Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Need help to remove TR/Crypt.xpack.gen3 on Win7 please.

Started by IBGrizzly , Feb 21 2015 11:37 PM

Please log in to reply

#1
IBGrizzly

Posted 21 February 2015 - 11:37 PM

Member

Member
32 posts

Notebook hung up in boot sequence at the "Loading Windows" message. Rebooted to Safe Mode and did a Rollback since Windows update had been installed the day before. Rebooted to full Win7 operation and seemed to work as it should. Updated and ran Kaspersky IS, MalwareBytes and SuperAntiSpyWare. Nothing was found. Continued using the computer that evening.

The next day the notebook hung up in boot sequence at the "Loading Windows" message again. Restarted in Safe mode and ran Kaspersky IS, MalwareBytes and SuperAntiSpyware scans (all 3 are subscription version) as Admin, all reported clean. Ran System Mechanic Pro 14.0 and it reported problems in registry and problems with the HD. Had program automatically repair both, multiple reboots before finished. Still would not boot to Win7. Safe Mode boot and SM reported all errors repaired successfully, no other problems found.

Rebooted in safe mode and ran Avira on line scan. It identified over 125 files infected with TR/Crypt.xpack.gen2 and gen3. It reported the gen2 files deleted but could not remove the gen3. I went to another computer and logged in to Kaspersky and Avira to see how to delete the file. Avira had no further instructions. Kaspersky had no listing and when I tried to ask for tech support I needed to include the names of the infected file(s) and upload a sample. Rescanned notebook with Avira to select a few examples to send and it could not find the Trojan. Assuming the cleaning worked after all, rebooted computer only to have it hang in the same location of the boot sequence.

Answers.microsoft.com instructed to run MalwareBytes then MRT then HitmanPro. Nothing found by them. Checked your website but found no reference to this Trojan. Computer still will not boot normally.

Internet search showed multiple sites with information on how to remove but no sites that I had heard of and wanted me to download unknown (to me) cleaners so I came back to G2G as your archived instructions helped me remove Vongo from a previous notebook.

Computer is a Toshiba Satellite L675D S7052 with Win7 Pro installed. Infection appeared after my wife was looking for/downloading Crochet patterns and instructions on several crochet sites and U-Tube videos.

Thank you for your consideration in helping me solve this problem,

Ron

#2
RKinner

Posted 22 February 2015 - 10:45 AM

Malware Expert

Expert
24,625 posts

Once you download Combofix, reboot into Safe Mode with Networking before you try to run it by right clicking and Run As Admin. Make sure anti-virus is off.

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

:!: Turn off your screen saver so you can see what is going on

Download and Save this file -- to your Desktop -- from either of these two sources:

http://download.blee...Bs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.

* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

You should get a log when it finishes. If not this may mean you have the new version of Zero Access malware so run Combofix a second time.

If you still don't get a log search for Combofix.txt. It is usually at => C:\Combofix\Combofix.txt. I'll need to see that in your reply.

If you get an error about a registry value when you try to run a program, then just reboot to clear it.

#3
IBGrizzly

Posted 22 February 2015 - 03:33 PM

Member

Topic Starter
Member
32 posts

ComboFix.txt 27.29KB 295 downloads

Thank you for accepting the challenge,

Note, I followed your instructions and the Kaspersky icon in task bar was already gray and said "Resume Protection". Opened program and turned off every switch in the GUI I could find, then clicked on task bar icon and selected exit. Combofix still indicated protection was running. Rechecked everything and all showed "red", "off" or "disabled". Exited via icon again and clicked OK. Combofix still indicated protection was enabled. Tried to X out so I could reboot but Combofix continued anyway.

Scan took a little over 10 min and report appeared. See attachment.

Regards,

Ron

ComboFix 15-02-16.01 - Ronald 02/22/2015 14:54:50.1.2 - x64 NETWORK

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3836.2724 [GMT -6:00]

Running from: c:\users\Ronald\Downloads\ComboFix.exe

AV: Kaspersky Internet Security *Enabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}

FW: Kaspersky Internet Security *Enabled* {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}

SP: Kaspersky Internet Security *Enabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Install.exe

c:\windows\msdownld.tmp

((((((((((((((((((((((((( Files Created from 2015-01-22 to 2015-02-22 )))))))))))))))))))))))))))))))

2015-02-22 21:01 . 2015-02-22 21:01 -------- d-----w- c:\users\Tommie\AppData\Local\temp

2015-02-22 21:01 . 2015-02-22 21:01 -------- d-----w- c:\users\owner\AppData\Local\temp

2015-02-22 21:01 . 2015-02-22 21:01 -------- d-----w- c:\users\Default\AppData\Local\temp

2015-02-22 20:35 . 2015-02-22 20:35 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6BC559D1-62CE-4ED7-9D48-5861ADC4F64B}\offreg.dll

2015-02-19 11:30 . 2013-09-20 16:49 21040 ----a-w- c:\windows\system32\sdnclean64.exe

2015-02-19 11:30 . 2015-02-19 11:31 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2

2015-02-19 11:20 . 2015-02-19 11:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2015-02-19 10:59 . 2015-02-19 11:17 -------- d-----w- C:\OETemp

2015-02-19 10:53 . 2015-02-19 10:53 -------- d-----w- c:\users\Ronald\AppData\Roaming\QuickScan

2015-02-19 10:06 . 2015-02-19 10:25 -------- d-----w- c:\programdata\HitmanPro

2015-02-19 08:59 . 2015-01-29 09:07 11910896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6BC559D1-62CE-4ED7-9D48-5861ADC4F64B}\mpengine.dll

2015-02-14 02:52 . 2015-02-15 02:12 129752 ----a-w- c:\windows\system32\drivers\4B715396.sys

2015-02-10 01:54 . 2015-02-10 01:54 129752 ----a-w- c:\windows\system32\drivers\7FAB6EAA.sys

2015-02-08 23:53 . 2015-02-08 23:53 129752 ----a-w- c:\windows\system32\drivers\3A8A43D2.sys

2015-02-08 21:55 . 2015-02-08 21:55 129752 ----a-w- c:\windows\system32\drivers\39F4697B.sys

2015-02-08 20:42 . 2015-02-08 20:42 129752 ----a-w- c:\windows\system32\drivers\7B2131E4.sys

2015-02-08 20:32 . 2015-02-08 20:32 129752 ----a-w- c:\windows\system32\drivers\49CA2A05.sys

2015-02-08 20:25 . 2015-02-08 20:25 5070512 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2015-02-07 18:38 . 2015-02-07 18:38 -------- d-sh--w- c:\users\Ronald\AppData\Local\EmieBrowserModeList

2015-02-07 18:12 . 2015-02-08 19:42 -------- d-----w- c:\program files (x86)\GUM4A96.tmp

2015-02-01 16:29 . 2015-02-14 03:07 -------- d-----w- c:\programdata\Malwarebytes Anti-Exploit

2015-02-01 16:29 . 2015-02-01 16:29 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Exploit

2015-02-01 16:18 . 2015-02-01 16:18 -------- d-----w- c:\programdata\Motorola

2015-02-01 16:09 . 2015-02-01 16:09 -------- d-----w- c:\program files (x86)\Motorola

2015-02-01 16:09 . 2015-02-01 16:17 -------- d-----w- c:\program files (x86)\Motorola Mobility

2015-02-01 16:06 . 2015-02-01 16:06 -------- d-----w- c:\program files\Motorola Mobility LLC

2015-02-01 16:06 . 2015-02-01 16:06 -------- d-----w- c:\program files\Common Files\Motorola Shared

2015-01-31 23:18 . 2015-01-31 23:18 -------- d-----w- c:\users\Tommie\AppData\Roaming\Motorola

2015-01-31 20:16 . 2015-02-16 19:21 -------- d-----w- c:\users\Tommie\AppData\Roaming\iolo

2015-01-31 03:08 . 2014-08-13 05:41 2155152 ----a-w- c:\windows\system32\Incinerator64.dll

2015-01-31 03:08 . 2014-08-13 05:41 2097984 ----a-w- c:\windows\SysWow64\Incinerator32.dll

2015-01-31 03:08 . 2014-08-13 05:57 57584 ----a-w- c:\windows\system32\iolobtdfg.exe

2015-01-31 03:08 . 2014-08-13 05:57 26184 ----a-w- c:\windows\system32\smrgdf.exe

2015-01-31 03:08 . 2014-08-13 05:35 82160 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys

2015-01-31 03:08 . 2014-08-13 05:35 69000 ----a-w- c:\windows\system32\offreg.dll

2015-01-31 03:08 . 2014-08-13 05:35 56200 ----a-w- c:\windows\SysWow64\offreg.dll

2015-01-31 03:08 . 2015-01-31 03:08 -------- d-----w- c:\program files (x86)\iolo

2015-01-31 03:03 . 2014-08-13 05:38 32912 ----a-w- c:\windows\system32\drivers\rawdsk3.sys

2015-01-31 03:03 . 2015-01-31 03:03 -------- d-----w- C:\logs

2015-01-31 03:03 . 2015-01-31 03:03 74703 ----a-w- c:\windows\SysWow64\mfc45.dat

2015-01-31 03:03 . 2015-01-31 03:03 -------- d-----w- C:\iolo

2015-01-31 03:02 . 2015-01-31 21:21 -------- d-----w- c:\programdata\iolo

2015-01-31 03:02 . 2015-01-31 05:45 -------- d-----w- c:\users\Ronald\AppData\Roaming\iolo

2015-01-31 01:13 . 2015-01-31 03:18 129752 ----a-w- c:\windows\system32\drivers\2A32425D.sys

2015-01-30 02:18 . 2014-12-13 05:09 144384 ----a-w- c:\windows\system32\ieUnatt.exe

2015-01-30 02:18 . 2014-12-13 03:33 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2015-01-30 02:18 . 2014-12-19 03:06 210432 ----a-w- c:\windows\system32\profsvc.dll

2015-01-30 02:18 . 2014-12-06 04:17 303616 ----a-w- c:\windows\system32\nlasvc.dll

2015-01-30 02:18 . 2014-12-06 03:50 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll

2015-01-30 02:18 . 2014-12-06 03:50 156672 ----a-w- c:\windows\SysWow64\ncsi.dll

2015-01-30 02:17 . 2014-12-19 01:46 141312 ----a-w- c:\windows\system32\drivers\mrxdav.sys

2015-01-30 02:17 . 2014-12-12 05:35 5553592 ----a-w- c:\windows\system32\ntoskrnl.exe

2015-01-30 02:17 . 2014-12-12 05:11 3971512 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2015-01-30 02:17 . 2014-12-12 05:11 3916728 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2015-01-30 02:17 . 2014-12-12 05:31 503808 ----a-w- c:\windows\system32\srcore.dll

2015-01-30 02:17 . 2014-12-12 05:31 296960 ----a-w- c:\windows\system32\rstrui.exe

2015-01-30 02:17 . 2014-12-12 05:31 50176 ----a-w- c:\windows\system32\srclient.dll

2015-01-30 02:17 . 2014-12-12 05:07 43008 ----a-w- c:\windows\SysWow64\srclient.dll

2015-01-30 02:17 . 2014-12-11 17:47 87040 ----a-w- c:\windows\system32\TSWbPrxy.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2015-02-19 01:44 . 2014-09-27 06:12 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2015-02-08 20:25 . 2012-07-22 00:26 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2015-02-08 20:25 . 2011-06-09 03:09 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2015-01-30 02:20 . 2010-10-31 18:17 113365784 ----a-w- c:\windows\system32\MRT.exe

2015-01-08 15:55 . 2010-10-31 18:19 298120 ----a-w- c:\windows\system32\MpSigStub.exe

2015-01-04 23:41 . 2015-01-04 23:41 129752 ----a-w- c:\windows\system32\drivers\3FF50C32.sys

2015-01-02 06:06 . 2015-01-02 06:06 129752 ----a-w- c:\windows\system32\drivers\4FE648C2.sys

2014-12-29 21:37 . 2014-12-29 21:37 129752 ----a-w- c:\windows\system32\drivers\2388586E.sys

2014-12-19 21:20 . 2014-12-17 03:45 129752 ----a-w- c:\windows\system32\drivers\36B67A37.sys

2014-12-09 23:25 . 2014-12-08 00:45 129752 ----a-w- c:\windows\system32\drivers\33BC316B.sys

2014-12-06 19:55 . 2014-12-06 19:55 129752 ----a-w- c:\windows\system32\drivers\04B8056E.sys

2014-12-04 02:50 . 2014-12-20 15:52 413184 ----a-w- c:\windows\system32\generaltel.dll

2014-12-04 02:50 . 2014-12-20 15:52 741376 ----a-w- c:\windows\system32\invagent.dll

2014-12-04 02:50 . 2014-12-20 15:52 396800 ----a-w- c:\windows\system32\devinv.dll

2014-12-04 02:50 . 2014-12-20 15:52 830976 ----a-w- c:\windows\system32\appraiser.dll

2014-12-04 02:50 . 2014-12-20 15:52 192000 ----a-w- c:\windows\system32\aepic.dll

2014-12-04 02:50 . 2014-12-20 15:52 227328 ----a-w- c:\windows\system32\aepdu.dll

2014-12-04 02:44 . 2014-12-20 15:52 1083392 ----a-w- c:\windows\system32\aeinv.dll

2014-12-01 23:28 . 2014-12-20 15:52 1232040 ----a-w- c:\windows\system32\aitstatic.exe

2014-11-30 23:38 . 2014-11-30 23:38 129752 ----a-w- c:\windows\system32\drivers\36055B42.sys

2014-11-27 01:43 . 2014-12-20 15:53 389296 ----a-w- c:\windows\system32\iedkcs32.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2015-01-30 7780120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]

"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-23 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]

"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]

"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]

"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]

"WD Quick View"="c:\program files (x86)\Western Digital\WD Quick View\WDDMStatus.exe" [2014-07-22 5562736]

"Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2014-12-10 2561848]

"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe "c:\programdata\Best Buy pc app\Best Buy pc app.application" [2010-6-24 9216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]

@="Service"

R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]

R1 klpd;klpd;c:\windows\system32\DRIVERS\klpd.sys;c:\windows\SYSNATIVE\DRIVERS\klpd.sys [x]

R1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]

R1 RawDisk3;RawDisk3;c:\windows\system32\drivers\rawdsk3.sys;c:\windows\SYSNATIVE\drivers\rawdsk3.sys [x]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]

R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]

R2 PDFsFilter;PDFsFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys;c:\windows\SYSNATIVE\DRIVERS\PDFsFilter.sys [x]

R2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [x]

R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]

R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]

R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]

R2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [x]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]

R2 WDBackup;WD Backup;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [x]

R2 WDDriveService;WD Drive Manager;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [x]

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys;c:\windows\SYSNATIVE\DRIVERS\ivusb.sys [x]

R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys [x]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]

R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]

R3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]

R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]

R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys;c:\windows\SYSNATIVE\DRIVERS\vpcuxd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]

R4 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]

R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

R4 klflt;klflt;c:\windows\system32\DRIVERS\klflt.sys;c:\windows\SYSNATIVE\DRIVERS\klflt.sys [x]

S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]

S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]

S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [x]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

S3 RTWlanE;Realtek Wireless LAN 802.11n PCI-E Network Adapter;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x]

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2015-02-06 02:10 1086280 ----a-w- c:\program files (x86)\Google\Chrome\Application\40.0.2214.111\Installer\chrmstp.exe

Contents of the 'Scheduled Tasks' folder

2015-02-17 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-22 20:25]

2015-02-19 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job

- c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2015-02-19 17:52]

2015-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 18:55]

2015-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 18:55]

2015-02-19 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job

- c:\program files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2015-02-19 16:41]

2015-02-19 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job

- c:\program files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2015-02-19 16:42]

2015-02-17 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 3b41acea-803c-4887-901a-aa2128d958c5.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]

2015-02-06 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 7776d1a6-5432-464c-8373-06202368eea0.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]

--------- X64 Entries -----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-22 10134560]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-22 896032]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

------- Supplementary Scan -------

uStart Page = hxxp://start.toshiba.com/?cid=C001B2Y

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.50.1

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_32.CAB

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

Wow6432Node-HKLM-RunOnce-SMRequiresRestart - (no file)

Notify-SDWinLogon - SDWinLogon.dll

SafeBoot-MBAMSwissArmy

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe

HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe

HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe

HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.16"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

"Key"="ActionsPane3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

Completion time: 2015-02-22 15:04:02

ComboFix-quarantined-files.txt 2015-02-22 21:04

Pre-Run: 365,091,291,136 bytes free

Post-Run: 364,894,076,928 bytes free

- - End Of File - - 42ABCA5409743C9642D87A87DDF16AB7

#4
RKinner

Posted 22 February 2015 - 06:52 PM

Malware Expert

Expert
24,625 posts

Can you uninstall Spybot and make sure its immunizing is undone when it uninstalls. It really makes it harder to make changes. It looks to me like MBAM has been compromised. It's c:\windows\system32\drivers\MBAMSwissArmy.sys is supposed to be 40K or so instead it is only 129752 which is the exact size of the 14 randomly named .sys files which I suspect is your infection.

I'm going to try to get Combofix to remove the .sys files and also the MBAM file but MBAM is not going to like it so we may have to uninstall MBAM first but let's try a CRFScript first:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

DirLook::

C:\Program Files\Common

%user%\library

File::

c:\windows\system32\drivers\4B715396.sys

c:\windows\system32\drivers\7FAB6EAA.sys

c:\windows\system32\drivers\3A8A43D2.sys

c:\windows\system32\drivers\39F4697B.sys

c:\windows\system32\drivers\7B2131E4.sys

c:\windows\system32\drivers\49CA2A05.sys

c:\windows\SysWow64\FlashPlayerInstaller.exe

c:\users\Ronald\AppData\Local\EmieBrowserModeList

c:\program files (x86)\GUM4A96.tmp

c:\windows\system32\drivers\3FF50C32.sys

c:\windows\system32\drivers\4FE648C2.sys

c:\windows\system32\drivers\2388586E.sys

c:\windows\system32\drivers\36B67A37.sys

c:\windows\system32\drivers\33BC316B.sys

c:\windows\system32\drivers\04B8056E.sys

c:\windows\SysWow64\FlashPlayerApp.exe

c:\windows\SysWow64\FlashPlayerCPLApp.cpl

c:\windows\system32\drivers\36055B42.sys

c:\windows\system32\drivers\MBAMSwissArmy.sys

Driver::

MBAMSwissArmy

RootKit::

c:\windows\system32\drivers\4B715396.sys

c:\windows\system32\drivers\7FAB6EAA.sys

c:\windows\system32\drivers\3A8A43D2.sys

c:\windows\system32\drivers\39F4697B.sys

c:\windows\system32\drivers\7B2131E4.sys

c:\windows\system32\drivers\49CA2A05.sys

c:\windows\SysWow64\FlashPlayerInstaller.exe

c:\users\Ronald\AppData\Local\EmieBrowserModeList

c:\program files (x86)\GUM4A96.tmp

c:\windows\system32\drivers\3FF50C32.sys

c:\windows\system32\drivers\4FE648C2.sys

c:\windows\system32\drivers\2388586E.sys

c:\windows\system32\drivers\36B67A37.sys

c:\windows\system32\drivers\33BC316B.sys

c:\windows\system32\drivers\04B8056E.sys

c:\windows\SysWow64\FlashPlayerApp.exe

c:\windows\SysWow64\FlashPlayerCPLApp.cpl

c:\windows\system32\drivers\36055B42.sys

c:\windows\system32\drivers\MBAMSwissArmy.sys

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go Combofix should start on its own.

Post the new log.

#5
IBGrizzly

Posted 22 February 2015 - 10:01 PM

Member

Topic Starter
Member
32 posts

CFLog 150221-2057.txt 26.54KB 296 downloads

Opened Spybot and turned off all immunizations then used supplied uninstaller to completely remove all. Rebooted to safe mode, confrimed Kaspersky was still off and dropped script to CF icon. Started as expected but indicated Spybot was still running. Rechecked with Control Panel\Program Files and showed no Spybot entries. Ran uninstaller in System Mechanic and it did not find any Spybot either. Closed all files and continued CF. Runtime a little over 10 minutes. CF automatically rebooted computer and went straight to Win7 normal mode. Took about 5 minutes for CF to finish and display report. Boot to Win7 normal was much faster than usual. File attached.

As for MBAM or other programs, I have no issues with disabling or removing them as needed.

Also have been using WD Passport as file backup device. Do not believe it was connected since a few days before the system failed to boot but not sure how to safely access it since the Security software missed the trojan the first time. Any advice on how to verify it is clean?

Additional post:

Tried to turn all of Kaspersky back on but "System Watcher" would not restart and message came up that the installation may be corrupted and needed to be re-installed. After ~ 15 minutes Kaspersky settings indicated System Watcher was running. Also showed a Windows32\Svchost.exe was in the Trusted Application list. I do not place any files in there so I removed it from the list. I hope this does not upset the work you have done so far. I deleted it without thinking or considering the time you have put in on my problem. I will remember to consult you before making any changes next time.

As a side note, before running CF, the Task Bar icon has indicated Kaspersky as paused (grayed out and only selection was resume which did not work) even though the GUI showed everything on; now shows that protection can be paused.

Regards,

Ron

ComboFix 15-02-16.01 - Ronald 02/22/2015 20:57:31.2.2 - x64 NETWORK

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3836.2995 [GMT -6:00]

Running from: c:\users\Ronald\Desktop\ComboFix.exe

Command switches used :: c:\users\Ronald\Desktop\CFScript.txt

AV: Kaspersky Internet Security *Disabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}

FW: Kaspersky Internet Security *Disabled* {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}

SP: Kaspersky Internet Security *Disabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}

SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

FILE ::

"c:\program files (x86)\GUM4A96.tmp"

"c:\users\Ronald\AppData\Local\EmieBrowserModeList"

"c:\windows\system32\drivers\04B8056E.sys"

"c:\windows\system32\drivers\2388586E.sys"

"c:\windows\system32\drivers\33BC316B.sys"

"c:\windows\system32\drivers\36055B42.sys"

"c:\windows\system32\drivers\36B67A37.sys"

"c:\windows\system32\drivers\39F4697B.sys"

"c:\windows\system32\drivers\3A8A43D2.sys"

"c:\windows\system32\drivers\3FF50C32.sys"

"c:\windows\system32\drivers\49CA2A05.sys"

"c:\windows\system32\drivers\4B715396.sys"

"c:\windows\system32\drivers\4FE648C2.sys"

"c:\windows\system32\drivers\7B2131E4.sys"

"c:\windows\system32\drivers\7FAB6EAA.sys"

"c:\windows\system32\drivers\MBAMSwissArmy.sys"

"c:\windows\SysWow64\FlashPlayerApp.exe"

"c:\windows\SysWow64\FlashPlayerCPLApp.cpl"

"c:\windows\SysWow64\FlashPlayerInstaller.exe"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\drivers\04B8056E.sys

c:\windows\system32\drivers\2388586E.sys

c:\windows\system32\drivers\33BC316B.sys

c:\windows\system32\drivers\36055B42.sys

c:\windows\system32\drivers\36B67A37.sys

c:\windows\system32\drivers\39F4697B.sys

c:\windows\system32\drivers\3A8A43D2.sys

c:\windows\system32\drivers\3FF50C32.sys

c:\windows\system32\drivers\49CA2A05.sys

c:\windows\system32\drivers\4B715396.sys

c:\windows\system32\drivers\4FE648C2.sys

c:\windows\system32\drivers\7B2131E4.sys

c:\windows\system32\drivers\7FAB6EAA.sys

c:\windows\system32\drivers\MBAMSwissArmy.sys

c:\windows\SysWow64\FlashPlayerApp.exe

c:\windows\SysWow64\FlashPlayerCPLApp.cpl

c:\windows\SysWow64\FlashPlayerInstaller.exe

c:\windows\wininit.ini

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_MBAMSWISSARMY

-------\Service_MBAMSwissArmy

((((((((((((((((((((((((( Files Created from 2015-01-23 to 2015-02-23 )))))))))))))))))))))))))))))))

2015-02-23 03:06 . 2015-02-23 03:06 -------- d-----w- c:\users\Tommie\AppData\Local\temp

2015-02-23 03:06 . 2015-02-23 03:06 -------- d-----w- c:\users\owner\AppData\Local\temp

2015-02-23 03:06 . 2015-02-23 03:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2015-02-19 11:30 . 2015-02-23 02:37 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2

2015-02-19 11:20 . 2015-02-22 22:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy