Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

SMART Repair virus and debris cleanup [Closed]


  • This topic is locked This topic is locked

#31
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
A couple of items…(1) Just because I used my wife’s work computer to respond after this mishap occurred does NOT mean that I can (or am willing to) download applications to her computer that write executables to a USB drive that I can then run from my home computer. That’s not gonna happen.

(2) I note that one of your WintoBootic screenshots shows a step described as “Drive Formatted”. I’m not sure which drive this pertains to, but I’m not crazy about reformatting any drives that currently have content that I would like to retain. I think that your instructions need to be more specific. I am not going to blindly follow your instructions anymore. You need to tell me what it is that you are having me do with each step.

Now, since I last wrote to you, I have been able to get the “sick” computer booted into “Safe Mode with Networking”, so that I have internet access and could run programs from a command line. If you can revise your instructions so that I can do this entirely from within the affected computer, that would be a better option. And please be specific with what I am doing (AND WHY) with each step.
  • 0

Advertisements


#32
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
The Microsoft tool would not cause the problem you are experiencing with your system. All tools we use are guaranteed to be safe on a system.

If your computer can't do anything then I need another computer to download tools on or we wouldn't be able get anywhere.
The WiNToBoot program would format a flash drive that you inserted.


Step 1

Download ComboFix from one of these locations and set the Save as type to All Files before saving it.

Link 1
Link 2
Link 3


IMPORTANT !!! You need to Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

When finished, it shall produce a log for you. Please copy & paste the contents of this log at C:\ComboFix.txt in your next reply.


Step 2

How did you manage do get into Safe Mode with Networking?


Things I want to see in your next reply

  • ComboFix.txt
  • Answer to my question

  • 0

#33
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I downloaded and ran Combofix.exe. Unfortunately, I wasn’t able to completely disable my McAfee scans as the bleepingcomputer directions are for Version 7.1 and I have Version 11. When I started Combofix, it gave me a message that my McAfee tools had not been disabled, but it ran anyway, not giving me the option to discontinue. Combofix never gave me any indication that it was downloading or accessing the MSWin Recovery Console and I never saw the final two MSWin Recovery Console message windows in your instructions.

Before the Combofix finished running, the system rebooted (I don’t know if this was by design or not), but as before, it could not restart, again giving me the option of restarting normally (could not) or running Startup Repair. So I clicked on Startup Repair again. When it finished (close to 30 minutes), I looked at the detailed repair log. Once again, all the tests that it ran performed successfully, but this time the root cause was identified differently:

Unknown Bugcheck:Bugcheck a. Parameters = 0x20000009, 0x2, 0x1
0xfffff8000347d4b5.
Repair action: System files integrity check and repair
Result: Failed. Error code = 0x490

Once I got this result, I was able to Shut Down the computer through a Startup Repair window (as I did before). Upon subsequent Power On, I used the F8 button to get into Safe Mode with Networking. This is how I did that before as well, but didn’t recall how to do it until after I had written to you.

When the computer came up in Safe Mode, it was still showing a Combofix window indicating that it was preparing the log file. It finished the log file, which is attached. The desktop also has an xbootmgr.log file from Friday night when the error occurred. There’s not very much to it, but I am including it here as well.

Finally, 2 .etl files also showed up on my desktop after I ran the Combofix program. They are both time stamped from tonight and have the filenames

boot_BASE+CSWITCH+DRIVERS+POWER_1_um_premerge.etl
boot_BASE+CSWITCH+DRIVERS+POWER_1_km_premerge.etl

Odd that they showed up now. What now?

xbootmgr.log:

[2012/06/29-22:22:54.093] Detected Win7RTM physical (ReadyBoot) prefetcher; the SysMain service is auto-started.
[2012/06/29-22:22:54.153] Registering for auto-run with a 120000 msec delay...
[2012/06/29-22:22:54.153] Completed auto-run change.
[2012/06/29-22:22:54.193] Starting trace...
[2012/06/29-22:22:59.328] Enabled boot logging to 'C:\Users\Bill\Desktop\boot_BASE+CSWITCH+DRIVERS+POWER_1_km_premerge.etl'
[2012/06/29-23:59:36.952] Detected Win7RTM physical (ReadyBoot) prefetcher; the SysMain service is auto-started.
[2012/06/29-23:59:36.968] Registering for auto-run with a 120000 msec delay...
[2012/06/29-23:59:36.968] Completed auto-run change.
[2012/06/29-23:59:36.983] Starting trace...
[2012/06/29-23:59:39.744] Enabled boot logging to 'C:\Users\Bill\Desktop\boot_BASE+CSWITCH+DRIVERS+POWER_1_km_premerge.etl'


Combofix.txt:

ComboFix 12-07-01.03 - Bill 07/01/2012 19:38:52.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2936 [GMT -4:00]
Running from: c:\users\Bill\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Bill\429073_intl_x64_zip.exe
c:\users\Bill\429348_intl_x64_zip.exe
c:\users\Bill\433314_intl_x64_zip.exe
c:\users\Bill\g2mdlhlpx.exe
c:\windows\SysWow64\UNWISE.EXE
.
.
((((((((((((((((((((((((( Files Created from 2012-06-02 to 2012-07-02 )))))))))))))))))))))))))))))))
.
.
2012-06-27 01:18 . 2012-06-27 01:18 -------- d-----w- c:\program files (x86)\Ask.com
2012-06-27 01:08 . 2012-06-27 01:08 -------- d-----w- c:\programdata\Ask
2012-06-27 01:07 . 2012-06-27 01:07 -------- d-----w- c:\program files (x86)\Oracle
2012-06-26 01:08 . 2012-06-26 01:11 -------- d-----w- c:\users\Bill\Autoruns
2012-06-25 06:18 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-06-25 06:17 . 2011-05-23 05:33 1743360 ----a-w- c:\windows\system32\sysmain.dll
2012-06-25 06:17 . 2011-05-23 05:32 213888 ----a-w- c:\windows\system32\drivers\rdyboost.sys
2012-06-25 06:15 . 2011-03-01 08:07 27648 ----a-w- c:\windows\system32\svchost.exe
2012-06-25 06:15 . 2011-03-01 08:05 21504 ----a-w- c:\windows\SysWow64\svchost.exe
2012-06-25 04:32 . 2012-06-25 04:33 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2012-06-25 04:21 . 2012-06-25 04:21 -------- d-----w- c:\program files\Debugging Tools for Windows (x64)
2012-06-25 04:19 . 2012-06-25 04:19 -------- d-----w- c:\program files\Microsoft SDKs
2012-06-25 02:49 . 2012-06-25 02:49 -------- d-----w- c:\windows\system32\SPReview
2012-06-25 02:32 . 2012-06-25 02:32 -------- d-----w- c:\windows\system32\EventProviders
2012-06-21 10:55 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 10:55 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 10:55 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 10:55 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 10:54 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 10:54 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 10:54 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 10:54 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 10:54 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 14:24 . 2012-06-20 14:25 -------- d-----w- c:\users\Bill\AppData\Local\Amazon
2012-06-13 23:37 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-11 15:54 . 2012-06-19 15:59 -------- d-----w- c:\users\Bill\OTL Log Output
2012-06-11 15:53 . 2012-06-11 15:53 -------- d-----w- c:\users\Bill\RogueKiller Log Output
2012-06-11 15:52 . 2012-06-11 15:52 -------- d-----w- c:\users\Bill\TDSKiller Log Output
2012-06-09 20:33 . 2011-12-26 19:33 284672 ----a-w- c:\windows\system32\PuranDC.exe
2012-06-09 20:33 . 2011-12-26 19:33 130048 ----a-w- c:\windows\system32\PuranDefragBT.exe
2012-06-09 20:33 . 2011-12-26 17:51 253952 ----a-w- c:\windows\system32\PuranDefrag.dll
2012-06-09 20:33 . 2012-06-09 20:33 -------- d-----w- c:\program files\Puran Defrag
2012-06-09 20:33 . 2011-12-26 19:33 1363968 ----a-w- c:\windows\system32\PuranFD.exe
2012-06-09 20:33 . 2011-12-26 19:33 289792 ----a-w- c:\windows\system32\PuranDefragS.exe
2012-06-06 13:30 . 2012-06-06 13:30 -------- d-----w- c:\program files (x86)\ESET
2012-06-06 13:30 . 2012-06-06 13:30 -------- d--h--w- c:\windows\AxInstSV
2012-06-03 23:28 . 2012-06-03 23:28 -------- d-----w- c:\users\Bill\AppData\Roaming\Malwarebytes
2012-06-03 23:28 . 2012-06-03 23:28 -------- d-----w- c:\programdata\Malwarebytes
2012-06-03 23:28 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-03 23:28 . 2012-06-11 15:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-03 23:19 . 2012-06-03 23:19 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-06-03 23:17 . 2012-05-04 23:29 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 03:03 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-06-25 03:03 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-06-25 01:11 . 2012-04-11 11:37 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-25 01:11 . 2011-06-27 03:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-11 15:14 . 2012-05-26 03:00 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-05-04 23:29 . 2010-05-26 01:55 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-05-04 19:43 1519272 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-05-04 1561768]
.
c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2006-12-13 65024]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2011-03-01 27648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-03-17 517632]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010-06-24 394544]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-07-20 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-07-20 185640]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-09-26 233984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-28 51760]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X64.sys [2010-05-25 31280]
R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2010-06-24 22584]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 220672]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-23 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-12-26 289792]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2012-03-20 162192]
S2 ServicepointService;ServicepointService;c:\program files (x86)\Verizon\VSP\ServicepointService.exe [2011-01-10 689464]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XBootMgrLaunch"="c:\program files\Microsoft Windows Performance Toolkit\xbootmgrSleep.exe" [2009-06-11 25896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://verizon.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ESET Online Scanner - c:\program files (x86)\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
AddRemove-Hardlock Device Drivers - c:\windows\system32\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-01 20:32:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-02 00:32
.
Pre-Run: 2,161,344,512 bytes free
Post-Run: 2,556,682,240 bytes free
.
- - End Of File - - 49DDE445CAA28CCB46B3AD953F716605
  • 0

#34
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
ComboFix will not notify you of the Recovery Console in Windows 7.


Step 1

To disable Mcafee:

  • Double-click the taskbar icon to open Security Center.
  • Click Virus and Spyware Protection.
  • Click Real-Time Scanning.
  • Turn off and tell it for how long you wish it to remain that way.

Step 2

Please uninstall the following program via Control Panel > Uninstall a Program (if present):

  • Ask Toolbar
The toolbar comes bundled with many third party applications and uses aggresive advertising (see here).


Step 3

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
C:\program files (x86)\Ask.com
C:\programdata\Ask 
 
Registry:: 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 4

  • Click Start.
  • Select All Programs.
  • Select Accessories.
  • Right click Command Prompt and select Run as Administrator.
  • Type in the black box sfc /scannow and press Enter.
  • Once done reboot and let me know of the result
.
Can you now boot into Normal Mode properly?


Things I want to see in your next reply

  • ComboFix.txt
  • Answer to my question

  • 0

#35
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
More problems...

I disabled McAfee Realtime Scanning via the recommended procedure.

I was unable to uninstall the Ask Toolbar. I got a message stating that "Windows Installer service could not be accessed. This an occur if Windows Installer is not correctly installed."

I ran the CFScript in Combofix. Even though I had disabled McAfee Realtime Scanning, Combofix came back and was still identifying McAfee Anti-Virus and McAfee Anti-Spyware as active. I checked in the Security Center and both Realtime and Scheduled Scanning showed as OFF.

I continued with Combofix anyway. Once again, after it reached Stage 50, the computer rebooted and would not start normally, so I had to run Startup Repair again and Shut Down after it completed. I then Powered On, using the F8 key to get into Safe Mode with Networking. Once again, the Combofix screen was there, stating that it was preparing the Log file. Once it finished the logfile (about 5 minutes), I went ahead with the sfc /scannow from the command line. Verification ran completely and “Windows Resource Protection did not find any integrity violations.”

The system still does not boot properly in Normal mode.

Here is the combofix.txt log:

ComboFix 12-07-01.03 - Bill 07/02/2012 17:58:32.2.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2831 [GMT -4:00]
Running from: c:\users\Bill\Desktop\ComboFix.exe
Command switches used :: c:\users\Bill\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-02 to 2012-07-02 )))))))))))))))))))))))))))))))
.
.
2012-07-02 22:12 . 2012-07-02 22:12 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-07-02 22:12 . 2012-07-02 22:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-27 01:18 . 2012-06-27 01:18 -------- d-----w- c:\program files (x86)\Ask.com
2012-06-27 01:08 . 2012-06-27 01:08 -------- d-----w- c:\programdata\Ask
2012-06-27 01:07 . 2012-06-27 01:07 -------- d-----w- c:\program files (x86)\Oracle
2012-06-26 01:08 . 2012-06-26 01:11 -------- d-----w- c:\users\Bill\Autoruns
2012-06-25 06:18 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-06-25 06:17 . 2011-05-23 05:33 1743360 ----a-w- c:\windows\system32\sysmain.dll
2012-06-25 06:17 . 2011-05-23 05:32 213888 ----a-w- c:\windows\system32\drivers\rdyboost.sys
2012-06-25 06:15 . 2011-03-01 08:07 27648 ----a-w- c:\windows\system32\svchost.exe
2012-06-25 06:15 . 2011-03-01 08:05 21504 ----a-w- c:\windows\SysWow64\svchost.exe
2012-06-25 04:32 . 2012-06-25 04:33 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2012-06-25 04:21 . 2012-06-25 04:21 -------- d-----w- c:\program files\Debugging Tools for Windows (x64)
2012-06-25 04:19 . 2012-06-25 04:19 -------- d-----w- c:\program files\Microsoft SDKs
2012-06-25 02:49 . 2012-06-25 02:49 -------- d-----w- c:\windows\system32\SPReview
2012-06-25 02:32 . 2012-06-25 02:32 -------- d-----w- c:\windows\system32\EventProviders
2012-06-21 10:55 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 10:55 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 10:55 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 10:55 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 10:54 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 10:54 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 10:54 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 10:54 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 10:54 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 14:24 . 2012-06-20 14:25 -------- d-----w- c:\users\Bill\AppData\Local\Amazon
2012-06-13 23:37 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-11 15:54 . 2012-06-19 15:59 -------- d-----w- c:\users\Bill\OTL Log Output
2012-06-11 15:53 . 2012-06-11 15:53 -------- d-----w- c:\users\Bill\RogueKiller Log Output
2012-06-11 15:52 . 2012-06-11 15:52 -------- d-----w- c:\users\Bill\TDSKiller Log Output
2012-06-09 20:33 . 2011-12-26 19:33 284672 ----a-w- c:\windows\system32\PuranDC.exe
2012-06-09 20:33 . 2011-12-26 19:33 130048 ----a-w- c:\windows\system32\PuranDefragBT.exe
2012-06-09 20:33 . 2011-12-26 17:51 253952 ----a-w- c:\windows\system32\PuranDefrag.dll
2012-06-09 20:33 . 2012-06-09 20:33 -------- d-----w- c:\program files\Puran Defrag
2012-06-09 20:33 . 2011-12-26 19:33 1363968 ----a-w- c:\windows\system32\PuranFD.exe
2012-06-09 20:33 . 2011-12-26 19:33 289792 ----a-w- c:\windows\system32\PuranDefragS.exe
2012-06-06 13:30 . 2012-06-06 13:30 -------- d-----w- c:\program files (x86)\ESET
2012-06-06 13:30 . 2012-06-06 13:30 -------- d--h--w- c:\windows\AxInstSV
2012-06-03 23:28 . 2012-06-03 23:28 -------- d-----w- c:\users\Bill\AppData\Roaming\Malwarebytes
2012-06-03 23:28 . 2012-06-03 23:28 -------- d-----w- c:\programdata\Malwarebytes
2012-06-03 23:28 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-03 23:28 . 2012-06-11 15:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-03 23:19 . 2012-06-03 23:19 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-06-03 23:17 . 2012-05-04 23:29 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 03:03 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-06-25 03:03 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-06-25 01:11 . 2012-04-11 11:37 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-25 01:11 . 2011-06-27 03:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-11 15:14 . 2012-05-26 03:00 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-05-04 23:29 . 2010-05-26 01:55 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.24.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-06-30 06:45 . 2012-07-01 23:56 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-06-30 06:45 . 2012-07-02 22:14 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-02 22:38 . 2012-07-02 22:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-02 22:38 . 2012-07-02 22:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:34 . 2012-07-03 02:25 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2012-07-02 04:07 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2006-12-13 65024]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2011-03-01 27648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-03-17 517632]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010-06-24 394544]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-07-20 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-07-20 185640]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-09-26 233984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-28 51760]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X64.sys [2010-05-25 31280]
R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2010-06-24 22584]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 220672]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-23 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-12-26 289792]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2012-03-20 162192]
S2 ServicepointService;ServicepointService;c:\program files (x86)\Verizon\VSP\ServicepointService.exe [2011-01-10 689464]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XBootMgrLaunch"="c:\program files\Microsoft Windows Performance Toolkit\xbootmgrSleep.exe" [2009-06-11 25896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://verizon.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-02 18:46:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-02 22:46
.
Pre-Run: 1,950,162,944 bytes free
Post-Run: 2,824,134,656 bytes free
.
- - End Of File - - 4E9DE1547947BCE5377FB74AED4E3B2F
  • 0

#36
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Anything????
  • 0

#37
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Can you boot into Normal Mode after running the following fix?

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XBootMgrLaunch"=-


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Things I want to see in your next reply

  • Answer to my question
  • ComboFix.txt

  • 0

#38
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Well, the short answer is no, I still can’t boot into Normal Mode. But I have some additional info:

I ran the Combofix script twice this afternoon, because…

During the first restart, I observed a blue screen, which stayed up for about 5 seconds before the system continued to the “Normal Restart/Startup Repair” screen. I also received a subsequent error message identifying the event:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1000007e
BCP1: FFFFFFFFC0000005
BCP2: FFFFF800035849B7
BCP3: FFFFF880031BCDE8
BCP4: FFFFF880031BC640
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\070712-64756-01.dmp
C:\Users\Bill\AppData\Local\Temp\WER-114816-0.sysdata.xml

I also noticed (before the screen went away) that it said something about the C drive possibly not having enough free space to complete the restart. I have not seen the bluescreen before (although I have sometimes left the room while Combofix was running) and I have NEVER seen the error message before. However, the Windows/Minidump directory did have 4 other *.dmp files dating back to 6/29, when I first encountered the Restart problem. Oddly, the Users\Bill\AppData\Local\Temp directory has no *.xml files, only ~****.TMP files.

I waited through another Startup Repair, where once again, no tests failed but this time the Root Cause identified was “A recent driver installation may be preventing the system from starting”. I was able to Shut Down and then get back into Safe Mode. I deleted some files off the C drive, leaving about 11 GB free.

Then I went through the Combofix process again, hoping that freeing up space on the C drive had helped. It did not. The second time through, the Startup Repair results showed the Root Cause of Startup failure as “Unknown BugCheck: BugCheck 1e, Parameters = 0x0, 0x0, 0x0, 0x0”. I did not see a blue screen during the second Combofix restart. I am posting both combofix.txt logs below.

One thing about the Combofix process is still bothering me -- Although I continue to disable Realtime and Scheduled processing (as well as Firewall and Anti-Spam) through the McAfee Security Center prior to each Combofix run, Combofix still flags McAfee Anti-Virus and Anti-Spyware as running. I know that I have mentioned this to you before, so I take it that you are not concerned about any potential conflict. Please let me know if you think this is having any effect on the Combofix runs.

Anyway, as you can guess, I am getting tired of having to run in Safe Mode, but at least I still have that. Let me know if the blue screen “wrinkle” adds any more to the answer or gives you an “Ah ha!” moment.

Here are the Combofix logs:

First (7/7/12, ~4 PM)

ComboFix 12-07-01.03 - Bill 07/07/2012 15:13:38.3.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2855 [GMT -4:00]
Running from: c:\users\Bill\Desktop\ComboFix.exe
Command switches used :: c:\users\Bill\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 19:27 . 2012-07-07 19:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-07-07 19:27 . 2012-07-07 19:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-27 01:18 . 2012-06-27 01:18 -------- d-----w- c:\program files (x86)\Ask.com
2012-06-27 01:08 . 2012-06-27 01:08 -------- d-----w- c:\programdata\Ask
2012-06-27 01:07 . 2012-06-27 01:07 -------- d-----w- c:\program files (x86)\Oracle
2012-06-26 01:08 . 2012-06-26 01:11 -------- d-----w- c:\users\Bill\Autoruns
2012-06-25 06:18 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-06-25 06:17 . 2011-05-23 05:33 1743360 ----a-w- c:\windows\system32\sysmain.dll
2012-06-25 06:17 . 2011-05-23 05:32 213888 ----a-w- c:\windows\system32\drivers\rdyboost.sys
2012-06-25 06:15 . 2011-03-01 08:07 27648 ----a-w- c:\windows\system32\svchost.exe
2012-06-25 06:15 . 2011-03-01 08:05 21504 ----a-w- c:\windows\SysWow64\svchost.exe
2012-06-25 04:32 . 2012-06-25 04:33 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2012-06-25 04:21 . 2012-06-25 04:21 -------- d-----w- c:\program files\Debugging Tools for Windows (x64)
2012-06-25 04:19 . 2012-06-25 04:19 -------- d-----w- c:\program files\Microsoft SDKs
2012-06-25 02:49 . 2012-06-25 02:49 -------- d-----w- c:\windows\system32\SPReview
2012-06-25 02:32 . 2012-06-25 02:32 -------- d-----w- c:\windows\system32\EventProviders
2012-06-21 10:55 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 10:55 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 10:55 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 10:55 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 10:54 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 10:54 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 10:54 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 10:54 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 10:54 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 14:24 . 2012-06-20 14:25 -------- d-----w- c:\users\Bill\AppData\Local\Amazon
2012-06-13 23:37 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-11 15:54 . 2012-06-19 15:59 -------- d-----w- c:\users\Bill\OTL Log Output
2012-06-11 15:53 . 2012-06-11 15:53 -------- d-----w- c:\users\Bill\RogueKiller Log Output
2012-06-11 15:52 . 2012-06-11 15:52 -------- d-----w- c:\users\Bill\TDSKiller Log Output
2012-06-09 20:33 . 2011-12-26 19:33 284672 ----a-w- c:\windows\system32\PuranDC.exe
2012-06-09 20:33 . 2011-12-26 19:33 130048 ----a-w- c:\windows\system32\PuranDefragBT.exe
2012-06-09 20:33 . 2011-12-26 17:51 253952 ----a-w- c:\windows\system32\PuranDefrag.dll
2012-06-09 20:33 . 2012-06-09 20:33 -------- d-----w- c:\program files\Puran Defrag
2012-06-09 20:33 . 2011-12-26 19:33 1363968 ----a-w- c:\windows\system32\PuranFD.exe
2012-06-09 20:33 . 2011-12-26 19:33 289792 ----a-w- c:\windows\system32\PuranDefragS.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 03:03 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-06-25 03:03 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-06-25 01:11 . 2012-04-11 11:37 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-25 01:11 . 2011-06-27 03:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-11 15:14 . 2012-05-26 03:00 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-05-04 23:29 . 2012-06-03 23:17 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-04 23:29 . 2010-05-26 01:55 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.24.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-06-30 06:45 . 2012-07-01 23:56 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-06-30 06:45 . 2012-07-07 19:28 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-07 19:55 . 2012-07-07 19:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-07 19:55 . 2012-07-07 19:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-07-07 18:31 721550 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-07 18:31 142382 c:\windows\system32\perfc009.dat
- 2009-07-14 02:34 . 2012-07-02 04:07 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-07-07 23:40 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2006-12-13 65024]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2011-03-01 27648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-03-17 517632]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010-06-24 394544]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-07-20 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-07-20 185640]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-09-26 233984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-28 51760]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X64.sys [2010-05-25 31280]
R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2010-06-24 22584]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 220672]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-23 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-12-26 289792]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2012-03-20 162192]
S2 ServicepointService;ServicepointService;c:\program files (x86)\Verizon\VSP\ServicepointService.exe [2011-01-10 689464]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XBootMgrLaunch"="c:\program files\Microsoft Windows Performance Toolkit\xbootmgrSleep.exe" [2009-06-11 25896]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://verizon.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-07 16:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 20:03
ComboFix2.txt 2012-07-02 22:46
.
Pre-Run: 1,902,759,936 bytes free
Post-Run: 2,345,500,672 bytes free
.
- - End Of File - - 485869162CA68F89CC02C0CFE3111EF7


Second (7/7/12, ~645 PM)

ComboFix 12-07-01.03 - Bill 07/07/2012 17:59:05.4.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2864 [GMT -4:00]
Running from: c:\users\Bill\Desktop\ComboFix.exe
Command switches used :: c:\users\Bill\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 22:13 . 2012-07-07 22:13 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-07-07 22:13 . 2012-07-07 22:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-27 01:18 . 2012-06-27 01:18 -------- d-----w- c:\program files (x86)\Ask.com
2012-06-27 01:08 . 2012-06-27 01:08 -------- d-----w- c:\programdata\Ask
2012-06-27 01:07 . 2012-06-27 01:07 -------- d-----w- c:\program files (x86)\Oracle
2012-06-26 01:08 . 2012-06-26 01:11 -------- d-----w- c:\users\Bill\Autoruns
2012-06-25 06:18 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-06-25 06:17 . 2011-05-23 05:33 1743360 ----a-w- c:\windows\system32\sysmain.dll
2012-06-25 06:17 . 2011-05-23 05:32 213888 ----a-w- c:\windows\system32\drivers\rdyboost.sys
2012-06-25 06:15 . 2011-03-01 08:07 27648 ----a-w- c:\windows\system32\svchost.exe
2012-06-25 06:15 . 2011-03-01 08:05 21504 ----a-w- c:\windows\SysWow64\svchost.exe
2012-06-25 04:32 . 2012-06-25 04:33 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2012-06-25 04:21 . 2012-06-25 04:21 -------- d-----w- c:\program files\Debugging Tools for Windows (x64)
2012-06-25 04:19 . 2012-06-25 04:19 -------- d-----w- c:\program files\Microsoft SDKs
2012-06-25 02:49 . 2012-06-25 02:49 -------- d-----w- c:\windows\system32\SPReview
2012-06-25 02:32 . 2012-06-25 02:32 -------- d-----w- c:\windows\system32\EventProviders
2012-06-21 10:55 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 10:55 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 10:55 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 10:55 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 10:54 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 10:54 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 10:54 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 10:54 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 10:54 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 14:24 . 2012-06-20 14:25 -------- d-----w- c:\users\Bill\AppData\Local\Amazon
2012-06-13 23:37 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-11 15:54 . 2012-06-19 15:59 -------- d-----w- c:\users\Bill\OTL Log Output
2012-06-11 15:53 . 2012-06-11 15:53 -------- d-----w- c:\users\Bill\RogueKiller Log Output
2012-06-11 15:52 . 2012-06-11 15:52 -------- d-----w- c:\users\Bill\TDSKiller Log Output
2012-06-09 20:33 . 2011-12-26 19:33 284672 ----a-w- c:\windows\system32\PuranDC.exe
2012-06-09 20:33 . 2011-12-26 19:33 130048 ----a-w- c:\windows\system32\PuranDefragBT.exe
2012-06-09 20:33 . 2011-12-26 17:51 253952 ----a-w- c:\windows\system32\PuranDefrag.dll
2012-06-09 20:33 . 2012-06-09 20:33 -------- d-----w- c:\program files\Puran Defrag
2012-06-09 20:33 . 2011-12-26 19:33 1363968 ----a-w- c:\windows\system32\PuranFD.exe
2012-06-09 20:33 . 2011-12-26 19:33 289792 ----a-w- c:\windows\system32\PuranDefragS.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 03:03 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-06-25 03:03 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-06-25 01:11 . 2012-04-11 11:37 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-25 01:11 . 2011-06-27 03:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-11 15:14 . 2012-05-26 03:00 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-05-04 23:29 . 2012-06-03 23:17 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-04 23:29 . 2010-05-26 01:55 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.24.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-06-30 06:45 . 2012-07-01 23:56 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-06-30 06:45 . 2012-07-07 22:14 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-07 22:40 . 2012-07-07 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-07 22:40 . 2012-07-07 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-07-07 21:50 721550 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-07 21:50 142382 c:\windows\system32\perfc009.dat
- 2009-07-14 02:34 . 2012-07-02 04:07 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-07-08 02:25 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2006-12-13 65024]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2011-03-01 27648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-03-17 517632]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010-06-24 394544]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-07-20 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-07-20 185640]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-09-26 233984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-28 51760]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X64.sys [2010-05-25 31280]
R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2010-06-24 22584]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 220672]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-23 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-12-26 289792]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2012-03-20 162192]
S2 ServicepointService;ServicepointService;c:\program files (x86)\Verizon\VSP\ServicepointService.exe [2011-01-10 689464]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://verizon.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-07 18:50:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 22:50
ComboFix2.txt 2012-07-02 22:46
.
Pre-Run: 13,463,834,624 bytes free
Post-Run: 13,083,426,816 bytes free
.
- - End Of File - - 4AF8DDB1C3BD7D7BE16786397D80F1C8
  • 0

#39
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
By the way, whenever I run Combofix, I get a message before it kicks off that there is a newer version available. I have been declining the update before I run. The version that I am running is 12.7.1.3. I got it last week at one of the sites that you suggested. Should I be running something newer? Does it matter?
  • 0

#40
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Run ComboFix again but allow it to update this time. This means the tool could catch any latest infections you may have picked up.
  • 0

Advertisements


#41
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Still no luck with booting into Normal mode. I let Combofix update to the latest version. It seemed to run a bit longer, but no other differences. There was no blue screen upon the Combofix restart this time, but it doesn't always occur anyway. The Combofix log output file is posted below.

ComboFix 12-07-10.01 - Bill 07/10/2012 17:44:59.6.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2887 [GMT -4:00]
Running from: c:\users\Bill\Desktop\ComboFix.exe
Command switches used :: c:\users\Bill\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
.
.
2012-07-10 21:59 . 2012-07-10 21:59 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-07-10 21:59 . 2012-07-10 21:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-27 01:18 . 2012-06-27 01:18 -------- d-----w- c:\program files (x86)\Ask.com
2012-06-27 01:08 . 2012-06-27 01:08 -------- d-----w- c:\programdata\Ask
2012-06-27 01:07 . 2012-06-27 01:07 -------- d-----w- c:\program files (x86)\Oracle
2012-06-26 01:08 . 2012-06-26 01:11 -------- d-----w- c:\users\Bill\Autoruns
2012-06-25 06:18 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-06-25 06:17 . 2011-05-23 05:33 1743360 ----a-w- c:\windows\system32\sysmain.dll
2012-06-25 06:17 . 2011-05-23 05:32 213888 ----a-w- c:\windows\system32\drivers\rdyboost.sys
2012-06-25 06:15 . 2011-03-01 08:07 27648 ----a-w- c:\windows\system32\svchost.exe
2012-06-25 06:15 . 2011-03-01 08:05 21504 ----a-w- c:\windows\SysWow64\svchost.exe
2012-06-25 04:32 . 2012-06-25 04:33 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2012-06-25 04:21 . 2012-06-25 04:21 -------- d-----w- c:\program files\Debugging Tools for Windows (x64)
2012-06-25 04:19 . 2012-06-25 04:19 -------- d-----w- c:\program files\Microsoft SDKs
2012-06-25 02:49 . 2012-06-25 02:49 -------- d-----w- c:\windows\system32\SPReview
2012-06-25 02:32 . 2012-06-25 02:32 -------- d-----w- c:\windows\system32\EventProviders
2012-06-21 10:55 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 10:55 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 10:55 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 10:55 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 10:54 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 10:54 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 10:54 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 10:54 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 10:54 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-20 14:24 . 2012-06-20 14:25 -------- d-----w- c:\users\Bill\AppData\Local\Amazon
2012-06-13 23:37 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-11 15:54 . 2012-06-19 15:59 -------- d-----w- c:\users\Bill\OTL Log Output
2012-06-11 15:53 . 2012-06-11 15:53 -------- d-----w- c:\users\Bill\RogueKiller Log Output
2012-06-11 15:52 . 2012-06-11 15:52 -------- d-----w- c:\users\Bill\TDSKiller Log Output
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 03:03 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-06-25 03:03 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-06-25 01:11 . 2012-04-11 11:37 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-25 01:11 . 2011-06-27 03:24 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-11 15:14 . 2012-05-26 03:00 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-05-04 23:29 . 2012-06-03 23:17 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-04 23:29 . 2010-05-26 01:55 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.24.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-06-30 06:45 . 2012-07-01 23:56 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-06-30 06:45 . 2012-07-10 22:00 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-10 22:36 . 2012-07-10 22:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-10 22:36 . 2012-07-10 22:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-02 00:23 . 2012-07-02 00:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-07-08 16:34 721550 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-08 16:34 142382 c:\windows\system32\perfc009.dat
- 2009-07-14 02:34 . 2012-07-02 04:07 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-07-11 02:12 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2006-12-13 65024]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2011-03-01 27648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-03-17 517632]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010-06-24 394544]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [2010-07-20 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [2010-07-20 185640]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 135664]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-09-26 233984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-28 51760]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X64.sys [2010-05-25 31280]
R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2010-06-24 22584]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 220672]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-23 1255736]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 10752]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-12-26 289792]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2012-03-20 162192]
S2 ServicepointService;ServicepointService;c:\program files (x86)\Verizon\VSP\ServicepointService.exe [2011-01-10 689464]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 21:23]
.
2012-06-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://verizon.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-10 18:45:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-10 22:45
ComboFix2.txt 2012-07-02 22:46
.
Pre-Run: 8,364,470,272 bytes free
Post-Run: 8,308,744,192 bytes free
.
- - End Of File - - 7C1D8584793FA80F1A7110B8EBC931D0
  • 0

#42
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
I want you to perform a clean boot so we can determine if a background program or service is causing the problem.


Step 1

  • Click Start.
  • Type msconfig in the Start Search box, and then press Enter.
  • If you are prompted for an administrator password or for a confirmation, type the password, or provide confirmation.

Step 2

  • In the System Configuration Utility dialog box, click Selective Startup on the General tab.
  • Click to clear the Load Startup Items check box.
  • Click the Services tab.
  • Click to select the Hide All Microsoft Services check box.
  • Click Disable All, and then click OK.
  • When you are prompted, click Restart.

Step 3

Log on to Windows.
If Windows behaves itself then do the following:

Restart MSConfig and select half of the disabled services and reboot.
Is the problem still present?

If Yes then deselect half of the services that you resumed and reboot.
If No then select half of the remaining services and reboot.

The intention here is to isolate the one service/driver that is causing the problem.
  • 0

#43
bigpor2gee

bigpor2gee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
No dice. After I disabled all the services, and hit restart, the system went into reboot but eventually led to a blue screen. Windows would not start normally after that, bringing me back to my to the usual Startup Repair/Normal Mode choice. After the failed Startup Repair and subsequent Shut Down, I brought the system back into Safe Mode. The blue screen error log was as follows:


Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: 000000000000DF6A
BCP2: 0000000000000002
BCP3: 0000000000000001
BCP4: FFFFF800034604B5
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\071312-60387-01.dmp
C:\Users\Bill\AppData\Local\Temp\WER-93631-0.sysdata.xml


After that I tried it again. When I went into the Servies tab of the System Config Utility, the following services were checked and marked as running (I had shut them off prior to the reboot):

McAfee Personal Firewall
McAfee McShield
McAfee Firewall Core Service
McAfee Validation Trust Protection Service


I checked them off again and restarted. This time the system did not go to blue screen but also did not start normally. After the Startup Repair ran (once again, none of it's tests failed), the result was:

Unspecified change to system configuration might have caused the problem
Repair action: System files integrity check and repair
Result: Failed. Error Code = 0x490


I just checked the System Config Utility again and the same 4 McAfee services are running again.

That's all I have to report. I'm sure you are frustrated about this like I am, but please write back sooner than 3 days, if you can. I am about to start a 2 week vacation starting this Friday and would like to have this resolved by then, if possible.
  • 0

#44
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)

My tutor tried to replicate your problem to see if we could find a possible solution. The results are below:

I ran a test on my system yesterday with xbootmgr and I stopped it halfway through, rebooted during a run, used the text extraction that you posted.... Also tried a few more stupid things but could not break my system (I did an image backup prior to this of course)

So as to what happened I have no idea... As I could not replicate it no matter how hard I tried.


Unfortunately, I have to come to the last resort of reformatting your computer.

There are some suggestions here on how you can backup your data.

The page here gives you some more information about how to do a reformat.

Let me know how you get on! :thumbsup:
  • 0

#45
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Have you had the opportunity to follow my instructions yet?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP