Security > Analysis and Malware Removal

"GFI Software Anti MalWare Service has stopped working"


Sojourner:
And finally here is CHECKUP.TXT

 Results of screen317's Security Check version 0.99.41 
 Windows Vista Service Pack 2 x64 (UAC is disabled!) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Lavasoft Ad-Aware                 
AVG Anti-Virus Free Edition 2012   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Ad-Aware
 Java(TM) 7 Update 4 
 Adobe Flash Player 10 Flash Player out of date!
 Adobe Reader X (10.1.3)
 Mozilla Firefox 11.0 Firefox out of Date! 
 Mozilla Thunderbird (13.0.)
 Google Chrome 12.0.742.100 
 Google Chrome 12.0.742.91 
````````Process Check: objlist.exe by Laurent````````
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 AVG avgwdsvc.exe
 AVG avgtray.exe
 Utilities Ad-Aware Antivirus AdAwareService.exe 
 Utilities Ad-Aware Antivirus SBAMSvc.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

Corrine:
Hi, Sojourner.

There is a CounterSpy driver installed on your computer.  I am wondering if it came with the Java update as I understand that the Java installer now provides a check-box for "Optional 3rd-Party Installations" --- without specifying (on that screen) what they are.  Previously, the installer would specify what was being offered, e.g., Google Toolbar.  As atieclxx.exe has been associated with malicious software, it is also possible that a rogue is using a legitimate driver.

That aside, you need to uninstall Ad-Aware since it is also an anti-virus software now.   

I would be negligent if I didn't warn you about uTorrent.   P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:

* Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
* Double-click ComboFix.exe on your desktop and follow the prompts.
* As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.


* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
* When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


* After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


* Click "Yes" to continue scanning for malware.
* When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

Sojourner:
uTorrent is rarely used and then only to download compressed text files - which are nonetheless aggressively scanned before being unpacked.  Except for being fired up to see if it could still get out even when the browsers are blocked, it hadn't been run at all in months.  It shares NO files and never has.

I don't use it to pirate software (there's plenty of open source stuff) or to pirate movies or songs (that's what Netflix and MOG are for, not to pirate, but to let me access music and videos).  I strongly doubt I picked this virus up from the GK Chesterton collection I downloaded from a torrent 9 months ago (at which time it was triple-scanned before it was ever even unpacked, then scanned again after unpacking).

At any rate - given AdAware has changed and since it also apparently silently installed leechware, it's been uninstalled.  I guess I'll have to hunt up some other anti-malware program that won't interfere with AVG.

Be back shortly with the latest results, thanks.

Sojourner:
OK, I had to run ComboFix twice - the first time it generated an empty log file.  I also got a notification that time that "Windows Defender" had crashed.

BTW I totally uninstalled AVG as well - apparently AVG 2012 has no "exit program" option, only "temporarily disable scanning" - I feel it is far far safer to do this sort of thing with no virus processes loaded in memory at all, so to accomplish that apparently you have to actually uninstall the whole thing.  Or at least that was the quickest way to accomplish what I intended.  Anyway, both AdAware and AVG are gone at this point.

Here's the results of run #2:

ComboFix 12-06-15.06 - Sojourner 06/15/2012  18:18:10.2.8 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.6134.4332 [GMT -4:00]
Running from: c:\users\Sojourner\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2012-05-15 to 2012-06-15  )))))))))))))))))))))))))))))))
.
.
2012-06-15 22:23 . 2012-06-15 22:23   --------   d-----w-   c:\users\Sojourner\AppData\Local\temp
2012-06-15 22:23 . 2012-06-15 22:23   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-06-15 21:02 . 2012-06-15 21:02   --------   d-----w-   c:\users\Sojourner\.config
2012-06-15 20:47 . 2012-06-15 20:47   --------   d-----w-   c:\programdata\GFI Software
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Thunderbird
2012-06-14 16:31 . 2012-06-14 16:31   --------   d-----w-   c:\users\Sojourner\AppData\Local\Thunderbird
2012-06-14 05:23 . 2012-06-14 13:26   --------   d-----w-   c:\users\Sojourner\AppData\Roaming\Nico Mak Computing
2012-06-14 05:23 . 2011-11-10 14:33   18760   ----a-w-   c:\windows\system32\roboot64.exe
2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer
2012-06-14 05:20 . 2012-05-01 14:29   209920   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-06-14 05:20 . 2012-05-15 20:15   2767360   ----a-w-   c:\windows\system32\win32k.sys
2012-06-11 10:04 . 2012-06-11 10:04   --------   d-----w-   c:\program files (x86)\Dropbox
2012-06-09 16:21 . 2012-06-09 16:21   --------   d-----w-   c:\program files (x86)\MSXML 4.0
2012-06-08 07:40 . 2012-06-08 07:40   --------   d-----w-   c:\program files (x86)\Common Files\xing shared
2012-06-08 07:39 . 2012-06-08 07:39   129144   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-08 06:27 . 2012-06-08 06:30   --------   d-----w-   c:\users\Sojourner\AppData\Local\adawarebp
2012-06-06 08:56 . 2012-06-06 08:56   955848   ----a-w-   c:\windows\system32\npDeployJava1.dll
2012-06-06 08:56 . 2012-06-06 08:56   --------   d-----w-   c:\program files\Java
2012-06-03 07:07 . 2012-06-03 07:07   --------   d-----w-   c:\program files (x86)\Common Files\Java
2012-06-03 07:07 . 2012-06-03 07:06   772552   ----a-w-   c:\windows\SysWow64\npDeployJava1.dll
2012-05-31 09:39 . 2012-05-31 09:39   419488   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-08 07:39 . 2012-03-27 16:35   499712   ----a-w-   c:\windows\SysWow64\msvcp71.dll
2012-06-08 07:39 . 2012-03-27 16:35   348160   ----a-w-   c:\windows\SysWow64\msvcr71.dll
2012-06-06 08:56 . 2011-05-12 20:37   839112   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-03 07:06 . 2011-05-12 20:37   687560   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2012-05-31 09:39 . 2011-05-13 18:41   70304   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-19 00:56 . 2012-04-19 00:56   94208   ----a-w-   c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56   69632   ----a-w-   c:\windows\SysWow64\QuickTime.qts
2012-04-03 08:22 . 2012-05-10 01:35   4699520   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-03-30 12:45 . 2012-05-10 01:36   1423744   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:34 . 2012-05-10 01:35   72576   ----a-w-   c:\windows\system32\drivers\partmgr.sys
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-06-15_21.35.55   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-06-15 21:37   53418              c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-06-15 21:37   93264              c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-13 15:24 . 2012-06-15 21:37   14226              c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1474229224-1477735228-1670432976-1000_UserData.bin
- 2012-06-15 21:35 . 2012-06-15 21:35   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-15 22:24 . 2012-06-15 22:24   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-15 22:24 . 2012-06-15 22:24   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-15 21:35 . 2012-06-15 21:35   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-16 20:56 . 2012-06-15 22:23   270356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-05-16 20:56 . 2012-06-15 21:34   270356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-06-13 05:49 . 2012-06-15 22:23   37211955              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1474229224-1477735228-1670432976-1000-12288.dat
- 2011-06-13 05:49 . 2012-06-15 21:08   37211955              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1474229224-1477735228-1670432976-1000-12288.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d6a4}]
2009-11-08 14:55   297808   ----a-w-   c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Spotify Web Helper"="c:\users\Sojourner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-14 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-03-22 74752]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\Media\Quicktime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-06-08 296056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\users\Sojourner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Sojourner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-6-6 27502520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-02-24 88576]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-06-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   97792   ----a-w-   c:\users\Sojourner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-02-24 6975520]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [BU]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 2244680]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 2206280]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Sojourner\AppData\Roaming\Mozilla\Firefox\Profiles\6ae0q1en.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://www.kingarthurflour.com/customerservice/promotions.html|http://www.jigidi.com/login.php|http://www.jigzone.com/|http://www.allexperts.com/expertx.cgi
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*w*a*·¬£^\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1474229224-1477735228-1670432976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*w*a*9DÀ*<*ˆàRtÐ?Rt demux: access='file' demux='' path='c:\users\Sojourner\Desktop\My Files\Music\Singing Bowls\100 15 E Master.mp3'*þ„*DÀ**€Ü]
@Allowed: (Read) (RestrictedCode)
"0"=hex:43,3a,5c,55,73,65,72,73,5c,53,6f,6a,6f,75,72,6e,65,72,5c,44,65,73,6b,
   74,6f,70,5c,4d,79,20,46,69,6c,65,73,5c,4d,75,73,69,63,5c,53,69,6e,67,69,6e,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-15  18:29:35 - machine was rebooted
ComboFix-quarantined-files.txt  2012-06-15 22:29
ComboFix2.txt  2012-06-15 21:41
.
Pre-Run: 268,020,228,096 bytes free
Post-Run: 268,607,688,704 bytes free
.
- - End Of File - - A5751155F197758F2C7CEEB8BA6DE675
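As an added example (not ComboFix's own code and not anything posted in this thread), this Python parser pulls the three parts of a ComboFix log that this thread turns on out of a log excerpt: the "Files Created" list, the Run/RunOnce loading points, and the policies\system UAC flag, and then lists what a helper would want to review first. The regexes are written against the layout of the log above, and SAMPLE is a short excerpt of that log.

```python
# Added example: triage helpers for a ComboFix-style log excerpt (not ComboFix's code).
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "Name"="command" [YYYY-MM-DD size]  or  [X]  (file the entry points to is missing)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s+\[([^\]]*)\]$')
# "EnableLUA"= 0 (0x0)
POLICY_RE = re.compile(r'^"([A-Za-z]+)"=\s*(\d+)\s+\(0x[0-9A-Fa-f]+\)$')
# created . modified   size   attrs   path      (size is "--------" for directories)
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})'
                     r'\s+(\S+)\s+(\S+)\s+(.+)$')

# Excerpt of the ComboFix log posted above (only the lines this example needs).
SAMPLE = r"""
2012-06-15 20:47 . 2012-06-15 20:47   --------   d-----w-   c:\programdata\GFI Software
2012-06-14 05:23 . 2011-11-10 14:33   18760   ----a-w-   c:\windows\system32\roboot64.exe
2012-06-14 05:20 . 2012-05-15 20:15   2767360   ----a-w-   c:\windows\system32\win32k.sys
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-03-22 74752]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""


@dataclass
class Findings:
    autostarts: list = field(default_factory=list)  # (key, name, command, marker)
    policies: dict = field(default_factory=dict)    # policy name -> int value
    new_files: list = field(default_factory=list)   # (created, modified, size, attrs, path)


def parse_combofix(text: str) -> Findings:
    """Walk the log line by line, remembering which registry key we are under."""
    f = Findings()
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':          # ComboFix separates blocks with a lone dot
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(('\\run', '\\runonce')):
            f.autostarts.append((key, m.group(1), m.group(2), m.group(3)))
            continue
        m = POLICY_RE.match(line)
        if m and key and key.lower().endswith('\\policies\\system'):
            f.policies[m.group(1)] = int(m.group(2))
            continue
        m = FILE_RE.match(line)
        if m:
            f.new_files.append(m.groups())
    return f


def triage(f: Findings) -> list:
    """Turn parsed entries into review notes; these are leads, not verdicts."""
    notes = []
    if f.policies.get('EnableLUA') == 0:
        notes.append('UAC disabled (EnableLUA=0): matches "UAC is disabled!" in Security Check')
    for key, name, cmd, marker in f.autostarts:
        if marker == 'X':                     # ComboFix marks [X] when the file is missing
            notes.append(f'orphaned autostart "{name}" under {key.split(chr(92))[-1]}: {cmd}')
    for created, modified, size, attrs, path in f.new_files:
        low = path.lower()
        if size.isdigit() and low.startswith('c:\\windows\\system32\\') \
                and low.endswith(('.exe', '.dll', '.sys')):
            # Noisy on purpose: Windows Update drops files here too (win32k.sys below),
            # so a helper correlates each hit with patch and install dates by hand.
            notes.append(f'new binary in system32: {path} ({size} bytes, created {created}, '
                         f'file mtime {modified})')
    return notes


if __name__ == '__main__':
    for note in triage(parse_combofix(SAMPLE)):
        print(note)
```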

Sojourner:
You said: "There is a CounterSpy driver installed on your computer. "

Well that explains where the GFI errors were coming from!  That's a defunct GFI product that was discontinued in May of 2011.

I still have no idea where it came from.
