Vista Antivirus 2012
Started by Kristi2565, Dec 15 2011 04:40 PM
#16
Posted 20 December 2011 - 01:17 PM
#17
Posted 20 December 2011 - 01:42 PM
No, I think you need to move the ComboFix program to your desktop. I don't think a shortcut will work.
#18
Posted 20 December 2011 - 02:37 PM
ComboFix 11-12-16.02 - rhizogen 12/20/2011 13:21:47.2.2 - x86 MINIMAL
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.1791.1290 [GMT -6:00]
Running from: c:\users\rhizogen\Downloads\ComboFix.exe
Command switches used :: c:\users\rhizogen\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk"
"c:\windows\System32\drivers\bofntmc.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ebxeq
-------\Service_McComponentHostService
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 19:38 . 2011-12-20 19:38 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-12-20 19:38 . 2011-12-20 19:38 2942 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-12-20 19:38 . 2011-12-20 19:38 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-12-20 19:27 . 2011-12-20 20:28 -------- d-----w- c:\users\rhizogen\AppData\Local\temp
2011-12-20 19:27 . 2011-12-20 19:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-19 15:07 . 2011-12-19 15:07 -------- d-----w- C:\_OTL
2011-12-16 21:14 . 2011-12-16 21:14 -------- d-----w- c:\users\rhizogen\AppData\Roaming\Malwarebytes
2011-12-16 21:14 . 2011-12-16 21:14 -------- d-----w- c:\programdata\Malwarebytes
2011-12-16 21:14 . 2011-12-16 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-16 21:14 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 15:06 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-15 17:23 . 2011-12-15 17:46 -------- d-----w- c:\windows\system32\sdtmp
2011-12-15 04:05 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-15 04:05 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-15 04:04 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-15 04:03 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-15 04:03 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-15 04:01 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 04:01 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 08:10 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9BB067C9-E1A7-46CA-BF50-F87E60497AB4}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 11:49 . 2011-03-09 19:59 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 11:49 . 2011-03-09 19:59 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 11:49 . 2011-03-09 19:59 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 11:49 . 2011-03-09 19:59 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SmileboxTray"="c:\users\rhizogen\AppData\Roaming\Smilebox\SmileboxTray.exe" [2011-12-01 313160]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"SetRefresh"="c:\program files\HP\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1282048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-07-11 73728]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2008-02-22 44168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Attendance Rx.lnk - c:\program files\Acroprint\Attendance Rx\AttendanceRx.exe [2009-3-3 5742592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2011-10-07 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-09-17 180736]
R3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2007-07-16 20504]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=all&pf=cmdt
IE: Add to AVI Video Converter... - c:\program files\Media Player Utilities 4.29\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: Interfaces\{25108261-8D72-49CC-80B9-4C97455452C0}: NameServer = 68.28.186.91,68.28.178.91
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\users\rhizogen\AppData\Roaming\Mozilla\Firefox\Profiles\6zgw1gw8.default\
FF - prefs.js: browser.search.selectedEngine - Inbox Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80179&language=en&qkw=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-12-20 14:34:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-20 20:34
ComboFix2.txt 2011-12-20 14:11
ComboFix3.txt 2011-12-19 17:55
ComboFix4.txt 2011-12-16 19:23
.
Pre-Run: 96,570,900,480 bytes free
Post-Run: 96,514,981,888 bytes free
.
- - End Of File - - FBB7903106DED989B0A4E3735E66FA6D
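Reading a ComboFix log like the one above by hand means scanning the Run keys, the service lines and the Firefox prefs for a handful of patterns: a service with a machine-generated name (ebxeq), an autostart binary living in a user-writable profile folder, and search prefs pointing at a third-party toolbar host. The script below is an added example, not ComboFix's own code and not something posted in this thread, that applies those three checks to lines taken from the log above. The function names (triage, looks_random, user_writable), the USER_WRITABLE markers, the KNOWN_SEARCH_HOSTS allow-list, the ODD_BIGRAMS randomness heuristic, and the treatment of a `[x]` stamp as "no date/size recorded for the image file" are all assumptions of the example, not ComboFix conventions the page confirms.

```python
"""Triage of a ComboFix log (added example; not ComboFix's own code).

Flags three patterns that pointed at the infection in this thread:
a service whose name looks machine-generated, an autostart entry whose
binary lives somewhere a standard user can write, and a Firefox URL pref
whose host is not a known search provider.  Heuristics, allow-lists and
the sample text are this example's own assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
-------\Service_ebxeq
-------\Service_McComponentHostService
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SmileboxTray"="c:\users\rhizogen\AppData\Roaming\Smilebox\SmileboxTray.exe" [2011-12-01 313160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
FF - prefs.js: browser.search.selectedEngine - Inbox Search
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80179&language=en&qkw=
"""

RUN_KEY = re.compile(r'^\[HKEY_.*\\Run(Once)?\]$', re.I)
RUN_VAL = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[([^\]]*)\]$')
SVC_LINE = re.compile(r'^[RS][0-4]\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$')
SVC_DELETED = re.compile(r'^-------\\Service_(\S+)$')
FF_PREF = re.compile(r'^FF - prefs\.js: (\S+) - (.+)$')

# Directories a standard user can write to; a Run entry here needs no admin rights to plant.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\programdata\\', '\\temp\\')
# Hosts accepted in URL-valued Firefox prefs (assumption; extend for your environment).
KNOWN_SEARCH_HOSTS = {'www.google.com', 'www.bing.com', 'search.yahoo.com'}
# Letter pairs rare in English and vendor names; a cheap randomness signal (assumption).
ODD_BIGRAMS = {'bx', 'qx', 'xq', 'zq', 'jq', 'vx', 'gx', 'kx', 'qz', 'xk', 'bq',
               'cx', 'pq', 'zx', 'qk', 'wq', 'xj', 'fq', 'qg', 'hx', 'qv', 'vq',
               'zj', 'jz', 'dq', 'qd', 'qf', 'tq', 'qt'}


def user_writable(path):
    """True when the image path lies under a directory a non-admin user can write."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def looks_random(name):
    """Cheap check for generated service names such as 'ebxeq': short, all
    lower-case letters, with a 'q' not followed by 'u' or an unlikely letter pair."""
    if not (name.isalpha() and name.islower() and 4 <= len(name) <= 10):
        return False
    if 'q' in name and 'qu' not in name:
        return True
    return any(name[i:i + 2] in ODD_BIGRAMS for i in range(len(name) - 1))


def triage(log_text):
    """Return suspicious findings from a ComboFix log, grouped by category."""
    findings = {'run_user_writable': [], 'service_random_name': [],
                'service_no_file_stamp': [], 'search_hijack': []}
    in_run_key = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith('[HKEY'):
            in_run_key = bool(RUN_KEY.match(line))  # only Run/RunOnce values are autostarts
            continue
        if in_run_key and (m := RUN_VAL.match(line)):
            name, path, _stamp = m.groups()
            if user_writable(path):
                findings['run_user_writable'].append((name, path))
        elif m := SVC_DELETED.match(line):
            if looks_random(m.group(1)):
                findings['service_random_name'].append(m.group(1))
        elif m := SVC_LINE.match(line):
            name, _display, _path, stamp = m.groups()
            if looks_random(name):
                findings['service_random_name'].append(name)
            if stamp == 'x':  # no date/size printed for the image file: worth a look
                findings['service_no_file_stamp'].append(name)
        elif m := FF_PREF.match(line):
            pref, value = m.groups()
            if value.startswith('hxxp'):  # the log defangs http as hxxp
                host = urlparse('http' + value[4:]).hostname
                if host not in KNOWN_SEARCH_HOSTS:
                    findings['search_hijack'].append((pref, host))
    return findings


if __name__ == '__main__':
    for category, items in triage(SAMPLE_LOG).items():
        print(f'{category}: {items}')
```

Run it against a saved ComboFix.txt by passing the file's contents to triage(). The randomness check is a heuristic and will misfire on legitimate short lower-case names, so treat its output as a list of entries to look up, not a verdict; a known-good baseline of the same machine is the better comparison when one exists.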
#19
Posted 20 December 2011 - 03:46 PM
When I right click on "Computer" and then select "Manage", a window opens that has
Explorer.exe (top left corner)
Illegal operation attempted on registry key that has been marked for deletion.
Tried to do a screenshot but cannot open Paint.
C:\windows\System32\mspaint.exe (top left corner)
Illegal operation attempted on registry key that has been marked for deletion.
#20
Posted 20 December 2011 - 03:48 PM
I am posting from my laptop. Can't get the infected machine online.
#21
Posted 20 December 2011 - 03:56 PM
Is it still refusing to boot into regular mode? Are you still lacking Internet connection? (I assume you have tried Safe Mode with Networking?)
Did you install LogMeIn?
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:
sfc /scannow
net start >> \junk.txt
ipconfig /all >> \junk.txt
netsh winsock show catalog >> \junk.txt
notepad \junk.txt
(Copy and Paste or Attach C:\junk.txt to your next Reply.)
msconfig
(Go to Services tab and click on the box to hide Microsoft Services then uncheck everything that remains. Go to Startup tab and uncheck everything. OK and reboot. If it doesn't run faster then go back into msconfig and recheck the things you turned off. If it helps then go back and turn on a few items each time until you find the culprit.)
cd \windows\logs\cbs
copy cbs.log cbs.old
del cbs.log
sfc /scannow
findstr /c:"[SR]" cbs.log > junk.txt
Attach the file \windows\logs\cbs\junk.txt to your next reply.
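The last steps of the post above (move the old CBS.log aside, run sfc /scannow, then findstr the [SR] lines into junk.txt) leave you with the raw SFC trace to read by hand. The script below is an added example, not from the post's author and not a Microsoft tool, that summarizes those [SR] lines: how many components were verified, which member files SFC found corrupt, which it repaired from the component store, and which are still corrupt. The message texts it matches ("Verifying N components", "Cannot repair member file", "Repairing corrupted file", "Verify complete", "Repair complete") are the ones SFC writes; the function names and the sample lines are this example's own, constructed to that shape and not taken from the machine in this thread.

```python
"""Summarize the [SR] lines that sfc /scannow writes to CBS.log (added example).

Accepts either the full \Windows\Logs\CBS\CBS.log or the junk.txt extract
produced with findstr /c:"[SR]".  Sample lines below are constructed to the
shape of a real CBS log and are not from the machine discussed above.
"""
import re
from pathlib import Path

# Constructed sample: two corrupt member files found, one repaired from the store.
CBS_SAMPLE = r"""
2011-12-20 16:30:01, Info                  CSI    00000006 [SR] Verifying 100 (0x0000000000000064) components
2011-12-20 16:30:01, Info                  CSI    00000007 [SR] Beginning Verify and Repair transaction
2011-12-20 16:30:15, Info                  CSI    00000012 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral in the store, hash mismatch
2011-12-20 16:30:15, Info                  CSI    00000013 [SR] Cannot repair member file [l:18{9}]"other.sys" of Other-Component, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral in the store, hash mismatch
2011-12-20 16:30:16, Info                  CSI    00000014 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll" from store
2011-12-20 16:30:20, Info                  CSI    00000015 [SR] Verifying 100 (0x0000000000000064) components
2011-12-20 16:30:40, Info                  CSI    00000020 [SR] Verify complete
2011-12-20 16:30:40, Info                  CSI    00000021 [SR] Repair complete
"""

SR_MSG = re.compile(r'\[SR\]\s+(.*?)\s*$')          # text after the [SR] tag
SR_FILE = re.compile(r'\[l:\d+\{\d+\}\]"([^"]+)"')  # CSI length-prefixed name: [l:bytes{chars}]"name"
SR_VERIFYING = re.compile(r'^Verifying (\d+) \(')


def summarize_sr(cbs_text):
    """Return a dict describing what the [SR] lines in cbs_text say."""
    summary = {'verified_components': 0, 'cannot_repair': [], 'repaired': [],
               'verify_complete': False, 'repair_complete': False}
    for line in cbs_text.splitlines():
        m = SR_MSG.search(line)
        if not m:
            continue  # same filter as findstr: ignore everything that is not an [SR] line
        msg = m.group(1)
        if vm := SR_VERIFYING.match(msg):
            summary['verified_components'] += int(vm.group(1))  # SFC verifies in batches of 100
        elif msg.startswith('Cannot repair member file'):
            if fm := SR_FILE.search(msg):
                summary['cannot_repair'].append(fm.group(1))
        elif msg.startswith('Repairing corrupted file'):
            names = SR_FILE.findall(msg)  # the file name is the last [l:..]"..." on the line
            if names:
                summary['repaired'].append(names[-1])
        elif msg == 'Verify complete':
            summary['verify_complete'] = True
        elif msg == 'Repair complete':
            summary['repair_complete'] = True
    # Files SFC flagged but never logged a repair for: these still need attention.
    summary['still_corrupt'] = sorted(set(summary['cannot_repair']) - set(summary['repaired']))
    return summary


def summarize_file(path):
    """Summarize an on-disk CBS.log or junk.txt; undecodable bytes are replaced, not fatal."""
    return summarize_sr(Path(path).read_text(encoding='utf-8', errors='replace'))


if __name__ == '__main__':
    for key, value in summarize_sr(CBS_SAMPLE).items():
        print(f'{key}: {value}')
```

If verify_complete stays False the run was interrupted or the log you fed in is not from a fresh scan; anything listed under still_corrupt is a system file SFC could not restore from the store and is the first thing to compare against a known-good copy, since a malware-patched system binary that SFC cannot replace is exactly the case the post's findstr step is meant to surface.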
#22
Posted 20 December 2011 - 03:58 PM
The Illegal operation attempted on registry key that has been marked for deletion error should go away after a reboot.
#23
Posted 20 December 2011 - 04:02 PM
Still will only boot in Safe Mode. If I try to boot normally it gets to the Vista password screen and doesn't give you time to type the password before it starts the blue HP screen and then goes to the Safe Mode screen. Can boot Safe Mode with Networking but cannot get online.
#24
Posted 20 December 2011 - 04:06 PM
Trying to run Command Prompt and getting the "Illegal operation attempted on registry key that has been marked for deletion." error.
#25
Posted 20 December 2011 - 04:10 PM
Did you reboot?
#26
Posted 20 December 2011 - 04:11 PM
no. will do that now.
#27
Posted 20 December 2011 - 04:11 PM
Reboot in SAFE mode?
#28
Posted 20 December 2011 - 04:12 PM
Try regular mode first.
#29
Posted 20 December 2011 - 04:16 PM
Normal boot not working; trying Safe Mode with Command Prompt.
#30
Posted 20 December 2011 - 04:17 PM
Ok. Got the command prompt at
C:\Windows\system32