TRO/ROOT KIT?

#151 DAV2 (Topic Starter, Member, 140 posts)
The 2 UAC that happened most recently that I gave the wording on, happened while I was on the internet. I answered no to both and nothing noticeable happened. The Program Compatibility Box came up sometime and said I needed to download "FLASH.?ocx?, that was a "necessary" but "missing" part of Win. I also get messages on internet that I need to download "FLASH" in order to view the video, but I already have "FLASH" 11 installed and even if I download it again the download message remains. CCE of Com... quarantined the last "FLASH" that was unsigned and rearranged all the clusters on the computer. Win compatibility box has come up and placed Com... into compatibility mode, because Win said Com... would not run inside regular Win.
Yes, I deleted them and they are gone from Device manager, but they still are in error events as failed to load along with a new failed to load driver. That happened after the computer crashed on the reboot.

Edited by DAV2, 09 February 2012 - 01:09 PM.

#152 RKinner (Malware Expert, MVP, 24,485 posts)
Are the device drivers still in Events with new dates or are they left over from before?

Do you see the new errored driver in Device Manager?

What web site is asking you to download the flash file?

#153 DAV2 (Topic Starter, Member, 140 posts)
Ron, the drivers are hidden by Win, just like the directory files that are invisible. The drivers are unknown by unknown and are in unknown places, but Win says they are working just fine. The "sigverif" does not see them at all and claims all drivers are known. When uninstalled they are gone from device manager, but they are error reported as not loaded by events, along with a new unloaded driver, right after Win crashed.
Yes, just like the last 2, it is working properly yet does not load and is not seen by Sigverif. (another one of the invisible things of Win)
I do not think it is the same site all the time and I am now always responding no even if it does say it needs a missing but necessary part of Win that is completely updated. I also wish Win would stop putting the security software into compatibility mode and I wish that software would eliminate all of its "unknown" bugs before they release it.
Akamai is still getting data from the computer and from Word when I open/close a file.

#154 RKinner (Malware Expert, MVP, 24,485 posts)
If you go into regedit and navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\

can you see any of the strange drivers? If you find them just delete them.

Might have to go to a bootable CD registry editor like PC Regedit
from the link on the lower half of this page:
http://www.raymond.c...ing-in-windows/

I haven't tried on Win 7 yet but it should work.
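A way to triage those driver entries before deleting anything, as an added example (my code, not Ron's or the forum's): it reads the Services key Ron names above, resolves each kernel driver's ImagePath, and reports for every entry whether the binary exists, its Authenticode status and signer, and its SHA-256 for lookup against a known-good list. It assumes an elevated PowerShell prompt on the affected machine and a CSV on the desktop; both are my choices.

```powershell
# Added example, not code from the thread. Read-only: it builds a worklist of
# driver services and deletes nothing.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Resolve-ImagePath([string]$image) {
    # ImagePath comes in several spellings: \SystemRoot\system32\drivers\x.sys,
    # system32\DRIVERS\x.sys, \??\C:\path\x.sys, or a bare C:\path\x.sys.
    $p = $image.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-FileSha256([string]$path) {
    $stream = [System.IO.File]::OpenRead($path)
    try { return ([System.BitConverter]::ToString($sha256.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Close() }
}

$report = foreach ($svc in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file-system driver. Win32 services are 16/32.
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }

    $path   = if ($props.ImagePath) { Resolve-ImagePath $props.ImagePath } else { '' }
    $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)
    $status = 'MissingFile'; $signer = ''; $hash = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $hash   = Get-FileSha256 $path
    }
    New-Object PSObject -Property @{
        Service   = $svc.PSChildName
        Start     = $props.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $path
        Status    = $status
        Signer    = $signer
        Sha256    = $hash
        Review    = (-not $exists) -or ($status -ne 'Valid')
    }
}

# Caveat: on Windows 7 most inbox drivers are catalog-signed rather than
# embedded-signed, and older PowerShell versions report those as NotSigned.
# 'Review' is therefore a worklist to compare against sigverif and the vendor,
# not a verdict. A missing file with Start 0 or 1, or a valid signature from
# an unfamiliar signer, is what deserves the closer look.
$report | Sort-Object Review -Descending |
    Format-Table Service, Start, Status, Signer, ImagePath -AutoSize
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\driver-services.csv')
```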

#155 DAV2 (Topic Starter, Member, 140 posts)
Ron, thanks again. I did the regedit and deleted all the strange drivers, but others keep coming back. I uninstall and delete with regedit and others come back. The Trojans/viruses return to pagefile after delete with rescue disk and Win. The rescue disk will no longer connect to the net to do an update. Anything I can do to get it to connect as it did before? Anything I can do to stop all the strange drivers and Trojans/viruses from returning? Sigverif does not see any of the strange drivers, but device manager says that they are working just fine as unknown manufacturer and unknown location.

Edited by DAV2, 13 February 2012 - 01:23 PM.


#156 RKinner (Malware Expert, MVP, 24,485 posts)
Run Combofix and let's see what it says. Remember to turn off your anti-virus while downloading or running Combofix.

#157 DAV2 (Topic Starter, Member, 140 posts)
Ron, I found out that when Win makes a PNG file it makes a shortcut to it and then makes a shortcut to the shortcut. When I go to the picture it tries to load the shortcut to the shortcut, but can not find where it placed it and that is why it can not open the PNG files. Why it is designed to make a shortcut of a shortcut and misplace it is beyond me, but that is what it appears to be doing.
Combofix next.

Attached Thumbnails

  • short2142.PNG


#158 DAV2 (Topic Starter, Member, 140 posts)
Ron, I deleted all the strange drivers that "Sigverif" did not see and were by unknown and located in unknown, but were working just fine and showing up as failed to load in "Events" log.

ComboFix 12-02-13.01 - 396 02/14/2012 7:59.1.12 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16361.13563 [GMT -6:00]
Running from: c:\users\396\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\a
.
.
((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
.
.
2012-02-14 14:00 . 2012-02-14 14:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-14 13:20 . 2012-02-14 13:20 -------- d-----w- c:\program files (x86)\Microsoft ActiveSync
2012-02-12 17:54 . 2012-02-13 14:50 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-02-11 20:25 . 2012-02-11 20:25 -------- d-----w- C:\VritualRoot
2012-02-09 02:11 . 2012-02-09 02:11 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-02-09 02:10 . 2012-02-09 02:10 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-02-09 02:04 . 2012-02-09 02:04 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-09 02:04 . 2012-02-09 02:04 -------- d-----w- c:\windows\system32\Macromed
2012-02-09 02:03 . 2012-02-09 02:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-09 02:03 . 2012-02-09 02:03 -------- d-----w- c:\programdata\Malwarebytes
2012-02-09 02:03 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-09 01:56 . 2012-02-13 21:40 -------- d-----w- C:\DOWN
2012-02-09 01:36 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-02-09 01:36 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-09 01:36 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-02-09 01:36 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-09 01:36 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-02-09 01:15 . 2011-03-25 03:29 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2012-02-09 01:15 . 2011-03-25 03:29 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-02-09 01:15 . 2011-03-25 03:29 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
2012-02-09 01:15 . 2011-03-25 03:29 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys
2012-02-09 01:15 . 2011-03-25 03:29 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2012-02-09 01:15 . 2011-03-25 03:29 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2012-02-09 01:15 . 2011-03-25 03:28 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
2012-02-09 01:14 . 2011-03-11 06:33 2565632 ----a-w- c:\windows\system32\esent.dll
2012-02-09 01:14 . 2011-03-11 06:30 96768 ----a-w- c:\windows\system32\fsutil.exe
2012-02-09 01:14 . 2011-03-11 06:41 189824 ----a-w- c:\windows\system32\drivers\storport.sys
2012-02-09 01:14 . 2011-03-11 06:41 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys
2012-02-09 01:14 . 2011-03-11 06:41 1659776 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-02-09 01:14 . 2011-03-11 06:41 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys
2012-02-09 01:14 . 2011-03-11 06:41 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2012-02-09 01:14 . 2011-03-11 06:41 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys
2012-02-09 01:14 . 2011-03-11 06:41 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys
2012-02-09 01:14 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\SysWow64\esent.dll
2012-02-09 01:14 . 2011-03-11 05:31 74240 ----a-w- c:\windows\SysWow64\fsutil.exe
2012-02-09 01:12 . 2012-02-09 01:12 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-02-09 00:47 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-02-09 00:44 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2012-02-09 00:43 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-09 00:43 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-02-09 00:43 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-02-09 00:43 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2012-02-09 00:43 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-02-09 00:43 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-02-09 00:43 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2012-02-09 00:43 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-02-09 00:43 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-02-09 00:43 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-02-08 22:47 . 2012-02-14 01:35 -------- d-----w- c:\programdata\CPA_VA
2012-02-08 22:41 . 2012-02-08 23:02 -------- d-----w- c:\programdata\Comodo
2012-02-08 22:41 . 2012-02-08 22:41 -------- d-----w- c:\program files\COMODO
2012-02-08 22:41 . 2012-02-08 22:41 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2012-02-08 22:41 . 2012-02-08 22:41 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2012-02-08 22:41 . 2012-02-08 22:41 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
2012-02-08 22:41 . 2012-02-08 22:41 -------- d-----w- c:\program files (x86)\Comodo
2012-02-08 20:33 . 2012-02-08 18:41 -------- d-----w- c:\windows\Panther
2012-02-08 19:57 . 2012-02-08 19:57 -------- d-----w- c:\windows\system32\SPReview
2012-02-08 19:44 . 2010-11-20 11:01 2560 ----a-w- c:\windows\system32\drivers\en-US\rdpwd.sys.mui
2012-02-08 19:44 . 2010-11-20 10:57 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2012-02-08 19:44 . 2010-11-20 11:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2012-02-08 19:44 . 2010-11-20 11:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2012-02-08 19:35 . 2012-02-08 19:35 -------- d-----w- c:\windows\system32\EventProviders
2012-02-08 19:19 . 2011-06-29 16:51 171688 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2012-02-08 19:19 . 2012-02-08 19:19 -------- d-----w- c:\program files\Intel
2012-02-08 19:12 . 2012-02-08 19:12 -------- d-----w- c:\programdata\ASUS OC Profiles
2012-02-08 19:08 . 2012-02-09 02:30 -------- d-----w- c:\programdata\WinZip
2012-02-08 19:04 . 2012-02-08 19:04 -------- d-----w- c:\program files\ASUS
2012-02-08 19:02 . 2009-07-14 06:21 1721576 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2012-02-08 19:02 . 2012-02-08 19:02 -------- d-----w- c:\windows\SysWow64\Macromed
2012-02-08 18:59 . 2008-12-03 02:05 184320 ----a-w- c:\windows\SysWow64\drivers\UpdateHelper.dll
2012-02-08 18:59 . 2012-02-08 19:04 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2012-02-08 18:59 . 2012-02-08 18:59 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2012-02-08 18:58 . 2012-02-08 18:58 -------- d-----w- c:\programdata\ASUS
2012-02-08 18:58 . 2012-02-08 19:01 -------- d-----w- c:\program files (x86)\ASUS
2012-02-08 18:58 . 2010-08-24 07:16 13440 ----a-r- c:\windows\SysWow64\drivers\AsIO.sys
2012-02-08 18:58 . 2010-06-29 07:41 28672 ----a-r- c:\windows\SysWow64\AsIO.dll
2012-02-08 18:58 . 2008-01-04 05:34 11832 ------w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
2012-02-08 18:57 . 2011-07-20 01:37 342704 ----a-w- c:\windows\system32\drivers\e1c62x64.sys
2012-02-08 18:57 . 2011-06-29 17:13 68264 ----a-w- c:\windows\system32\e1cmsg.dll
2012-02-08 18:57 . 2009-05-26 02:05 36472 ----a-w- c:\windows\system32\NicCo36.dll
2012-02-08 18:57 . 2011-06-15 17:02 98496 ----a-w- c:\windows\system32\NicInstC.dll
2012-02-08 18:54 . 2012-02-08 18:54 -------- d-----w- c:\program files (x86)\ASM104xUSB3
2012-02-08 18:52 . 2012-02-08 18:52 -------- d-----w- c:\program files (x86)\ASM106xSATA
2012-02-08 18:51 . 2012-02-08 18:51 16896 ----a-w- c:\windows\AsTaskSched.dll
2012-02-08 18:50 . 2012-02-08 19:03 -------- d-----w- c:\program files (x86)\Intel
2012-02-08 18:50 . 2011-07-29 05:54 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
2012-02-08 18:50 . 2012-02-08 18:50 -------- d-----w- C:\Intel
2012-02-08 18:49 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-02-08 18:46 . 2012-02-08 18:46 0 ----a-w- c:\windows\ativpsrm.bin
2012-02-08 18:45 . 2011-05-25 03:04 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-02-08 18:45 . 2011-05-25 02:19 58880 ----a-w- c:\windows\system32\coinst.dll
2012-02-08 18:45 . 2012-02-08 18:45 -------- d-----w- c:\program files (x86)\ATI Technologies
2012-02-08 18:45 . 2012-02-14 13:34 -------- d-sh--w- c:\windows\Installer
2012-02-08 18:45 . 2012-02-08 18:45 -------- d-----w- c:\program files\ATI
2012-02-08 18:44 . 2012-02-08 18:44 -------- d-----w- c:\program files\ATI Technologies
2012-02-08 18:41 . 2012-02-08 18:41 -------- d-----w- c:\users\396
2012-02-08 18:41 . 2012-02-08 18:41 -------- d-----w- C:\Recovery
2012-01-18 03:00 . 2012-01-18 03:00 577824 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 19:55 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-02-08 19:55 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-12-20 00:59 . 2011-12-20 00:59 93200 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-20 00:59 . 2011-12-20 00:59 43248 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-20 00:59 . 2011-12-20 00:59 22696 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-20 00:58 . 2011-12-20 00:58 41200 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-20 00:58 . 2011-12-20 00:58 389840 ----a-w- c:\windows\system32\guard64.dll
2011-12-20 00:58 . 2011-12-20 00:58 301224 ----a-w- c:\windows\SysWow64\guard32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 213304]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 184120]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.16\atkexComSvc.exe [2011-08-09 918144]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.15\aaHMSvc.exe [2011-08-09 947328]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]
S2 AsusFanControlService;AsusFanControlService;c:\program files (x86)\ASUS\AsusFanControlService\1.00.07\AsusFanControlService.exe [2011-09-20 1406080]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [2012-02-13 404728]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [x]
S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys [x]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [x]
S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 9454920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\AI Suite II\AsRoutineController.exe
c:\program files (x86)\ASUS\AI Suite II\DIGI+ Power Control\PowerControlHelp.exe
c:\program files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
c:\program files (x86)\ASUS\AI Suite II\AI Suite II.exe
c:\program files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
.
**************************************************************************
.
Completion time: 2012-02-14 08:04:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 14:04
.
Pre-Run: 1,945,837,166,592 bytes free
Post-Run: 1,945,529,606,144 bytes free
.
- - End Of File - - 9F97F148E10206C1C59F69C74ED27751

#159 RKinner (Malware Expert, MVP, 24,485 posts)
No sign of your strange drivers now in the combofix log. Are you still getting them?

What program are you using to create the .png files? I made one with Paint and it just created the file.

Ron

#160 DAV2 (Topic Starter, Member, 140 posts)
Ron, thanks. The last strange driver popped up yesterday and I uninstalled it and removed it from registry as you instructed. I guess Win deletes them automatically, because I can not find them any more.

I am still deleting Trojans/viruses from the pagefile.
Params: C:\ D:\ E:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
E:\pagefile.sys INFECTED: Win32:FakeVimes-B [Trj]
E:\Users\396\Downloads\mbam--setup-1.60.1.1000.exe\{embedded}\setup.exe ERROR: Unknown packer version.
;--------------------------
;Files: 320557
;Folders: 41705
;Files size: 108652911200
;Infected files: 2
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******
;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******
D:\pagefile.sys DELETE OK 1 0
E:\pagefile.sys DELETE OK 1 0

I just do screen captures of/by Win of real time screens, like these with the snipping tool. (yes, the 970.34% net annual rate of return was on the low side for that real time screen shot.)

Since I ordered genuine Win software from China and it came shipped from Langley Va., I just wanted to make sure that this was the way all Win works and nothing funny was happening with my genuine validated copies. (Still do not like the unwanted connection/transfer to Akamai.)

Comodo crashed for the third time with this load, but I guess that is just how Win works. I will plead with Comodo to fix their program, so far to no avail, just like all the pleading with Win to fix Win has gone nowhere to date.

Any other suggestions to keep Win working longer than a few weeks, so I can get back to playing real world games of making money on a secure computer instead of useless kid games and watching movies all free with free hacked Win software like others?

Attached Thumbnails

  • STRANDRIV2142.PNG
  • TF15PR11101.PNG
  • TF15PR111012.PNG
  • COMODOCRASHES.PNG

Edited by DAV2, 14 February 2012 - 01:06 PM.

#161 RKinner (Malware Expert, MVP, 24,485 posts)

Quote: "Since I ordered genuine Win software from China and it came shipped from Langley Va.,"

Don't understand what this genuine Win software is supposed to be. Pretty sure genuine Windows 7 would not be coming from China. Are you sure you don't have counterfeit software?

http://www.microsoft....aspx#Packaging

#162 DAV2 (Topic Starter, Member, 140 posts)
Ron, thanks for your concern, but it is genuine holographic and verified by MS. It scans clean by Mbam, MS, Comodo, Avast, Defender, Essentials and etc. MS has looked real time into the computer along with Mca..., and Com... technicians and certified it as correctly running verified software. It just does not function and that has been verified over and over again. Yes, the seller of some of it has sales from China (after all MS shared the Win source code with China years ago), but it shipped from Langley, Virginia and Ohio, USA. (I just went with the cheapest source.) I am fairly sure it is not counterfeit. (7.1 Disk came right from MS) My main concern was security and having secure computers to do the multi million dollar international Forex trading. This all started right after I broke what I call the bounce code of the international/market movers and who knows what resources that entails. I just need secure computers to do the trades. I do not intend to play kids games or watch movies. I have been able to achieve well north of 100% net returns in all tested markets so far, but the computers systematically disintegrate as soon as I begin the trading in earnest. Just need help in keeping them functioning. Thanks for all your help so far. (Is there any way to be sure that the security router is blocking all the China/Russia/etc. attacks that are showered on it daily? My hacker friend says not to worry, because it is.)

#163 DAV2 (Topic Starter, Member, 140 posts)
Ron, it happened again. WinWord would not let me save a document until I allowed it to connect to "23.3.68.104" Akamai in Cambridge. Then as soon as I allowed the connection to 23.3.68.104 Comodo crashed for the fourth time. What is the best way to stop this? Thanks.

#164 RKinner (Malware Expert, MVP, 24,485 posts)
Sounds like a MacroVirus.

Close Word. Do a search for all files (hidden and System) called normal.dot or normal.dotx and rename them to anormal.dot or anormal.dotx.
I no longer use Word, so I'm going by memory here and the instructions are a bit vague:
Open Word by using Programs, Office, Word or by clicking directly on winword.exe. Do not open an existing document. Go into Tools and tell it to
a. Prompt when saving the global template.

b. Set it to not run Macros. (Highest security)

Close Word. Agree to save the template.

Now open the word doc that wouldn't save. Does it complain about macros?

Ron
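The template check and rename Ron describes, as an added PowerShell example (mine, not from the post): it finds every Normal.dot/.dotm copy, hidden ones included, tests each for an embedded VBA project, moves the ones carrying code aside as aNormal.*, and tightens Word's macro setting. The search roots, the Office version keys (10.0 to 14.0) and the helper names are my assumptions; close Word before running it.

```powershell
# Added example, not code from the thread. Add 'C:\' to $SearchRoots to scan a
# whole drive as the post suggests; the default is the per-user template folder.
$SearchRoots = @("$env:APPDATA\Microsoft\Templates")
$latin1 = [System.Text.Encoding]::GetEncoding(28591)   # 1 byte -> 1 char, lossless

function Test-VbaProject([string]$path) {
    # .dotm is a zip: the entry name 'word/vbaProject.bin' is stored in clear text.
    # .dot is an OLE compound file: the VBA storage name '_VBA_PROJECT' sits in the
    # directory entries as UTF-16LE, which under Latin-1 decoding reads as each
    # letter followed by a NUL. Either marker means macro code is present.
    $text  = $latin1.GetString([System.IO.File]::ReadAllBytes($path))
    $utf16 = ([char[]]'_VBA_PROJECT' | ForEach-Object { "$_`0" }) -join ''
    return ($text.Contains('word/vbaProject.bin') -or $text.Contains($utf16))
}

function Find-NormalTemplates([string[]]$roots) {
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden and system files, as the post asks for
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match '^Normal\.dot[mx]?$' }
    }
}

function Move-TemplateAside([System.IO.FileInfo]$file) {
    # Ron's convention: Normal.dot -> aNormal.dot. An earlier aNormal.* is kept by
    # adding a timestamp instead of overwriting it.
    $target = Join-Path $file.DirectoryName ('a' + $file.Name)
    if (Test-Path -LiteralPath $target) {
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $target = Join-Path $file.DirectoryName ("a$($file.BaseName)-$stamp$($file.Extension)")
    }
    $file.Attributes = 'Normal'     # clear hidden/system so the move is allowed
    Move-Item -LiteralPath $file.FullName -Destination $target
    return $target
}

function Set-WordMacroSecurity {
    # Word 2002/2003 (Office 10.0/11.0) use Security\Level: 3 = High, only signed
    # macros from trusted sources run. Word 2007/2010 (12.0/14.0) use
    # Security\VBAWarnings: 4 = disable all macros without notification.
    # Per-user keys; only versions actually installed are touched.
    foreach ($v in '10.0', '11.0') {
        $k = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name Level -Value 3 -Type DWord }
    }
    foreach ($v in '12.0', '14.0') {
        $k = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name VBAWarnings -Value 4 -Type DWord }
    }
}

# Report every template found; move aside only those that carry VBA. Set
# $MoveAll = $true to follow the post literally and move every copy (Word then
# rebuilds a fresh Normal template on its next start).
$MoveAll = $false
foreach ($tpl in Find-NormalTemplates $SearchRoots) {
    $hasVba = Test-VbaProject $tpl.FullName
    $tag = if ($hasVba) { 'VBA  ' } else { 'clean' }
    '{0} {1,8} bytes  {2}  {3}' -f $tag, $tpl.Length, $tpl.LastWriteTime, $tpl.FullName
    if ($hasVba -or $MoveAll) { '  moved aside -> ' + (Move-TemplateAside $tpl) }
}
Set-WordMacroSecurity
```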

#165 DAV2 (Topic Starter, Member, 140 posts)
Ron, thanks. I renamed normal and tried to do as you suggested, but Word said that changes have been made that affect the "Global template", do you want to save these changes? I answered Yes. (BTW: I am not a hacker/programmer at all. I just am lucky/good at reverse engineering.)
I noticed from the log that NETFRAMEWORK likes to connect to 23.3.68.144 and Word said it wanted to connect to 23.3.68.104 with a macro that was digitally signed by "MS" but had expired. Is this just all normal for Win?
When I click on disable macros Word wants to connect to 23.3.68.113. If I answer no it wants to connect to 23.3.68.114 and if I answer no it will not proceed. Ok, a few more clicks and it finally let me proceed, but it took a few minutes.

Edited by DAV2, 15 February 2012 - 12:38 PM.
