU\UpdatusUser_ON_D..\RunOnce: [mctadmin] File not found
O4 - Startup: Error locating startup folders.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\Wood_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Wood_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.5.7.cab (DLM Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.76.76 75.75.75.75
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/04 01:01:04 | 000,000,000 | -HSD | C] -- D:\$RECYCLE.BIN
[2012/01/02 22:12:24 | 000,000,000 | ---D | C] -- D:\Users\Wood\Desktop\aswMBR Stuff
[2012/01/02 22:11:47 | 000,000,000 | ---D | C] -- D:\Users\Wood\Desktop\Combofix Stuff
[2012/01/02 22:11:22 | 000,000,000 | ---D | C] -- D:\Users\Wood\Desktop\MBR Stuff
[2012/01/02 22:09:30 | 000,000,000 | ---D | C] -- D:\Users\Wood\Desktop\RK Stuff
[2012/01/02 22:09:00 | 000,000,000 | ---D | C] -- D:\Users\Wood\Desktop\OTL Stuff
[2012/01/02 04:18:05 | 000,000,000 | ---D | C] -- D:\_OTL
[2012/01/02 03:31:23 | 000,518,144 | ---- | C] (SteelWerX) -- D:\Windows\SWREG.exe
[2012/01/02 03:31:23 | 000,406,528 | ---- | C] (SteelWerX) -- D:\Windows\SWSC.exe
[2012/01/02 03:31:23 | 000,060,416 | ---- | C] (NirSoft) -- D:\Windows\NIRCMD.exe
[2012/01/02 03:31:18 | 000,000,000 | ---D | C] -- D:\Windows\ERDNT
[2012/01/02 03:26:55 | 000,000,000 | ---D | C] -- D:\Qoobox
[2012/01/02 03:15:02 | 004,368,790 | R--- | C] (Swearware) -- D:\Users\Wood\Desktop\ComboFix.exe
[2012/01/02 03:06:32 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- D:\Users\Wood\Desktop\tdsskiller.exe
[2011/12/31 21:37:18 | 004,702,720 | ---- | C] (AVAST Software) -- D:\Users\Wood\Desktop\aswMBR.exe
[2011/12/26 11:05:03 | 000,000,000 | ---D | C] -- D:\Windows\Minidump
[2011/12/23 04:01:12 | 000,096,256 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\mshtmled.dll
[2011/12/23 04:01:12 | 000,072,704 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\mshtmled.dll
[2011/12/23 04:01:11 | 000,248,320 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\ieui.dll
[2011/12/23 04:01:11 | 000,237,056 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\url.dll
[2011/12/23 04:01:11 | 000,231,936 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\url.dll
[2011/12/23 04:01:11 | 000,176,640 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\ieui.dll
[2011/12/23 04:01:10 | 002,309,120 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\jscript9.dll
[2011/12/23 04:01:10 | 001,798,144 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\jscript9.dll
[2011/12/23 04:01:10 | 001,493,504 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\inetcpl.cpl
[2011/12/23 04:01:10 | 001,427,456 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\inetcpl.cpl
[2011/12/23 04:01:10 | 000,818,688 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\jscript.dll
[2011/12/23 04:01:10 | 000,716,800 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\jscript.dll
[2011/12/23 02:12:31 | 000,584,192 | ---- | C] (OldTimer Tools) -- D:\Users\Wood\Desktop\OTL.exe
[2011/12/23 01:38:12 | 000,043,520 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\csrsrv.dll
[2011/12/23 01:38:12 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/23 01:38:07 | 000,023,152 | ---- | C] (Malwarebytes Corporation) -- D:\Windows\System32\drivers\mbam.sys
[2011/12/23 01:38:03 | 000,723,456 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\EncDec.dll
[2011/12/23 01:38:03 | 000,534,528 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\EncDec.dll

========== Files - Modified Within 30 Days ==========

[2012/01/05 01:37:47 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2012/01/04 07:50:03 | 000,003,924 | ---- | M] () -- D:\cryptsvc.reg
[2012/01/04 01:18:29 | 000,017,360 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/04 01:18:29 | 000,017,360 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/04 01:15:33 | 000,701,408 | ---- | M] () -- D:\Windows\System32\perfh010.dat
[2012/01/04 01:15:33 | 000,628,308 | ---- | M] () -- D:\Windows\System32\perfh009.dat
[2012/01/04 01:15:33 | 000,128,626 | ---- | M] () -- D:\Windows\System32\perfc010.dat
[2012/01/04 01:15:33 | 000,107,870 | ---- | M] () -- D:\Windows\System32\perfc009.dat
[2012/01/04 01:06:54 | 2140,995,583 | -HS- | M] () -- D:\hiberfil.sys
[2012/01/04 00:14:23 | 004,368,790 | R--- | M] (Swearware) -- D:\Users\Wood\Desktop\ComboFix.exe
[2012/01/02 18:03:29 | 000,181,342 | ---- | M] () -- D:\Users\Wood\Desktop\DiskMgmt.jpg
[2012/01/02 03:06:32 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- D:\Users\Wood\Desktop\tdsskiller.exe
[2012/01/01 21:49:50 | 000,000,797 | ---- | M] () -- D:\Users\Public\Desktop\World of Warcraft.lnk
[2011/12/31 21:58:17 | 000,000,560 | ---- | M] () -- D:\Users\Wood\Desktop\MBR.zip
[2011/12/31 21:37:19 | 004,702,720 | ---- | M] (AVAST Software) -- D:\Users\Wood\Desktop\aswMBR.exe
[2011/12/31 21:29:46 | 000,775,168 | ---- | M] () -- D:\Users\Wood\Desktop\RogueKiller.exe
[2011/12/31 19:24:52 | 000,002,441 | ---- | M] () -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/12/31 19:24:52 | 000,002,014 | ---- | M] () -- D:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/12/28 00:59:52 | 000,001,133 | ---- | M] () -- D:\Users\Wood\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2011/12/28 00:59:52 | 000,001,109 | ---- | M] () -- D:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/28 00:59:52 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/23 04:20:52 | 000,415,544 | ---- | M] () -- D:\Windows\System32\FNTCACHE.DAT
[2011/12/23 04:03:31 | 000,000,118 | ---- | M] () -- D:\Windows\System32\MRT.INI
[2011/12/23 02:12:31 | 000,584,192 | ---- | M] (OldTimer Tools) -- D:\Users\Wood\Desktop\OTL.exe
[2011/12/23 02:07:53 | 000,007,608 | ---- | M] () -- D:\Users\Wood\AppData\Local\Resmon.ResmonCfg
[2011/12/23 01:14:16 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2011/12/10 16:24:08 | 000,023,152 | ---- | M] (Malwarebytes Corporation) -- D:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2012/01/04 01:25:19 | 000,003,924 | ---- | C] () -- D:\cryptsvc.reg
[2012/01/02 18:03:29 | 000,181,342 | ---- | C] () -- D:\Users\Wood\Desktop\DiskMgmt.jpg
[2012/01/02 03:31:23 | 000,256,000 | ---- | C] () -- D:\Windows\PEV.exe
[2012/01/02 03:31:23 | 000,208,896 | ---- | C] () -- D:\Windows\MBR.exe
[2012/01/02 03:31:23 | 000,098,816 | ---- | C] () -- D:\Windows\sed.exe
[2012/01/02 03:31:23 | 000,080,412 | ---- | C] () -- D:\Windows\grep.exe
[2012/01/02 03:31:23 | 000,068,096 | ---- | C] () -- D:\Windows\zip.exe
[2011/12/31 21:58:17 | 000,000,560 | ---- | C] () -- D:\Users\Wood\Desktop\MBR.zip
[2011/12/31 21:29:46 | 000,775,168 | ---- | C] () -- D:\Users\Wood\Desktop\RogueKiller.exe
[2011/12/28 00:59:52 | 000,001,133 | ---- | C] () -- D:\Users\Wood\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2011/12/28 00:59:52 | 000,001,109 | ---- | C] () -- D:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/23 04:03:31 | 000,000,118 | ---- | C] () -- D:\Windows\System32\MRT.INI
[2011/08/03 03:31:54 | 000,311,912 | ---- | C] () -- D:\Windows\SysWow64\nvStreaming.exe
[2011/07/01 01:05:17 | 000,252,928 | ---- | C] () -- D:\Windows\SysWow64\DShowRdpFilter.dll
[2010/12/20 17:24:54 | 000,002,560 | ---- | C] () -- D:\Windows\_MSRSTRT.EXE
[2010/10/01 08:53:30 | 000,000,268 | ---- | C] () -- D:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/10/01 01:14:37 | 001,553,332 | ---- | C] () -- D:\Windows\SysWow64\PerfStringBackup.INI
[2010/09/30 22:36:29 | 000,007,608 | ---- | C] () -- D:\Users\Wood\AppData\Local\Resmon.ResmonCfg
[2010/09/30 10:39:16 | 000,024,576 | R--- | C] () -- D:\Windows\SysWow64\AsIO.dll
[2010/09/30 10:39:16 | 000,013,440 | R--- | C] () -- D:\Windows\SysWow64\drivers\AsIO.sys
[2010/09/30 10:39:13 | 000,011,832 | ---- | C] () -- D:\Windows\SysWow64\drivers\AsInsHelp64.sys
[2010/09/30 10:39:13 | 000,010,216 | ---- | C] () -- D:\Windows\SysWow64\drivers\AsInsHelp32.sys
[2010/09/30 10:33:09 | 000,001,769 | ---- | C] () -- D:\Windows\Language_trs.ini
[2010/09/30 10:33:02 | 000,028,523 | ---- | C] () -- D:\Windows\Ascd_tmp.ini
[2009/11/05 20:26:00 | 000,139,264 | ---- | C] () -- D:\Windows\SysWow64\WinMsgBalloonClient.exe
[2009/11/05 20:26:00 | 000,122,880 | ---- | C] () -- D:\Windows\SysWow64\WinMsgBalloonServer.exe
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- D:\Windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- D:\Windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- D:\Windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- D:\Windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- D:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- D:\Windows\SysWow64\ir32_32.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- D:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- D:\Windows\SysWow64\mlang.dat
[2009/04/02 07:30:14 | 000,010,296 | ---- | C] () -- D:\Windows\SysWow64\drivers\ASUSHWIO.SYS

========== LOP Check ==========

[2010/10/01 02:18:01 | 000,000,000 | ---D | M] -- D:\ProgramData\!SASCORE
[2010/09/30 10:37:29 | 000,000,000 | ---D | M] -- D:\ProgramData\Alwil Software
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Application Data
[2010/09/30 10:39:21 | 000,000,000 | ---D | M] -- D:\ProgramData\ASUS OC Profiles
[2010/09/30 20:28:39 | 000,000,000 | ---D | M] -- D:\ProgramData\CheckPoint
[2011/01/09 17:21:33 | 000,000,000 | ---D | M] -- D:\ProgramData\Citrix
[2010/09/29 05:37:52 | 000,000,000 | -HSD | M] -- D:\ProgramData\Dati applicazioni
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Desktop
[2010/09/29 05:37:52 | 000,000,000 | -HSD | M] -- D:\ProgramData\Documenti
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Documents
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favorites
[2010/09/30 12:12:28 | 000,000,000 | ---D | M] -- D:\ProgramData\Futuremark
[2010/09/29 05:37:52 | 000,000,000 | -HSD | M] -- D:\ProgramData\Menu Avvio
[2010/09/29 05:37:52 | 000,000,000 | -HSD | M] -- D:\ProgramData\Modelli
[2011/09/04 17:51:18 | 000,000,000 | ---D | M] -- D:\ProgramData\PopCap
[2010/09/29 05:37:52 | 000,000,000 | -HSD | M] -- D:\ProgramData\Preferiti
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Start Menu
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Templates
[2009/07/14 00:08:49 | 000,024,584 | ---- | M] () -- D:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >



2. SrtTrail.txt

Diagnosi e registro di ripristino per Ripristino all'avvio
---------------------------
Ora ultimo avvio riuscito: ‎04/‎01/‎2012 06:07:00 (GMT)
Numero di tentativi di ripristino: 14

Dettagli sessione
---------------------------
Disco di sistema = \Device\Harddisk0
Directory Windows = D:\Windows
Controllo automatico = 0
Numero di cause radice = 1

Test eseguito:
---------------------------
Nome: Controlla aggiornamenti
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Test disco di sistema
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 15 ms

Test eseguito:
---------------------------
Nome: Diagnosi di errore disco
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Test metadati disco
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 32 ms

Test eseguito:
---------------------------
Nome: Test sistema operativo di destinazione
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 62 ms

Test eseguito:
---------------------------
Nome: Controllo contenuto volume
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 218 ms

Test eseguito:
---------------------------
Nome: Diagnosi Boot Manager
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Diagnosi registro di avvio sistema
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Diagnosi registro eventi
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 94 ms

Test eseguito:
---------------------------
Nome: Controllo stato interno
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 31 ms

Causa radice rilevata:
---------------------------
Strumento di ripristino all'avvio: impossibile determinare la causa del problema nonostante numerosi tentativi.

---------------------------
---------------------------
Dettagli sessione
---------------------------
Disco di sistema = \Device\Harddisk0
Directory Windows = D:\Windows
Controllo automatico = 0
Numero di cause radice = 1

Test eseguito:
---------------------------
Nome: Controlla aggiornamenti
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 16 ms

Test eseguito:
---------------------------
Nome: Test disco di sistema
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 15 ms

Test eseguito:
---------------------------
Nome: Diagnosi di errore disco
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Test metadati disco
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 16 ms

Test eseguito:
---------------------------
Nome: Test sistema operativo di destinazione
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 47 ms

Test eseguito:
---------------------------
Nome: Controllo contenuto volume
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 202 ms

Test eseguito:
---------------------------
Nome: Diagnosi Boot Manager
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Diagnosi registro di avvio sistema
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 16 ms

Test eseguito:
---------------------------
Nome: Diagnosi registro eventi
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 78 ms

Test eseguito:
---------------------------
Nome: Controllo stato interno
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 31 ms

Causa radice rilevata:
---------------------------
Strumento di ripristino all'avvio: impossibile determinare la causa del problema nonostante numerosi tentativi.

---------------------------
---------------------------
Dettagli sessione
---------------------------
Disco di sistema = \Device\Harddisk0
Directory Windows = D:\Windows
Controllo automatico = 0
Numero di cause radice = 1

Test eseguito:
---------------------------
Nome: Controlla aggiornamenti
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Test disco di sistema
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 15 ms

Test eseguito:
---------------------------
Nome: Diagnosi di errore disco
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Test metadati disco
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 16 ms

Test eseguito:
---------------------------
Nome: Test sistema operativo di destinazione
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 47 ms

Test eseguito:
---------------------------
Nome: Controllo contenuto volume
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 203 ms

Test eseguito:
---------------------------
Nome: Diagnosi Boot Manager
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Diagnosi registro di avvio sistema
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 0 ms

Test eseguito:
---------------------------
Nome: Diagnosi registro eventi
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 78 ms

Test eseguito:
---------------------------
Nome: Controllo stato interno
Risultato: Completato. Codice di errore = 0x0
Tempo impiegato = 31 ms

Causa radice rilevata:
---------------------------
Strumento di ripristino all'avvio: impossibile determinare la causa del problema nonostante numerosi tentativi.

---------------------------
---------------------------

3. OTL files (please see attached)

Attached File: 01042012_002435.log (181.88KB)

Attached File: 01042012_065003.log (5.86KB)

Edited by emeraldire, 05 January 2012 - 01:57 PM.

#29
emeraldire
I am not sure if it will help or not, but here are the two ComboFix logs from the two odd runs yesterday morning that I referenced earlier in this thread:

1. 1st run ComboFix.log at 12:26am CST (1/4/12)
ComboFix 12-01-03.08 - Wood 01/03/2012 23:15:24.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1040.18.8184.6714 [GMT -6:00]
Running from: c:\users\Wood\Desktop\ComboFix.exe
Command switches used :: c:\users\Wood\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Wood\AppData\Local\6e42i75q6s6w248232dl442y68g6x06i07owh"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Wood\AppData\Local\6e42i75q6s6w248232dl442y68g6x06i07owh
c:\users\Wood\AppData\Roaming\BGG55sQJ6dE8f
c:\users\Wood\AppData\Roaming\IqqhhYXXwkUelBt
c:\users\Wood\AppData\Roaming\IZZ9hTTXwjCeIBz
c:\users\Wood\AppData\Roaming\IZZ9hTTXwjCeIBz\AV Security 2012.ico
c:\users\Wood\AppData\Roaming\JhhhTXqqjUCk
c:\users\Wood\AppData\Roaming\q222iibD3
c:\users\Wood\AppData\Roaming\RwkkUUVelOBtP0
c:\users\Wood\AppData\Roaming\uWWKK7fRRLgTXjC
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 05:18 . 2012-01-04 05:18 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-04 05:18 . 2012-01-04 05:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 22:49 . 2012-01-02 22:49 -------- d-----w- c:\windows\system32\appmgmt
2012-01-02 09:18 . 2012-01-02 09:18 -------- d-----w- C:\_OTL
2011-12-23 06:38 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-23 06:38 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-23 06:38 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-23 06:38 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-23 06:38 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-23 06:38 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-23 06:38 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-17 09:55 . 2011-12-17 09:55 -------- d-----we c:\windows\system64
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 19:53 . 2011-11-18 19:53 37693341 ----a-w- C:\RehearsalDinner_2.zip
2011-11-16 00:06 . 2011-06-17 03:06 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-07 04:16 . 2011-11-15 22:48 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{655AA80F-46AC-4264-BEFD-21F5DCB6AC34}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Wood\AppData\Roaming\5C2DE ----
.
2011-11-17 08:19 . 2011-11-20 00:50 7473 ----a-w- c:\users\Wood\AppData\Roaming\5C2DE\E1E7.C2D
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-02_08.36.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-01-02 08:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-04 05:24 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:36 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 05:24 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 05:24 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-30 13:25 . 2012-01-04 04:57 32346 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 04:57 31556 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-30 12:31 . 2012-01-04 04:56 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 22:16 . 2012-01-04 04:56 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 04:56 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:10 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-30 13:25 . 2012-01-04 04:57 32346 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 04:57 31556 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-09-30 12:31 . 2012-01-02 08:10 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-30 12:31 . 2012-01-04 04:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 22:16 . 2012-01-04 04:56 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 04:56 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:10 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-29 22:30 . 2012-01-04 04:57 8392 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1768621638-534525770-3004020928-1000_UserData.bin
+ 2010-09-29 22:30 . 2012-01-04 04:57 8392 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1768621638-534525770-3004020928-1000_UserData.bin
+ 2012-01-04 05:20 . 2012-01-04 05:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-02 08:36 . 2012-01-02 08:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-04 05:20 . 2012-01-04 05:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-02 08:36 . 2012-01-02 08:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 10:53 . 2012-01-04 05:00 701408 c:\windows\system64\perfh010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 701408 c:\windows\system64\perfh010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:00 628308 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 628308 c:\windows\system64\perfh009.dat
+ 2009-07-14 10:53 . 2012-01-04 05:00 128626 c:\windows\system64\perfc010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 128626 c:\windows\system64\perfc010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:00 107870 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 107870 c:\windows\system64\perfc009.dat
+ 2009-07-14 10:53 . 2012-01-04 05:00 701408 c:\windows\system32\perfh010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 701408 c:\windows\system32\perfh010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:00 628308 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 628308 c:\windows\system32\perfh009.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 128626 c:\windows\system32\perfc010.dat
+ 2009-07-14 10:53 . 2012-01-04 05:00 128626 c:\windows\system32\perfc010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:00 107870 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 107870 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-01-02 08:35 394064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-04 05:18 394064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-04 04:49 . 2012-01-04 05:18 3654596 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1768621638-534525770-3004020928-1000-8192.dat
+ 2011-05-11 08:17 . 2012-01-04 05:18 32084454 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1768621638-534525770-3004020928-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Turbo Key"="c:\program files (x86)\ASUS\Turbo Key\TurboKey.exe" [2009-11-24 1874432]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\users\Wood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Online plug-in.lnk - c:\windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-1-9 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
R3 cpuz130;cpuz130;c:\users\Wood\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NVIDIAHWAccess;NVIDIAHWAccess;c:\users\Wood\AppData\Roaming\NVIDIA\HWAccess.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub; [x]
S1 aswSP;aswSP; [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-11-06 122880]
S2 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2010-03-12 136544]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-08-19 90112]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S3 AODDriver;AODDriver;c:\program files (x86)\AMD\OverDrive\amd64\AODDriver.sys [2010-03-12 52280]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 RTL8167;Driver Realtek 8167 NT;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Citrix\ICA Client\ssonsvr.exe
c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
.
**************************************************************************
.
Completion time: 2012-01-03 23:26:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 05:26
ComboFix2.txt 2012-01-02 08:40
.
Pre-Run: 382,849,888,256 bytes free
Post-Run: 382,742,384,640 bytes free
.
- - End Of File - - 649F2C28D0C5E8F4A102DC6B6C0B0B4C


2. Second ComboFix.log file from second attempt:

ComboFix 12-01-03.08 - Wood 01/03/2012 23:51:58.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1040.18.8184.6710 [GMT -6:00]
Running from: c:\users\Wood\Desktop\ComboFix.exe
Command switches used :: c:\users\Wood\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Wood\AppData\Local\6e42i75q6s6w248232dl442y68g6x06i07owh"
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 05:55 . 2012-01-04 05:55 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-04 05:55 . 2012-01-04 05:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 22:49 . 2012-01-02 22:49 -------- d-----w- c:\windows\system32\appmgmt
2012-01-02 09:18 . 2012-01-02 09:18 -------- d-----w- C:\_OTL
2011-12-23 06:38 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-23 06:38 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-23 06:38 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-23 06:38 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-23 06:38 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-23 06:38 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-23 06:38 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-17 09:55 . 2011-12-17 09:55 -------- d-----we c:\windows\system64
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 19:53 . 2011-11-18 19:53 37693341 ----a-w- C:\RehearsalDinner_2.zip
2011-11-16 00:06 . 2011-06-17 03:06 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-07 04:16 . 2011-11-15 22:48 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{655AA80F-46AC-4264-BEFD-21F5DCB6AC34}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Wood\AppData\Roaming\5C2DE ----
.
2011-11-17 08:19 . 2011-11-20 00:50 7473 ----a-w- c:\users\Wood\AppData\Roaming\5C2DE\E1E7.C2D
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-02_08.36.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-01-02 08:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-04 06:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:36 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 06:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 06:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-30 13:25 . 2012-01-04 05:48 32576 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 05:48 31624 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-09-30 12:31 . 2012-01-04 04:56 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 22:16 . 2012-01-04 04:56 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 04:56 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:10 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-30 13:25 . 2012-01-04 05:48 32576 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 05:48 31624 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-09-30 12:31 . 2012-01-02 08:10 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-30 12:31 . 2012-01-04 04:56 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 22:16 . 2012-01-04 04:56 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-30 12:31 . 2012-01-02 08:10 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 04:56 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-02 08:10 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-29 22:30 . 2012-01-04 05:48 8448 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1768621638-534525770-3004020928-1000_UserData.bin
+ 2010-09-29 22:30 . 2012-01-04 05:48 8448 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1768621638-534525770-3004020928-1000_UserData.bin
+ 2012-01-04 05:56 . 2012-01-04 05:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-02 08:36 . 2012-01-02 08:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-04 05:56 . 2012-01-04 05:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-02 08:36 . 2012-01-02 08:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 701408 c:\windows\system64\perfh010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 701408 c:\windows\system64\perfh010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 628308 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 628308 c:\windows\system64\perfh009.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 128626 c:\windows\system64\perfc010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 128626 c:\windows\system64\perfc010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 107870 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 107870 c:\windows\system64\perfc009.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 701408 c:\windows\system32\perfh010.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 701408 c:\windows\system32\perfh010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 628308 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 628308 c:\windows\system32\perfh009.dat
- 2009-07-14 10:53 . 2011-12-28 06:14 128626 c:\windows\system32\perfc010.dat
+ 2009-07-14 10:53 . 2012-01-04 05:50 128626 c:\windows\system32\perfc010.dat
+ 2009-07-14 02:36 . 2012-01-04 05:50 107870 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-12-28 06:14 107870 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-01-02 08:35 394064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-04 05:55 394064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-04 04:49 . 2012-01-04 05:55 3654596 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1768621638-534525770-3004020928-1000-8192.dat
+ 2011-05-11 08:17 . 2012-01-04 05:18 32084454 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1768621638-534525770-3004020928-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Turbo Key"="c:\program files (x86)\ASUS\Turbo Key\TurboKey.exe" [2009-11-24 1874432]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\users\Wood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Online plug-in.lnk - c:\windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-1-9 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
R3 cpuz130;cpuz130;c:\users\Wood\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NVIDIAHWAccess;NVIDIAHWAccess;c:\users\Wood\AppData\Roaming\NVIDIA\HWAccess.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub; [x]
S1 aswSP;aswSP; [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-11-06 122880]
S2 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2010-03-12 136544]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-08-19 90112]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S3 AODDriver;AODDriver;c:\program files (x86)\AMD\OverDrive\amd64\AODDriver.sys [2010-03-12 52280]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 RTL8167;Driver Realtek 8167 NT;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Citrix\ICA Client\ssonsvr.exe
c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
.
**************************************************************************
.
Completion time: 2012-01-04 00:03:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 06:03
ComboFix2.txt 2012-01-02 08:40
.
Pre-Run: 382,851,571,712 bytes free
Post-Run: 382,742,810,624 bytes free
.
- - End Of File - - 2196D6DE499C1A939BA105E7BEF18A03

#30 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)

Hello

I think I understand what happened.
First of all, there is some confusion between my replies and yours.
Please follow my instructions in the order in which they are given and don't post back until you have finished all of them.
Then post all the logs and information required in a single post.


"Given this, should I start preparing to restore from the OS disks as well?"

I don't think this will be needed.

Next:

Open OTL as before.
Press the None button
Paste this under Custom Scans\Fixes:

D:\_OTL\MovedFiles\01042012_002435\D_Windows\*.* /s

Press Run Scan
Post the log here