Windows XP SP3 slow, excessive HDD hits cause system to drag [Closed]


This topic is locked. 26 replies to this topic.

#16 Jo*
SuperMember, Malware Team, 1,208 posts

Posted 31 December 2013 - 10:18 AM

Hi SkinnyTex,
 

I am unable to remove Java in safe mode. A normal boot hangs up when I attempt to open the applet "Add or Remove Programs" from the control panel. The screen attempts to load a list of programs but then stops. How do I proceed from here?

Are there other problems, when the pc runs in normal mode?

I noticed earlier that you ran Malwarebytes Anti-Rootkit in safe mode. Why?
 

***


Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
cfRC_screen_2.png
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Enable your antivirus!
 

***


Graduate of the WTT Classroom
Cheers,
Jo



#17 SkinnyTex
Authentic Member, 31 posts, Interests: Web development

Posted 31 December 2013 - 03:57 PM

Jo,

I ran in safe mode because normal mode kept locking up on me. I have run ComboFix. Here is the text file:

 

 

ComboFix 13-12-31.01 - Admin John 12/31/2013 15:21:34.5.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.578 [GMT -6:00]
Running from: c:\documents and settings\Admin John\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\EventSystem.log
c:\windows\system32\Cache
c:\windows\system32\Cache\075884af680ff6dc.fb
c:\windows\system32\Cache\227113dfa1ca894d.fb
c:\windows\system32\Cache\31f13b2dfd363341.fb
c:\windows\system32\Cache\48aff3425bcdc478.fb
c:\windows\system32\Cache\49fbbc5a8678d502.fb
c:\windows\system32\Cache\5c54eb1a1655b076.fb
c:\windows\system32\Cache\613e8ce7ab7106af.fb
c:\windows\system32\Cache\633a76311867bd11.fb
c:\windows\system32\Cache\6682bfb32dea0442.fb
c:\windows\system32\Cache\691f14230153a9e1.fb
c:\windows\system32\Cache\6cb409d7ac73d9f1.fb
c:\windows\system32\Cache\7614bd6cfa99e546.fb
c:\windows\system32\Cache\77664b6ccc36be9f.fb
c:\windows\system32\Cache\881b3593316772f0.fb
c:\windows\system32\Cache\8c91d1e3ffca299b.fb
c:\windows\system32\Cache\945d628c2b01668b.fb
c:\windows\system32\Cache\98657d0579ae1930.fb
c:\windows\system32\Cache\ba22977aa471cee3.fb
c:\windows\system32\Cache\d56fa87d33ed7412.fb
c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb
c:\windows\system32\Cache\d9ca663388d21ec0.fb
c:\windows\system32\Cache\eb819070ae08d3a0.fb
c:\windows\system32\Cache\f2cda51fd108941f.fb
c:\windows\system32\Cache\f34d8db84131d925.fb
.
.
((((((((((((((((((((((((( Files Created from 2013-11-28 to 2013-12-31 )))))))))))))))))))))))))))))))
.
.
2013-12-29 13:05 . 2013-12-29 13:05 -------- d-----w- c:\documents and settings\Admin John\Local Settings\Application Data\FileTypeAssistant
2013-12-27 17:30 . 2013-12-28 20:13 -------- d-----w- C:\AdwCleaner
2013-12-27 17:04 . 2013-12-27 17:04 -------- d-----w- c:\documents and settings\Admin John\.android
2013-12-27 17:03 . 2013-12-27 17:06 -------- d-----w- c:\documents and settings\Admin John\Local Settings\Application Data\cache
2013-12-27 17:03 . 2013-12-27 17:50 -------- d-----w- c:\documents and settings\Admin John\Application Data\newnext.me
2013-12-27 17:03 . 2013-12-27 17:03 -------- d-----w- c:\documents and settings\Admin John\Local Settings\Application Data\genienext
2013-12-27 17:00 . 2013-12-27 17:00 -------- d-----w- c:\documents and settings\Admin John\Application Data\DigitalSites
2013-12-27 16:46 . 2013-09-30 15:53 632656 ----a-w- c:\windows\system32\msvcr80.dll
2013-12-27 16:46 . 2013-09-30 15:53 554832 ----a-w- c:\windows\system32\msvcp80.dll
2013-12-27 16:46 . 2013-09-30 15:53 479232 ----a-w- c:\windows\system32\msvcm80.dll
2013-12-27 15:28 . 2013-12-27 22:13 104664 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-12-27 15:25 . 2013-12-27 22:13 51416 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-12-26 21:09 . 2013-12-26 21:09 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2013-12-26 21:09 . 2013-12-26 21:09 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2013-12-26 21:09 . 2013-12-26 21:09 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2013-12-26 21:09 . 2013-12-26 21:09 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2013-12-26 21:09 . 2013-12-26 21:09 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2013-12-26 21:08 . 2013-12-26 21:09 -------- d-----w- c:\program files\QuickTime
2013-12-26 19:44 . 2013-12-26 19:44 -------- d-----w- c:\documents and settings\Admin John\Application Data\Netgear Live Parental Controls
2013-12-26 19:43 . 2013-12-26 19:43 -------- d-----w- c:\program files\NETGEAR Live Parental Controls Management Utility
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-26 20:42 . 2012-04-01 17:40 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-26 20:42 . 2011-07-16 23:21 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-13 02:59 . 2004-08-04 12:00 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2004-08-04 12:00 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2011-07-13 07:20 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2004-08-04 12:00 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-23 23:45 . 2004-08-04 12:00 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-12 15:56 . 2004-08-04 12:00 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2004-08-04 12:00 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2004-08-04 12:00 603136 ----a-w- c:\windows\system32\crypt32.dll
2012-10-24 17:50 . 2012-11-03 18:48 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-07-26 15:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-07-26 15:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-07-26 15:03 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 21:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 21:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin John^Start Menu^Programs^Startup^StrongVaultApp.lnk]
path=c:\documents and settings\Admin John\Start Menu\Programs\Startup\StrongVaultApp.lnk
backup=c:\windows\pss\StrongVaultApp.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivClient Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk
backup=c:\windows\pss\ActivClient Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accrdsub]
2009-06-03 21:13 400936 ----a-w- c:\program files\ActivIdentity\ActivClient\accrdsub.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acevents]
2009-06-03 21:16 153640 ----a-w- c:\program files\ActivIdentity\ActivClient\acevents.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-05-11 10:37 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 22:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 06:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-09-14 01:51 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSDAppUpdater]
2012-09-15 16:39 1660232 ----a-w- c:\program files\Common Files\BSD\AppUpdater\BSDChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2010-03-25 01:50 2516296 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2010-04-02 14:18 1185112 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2012-07-26 15:03 1061960 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 19:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 17:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-02-25 16:29 1626112 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 09:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-05-16 18:39 16862720 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-11-09 17:27 17877168 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 14:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vToolbarUpdater15.2.0"=2 (0x2)
"SkypeUpdate"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AgereModemAudio"=2 (0x2)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
"ac.sharedstore"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IJPLMSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WinkHandler"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"CarboniteService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
"c:\\Program Files\\File Type Assistant\\tsassist.exe"=
"c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 aswRvrt;aswRvrt; [x]
R0 aswVmm;aswVmm; [x]
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-05-09 66336]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]
R3 EZUSB;EZUSB PC/SC Smart Card Reader;c:\windows\system32\DRIVERS\ezusb.sys [2008-06-04 63288]
R4 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
R4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-11-09 160944]
R4 WinkHandler;WinkHandler;c:\program files\Iminent\WinkHandler.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-12-05 06:35 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 20:42]
.
2013-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-12-31 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-06-12 08:58]
.
2013-12-30 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2012-06-17 19:24]
.
2013-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-01 17:25]
.
2013-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-01 17:25]
.
2013-12-31 c:\windows\Tasks\ProgramUpdateCheck.job
- c:\program files\File Type Assistant\tsassist.exe [2012-06-17 03:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
Trusted Zone: army.mil\owa.usar
Trusted Zone: militarycac.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{22F63F00-D528-4F14-961C-C58086687AB1}: NameServer = 50.7.75.35,76.73.7.74
TCP: Interfaces\{CF2C4811-4F7B-4420-9EF8-1374BACB62B6}: NameServer = 50.7.75.35,76.73.7.74
FF - ProfilePath - c:\documents and settings\Admin John\Application Data\Mozilla\Firefox\Profiles\z9680u01.default\
FF - prefs.js: keyword.URL -
FF - ExtSQL: 2013-12-26 13:39; webbooster@iminent.com; c:\documents and settings\Admin John\Application Data\Mozilla\Firefox\Profiles\z9680u01.default\extensions\webbooster@iminent.com.xpi
FF - ExtSQL: !HIDDEN! 2012-10-14 08:50; {1FD91A9C-410C-4090-BBCC-55D3450EF433}; c:\program files\Searchqu Toolbar\Datamngr\FirefoxExtension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-Google Update - c:\documents and settings\Admin John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-vProt - c:\program files\AVG SafeGuard toolbar\vprot.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-31 15:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(568)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\NTMARTA.DLL
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
.
Completion time: 2013-12-31 15:50:29
ComboFix-quarantined-files.txt 2013-12-31 21:50
ComboFix2.txt 2013-06-10 00:00
ComboFix3.txt 2013-06-01 19:22
ComboFix4.txt 2013-06-01 17:13
ComboFix5.txt 2013-12-31 21:13
.
Pre-Run: 226,590,031,872 bytes free
Post-Run: 227,867,119,616 bytes free
.
- - End Of File - - D95A2663411B2F77C6790F674BCDA958
8F558EB6672622401DA993E1E865C861
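A defender's triage pass over a report like the one SkinnyTex posted, as an added example that is not part of this thread or of ComboFix: it picks out the entries Jo goes after with OTL in the next post (Iminent, Searchqu, LyricsWoofer), a startup service whose binary is marked [x], a Firefox extension marked !HIDDEN!, and a network interface whose name servers differ from the DHCP-assigned one. The sample lines are copied from the report above; the regular expressions, the watch list and the reading of [x] as "no file found at that path" are assumptions about the log layout rather than ComboFix documentation.

```python
"""Triage helper for a ComboFix report like the one posted above.

Added example, not code from the thread, from ComboFix or from What the Tech.
The regular expressions are my reading of the log layout, and the meaning of
the trailing "[x]" on a service line (no file found at the listed path) is an
assumption, not documented ComboFix behaviour.
"""
import re
from dataclasses import dataclass

# Names Jo removes with OTL in the next post; matched case-insensitively.
WATCH_LIST = ("iminent", "searchqu", "lyricswoofer")

# Constructed sample: lines copied from the report above, one per line type.
SAMPLE_LOG = r"""
2013-12-27 17:03 . 2013-12-27 17:50 -------- d-----w- c:\documents and settings\Admin John\Application Data\newnext.me
2013-12-27 16:46 . 2013-09-30 15:53 632656 ----a-w- c:\windows\system32\msvcr80.dll
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-05-09 66336]
R4 WinkHandler;WinkHandler;c:\program files\Iminent\WinkHandler.exe [x]
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{22F63F00-D528-4F14-961C-C58086687AB1}: NameServer = 50.7.75.35,76.73.7.74
FF - ExtSQL: 2013-12-26 13:39; webbooster@iminent.com; c:\documents and settings\Admin John\Application Data\Mozilla\Firefox\Profiles\z9680u01.default\extensions\webbooster@iminent.com.xpi
FF - ExtSQL: !HIDDEN! 2012-10-14 08:50; {1FD91A9C-410C-4090-BBCC-55D3450EF433}; c:\program files\Searchqu Toolbar\Datamngr\FirefoxExtension
"""

# "Files Created" entry: created . modified size attributes path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) ([-a-z]{8}) (.+)$")
# Service/driver entry: R<start> name;display;path [date size] or [x]
SERVICE_RE = re.compile(r"^R([0-4]) ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$")
DHCP_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
IFACE_RE = re.compile(r"^TCP: Interfaces\\(\{[^}]+\}): NameServer = (.+)$")
# Firefox extension: optional !HIDDEN! marker, install time, id, path
FF_RE = re.compile(r"^FF - ExtSQL: (!HIDDEN! )?(\S+ \S+); ([^;]+); (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # watchlist | missing-binary | hidden-extension | dns-override
    detail: str


def _watched(text: str, watch) -> bool:
    low = text.lower()
    return any(name in low for name in watch)


def review(report: str, watch=WATCH_LIST) -> list:
    """Return the entries of a ComboFix report that deserve a second look."""
    findings = []
    dhcp_servers = set()
    iface_servers = []  # (interface GUID, set of configured name servers)
    for raw in report.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            created, _modified, _size, attrs, path = m.groups()
            if _watched(path, watch):
                kind = "folder" if attrs[0] == "d" else "file"
                findings.append(Finding("watchlist", f"new {kind} {path} (created {created})"))
        elif m := SERVICE_RE.match(line):
            _start, name, _display, path, stamp = m.groups()
            if path and stamp == "x":
                findings.append(Finding("missing-binary", f"service {name} points at {path} but no file was found there"))
            if _watched(path, watch):
                findings.append(Finding("watchlist", f"service {name} runs {path}"))
        elif m := DHCP_RE.match(line):
            dhcp_servers.update(s.strip() for s in m.group(1).split(","))
        elif m := IFACE_RE.match(line):
            servers = {s.strip() for s in m.group(2).split(",")}
            iface_servers.append((m.group(1), servers))
        elif m := FF_RE.match(line):
            hidden, installed, ext_id, path = m.groups()
            if hidden:
                findings.append(Finding("hidden-extension", f"Firefox extension {ext_id} is marked !HIDDEN! ({path})"))
            if _watched(ext_id + " " + path, watch):
                findings.append(Finding("watchlist", f"Firefox extension {ext_id} installed {installed} from {path}"))
    # Static per-interface DNS that differs from what DHCP handed out is worth
    # confirming with the owner; here it is only reported, not judged.
    for guid, servers in iface_servers:
        if dhcp_servers and not servers <= dhcp_servers:
            findings.append(Finding("dns-override", f"interface {guid} uses name servers {', '.join(sorted(servers))}; DHCP assigned {', '.join(sorted(dhcp_servers))}"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"[{finding.kind}] {finding.detail}")
```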



#18 Jo*
SuperMember, Malware Team, 1,208 posts

Posted 01 January 2014 - 01:13 PM

Hi SkinnyTex,

Is your hard drive an SSD?

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


    :OTL
    HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\lwoofer@lyricswoofer.co: C:\Program Files\LyricsWoofer\116.xpi
    [2013/06/01 13:37:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin John\Application Data\Mozilla\Firefox\Profiles\z9680u01.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
    PRC - C:\Program Files\Iminent\WinkHandler.exe ()
    
    :Files
    C:\Program Files\LyricsWoofer
    C:\Program Files\Iminent
    c:\program files\Searchqu Toolbar\Datamngr\FirefoxExtension
    c:\documents and settings\Admin John\Application Data\Mozilla\Firefox\Profiles\z9680u01.default\extensions\webbooster@iminent.com.xpi
    
    :Commands
    [purity]
    [emptytemp]
    

    NOTICE: This script was written specifically for this user, for use on that particular machine.
    Running this on another machine may cause damage to your operating system.
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fix log as well as a new OTL log, produced by rerunning OTL after the reboot without the custom scan script.
How is the computer running now in normal mode?

Try to uninstall old Java versions again in normal mode. Does it work now?


***


Graduate of the WTT Classroom
Cheers,
Jo

#19 SkinnyTex
Authentic Member, 31 posts, Interests: Web development

Posted 02 January 2014 - 06:37 AM

Jo, I am not able to boot in normal mode.  No icons or start button load to my screen.  The boot just hangs up.  Can I run this script in safe mode?  Thank you for your help. Is there any hope of cleaning up this computer so it will be useful again?  I feel discouraged.  This is harder than I would like it to be.  I won't give up if you promise not to give up either.  Let me know what to do next please.



#20 SkinnyTex
Authentic Member, 31 posts, Interests: Web development

Posted 02 January 2014 - 06:41 AM

Jo, my computer is an "eMachine" brand desktop computer, about 6 years old and it has a HDD, not a solid-state disk drive.  Thanks again for your help.



#21 Jo*
SuperMember, Malware Team, 1,208 posts

Posted 03 January 2014 - 12:01 PM

Hi SkinnyTex,

Your problems with normal mode are not caused by malware.
It may take a longer time to repair this pc!

You can start a new topic at our Windows section:
Link

Or go on with me:

***


Download Farbar Recovery Scan Tool 32-Bit
and save it to a flash drive.

Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

***


Try to run the pc in normal mode.

On your desktop:
Now please go to the MBAR folder and then run the "fixdamage.exe" tool that's inside the mbar\plugins folder.

Graduate of the WTT Classroom
Cheers,
Jo

#22 Jo*
SuperMember, Malware Team, 1,208 posts

Posted 06 January 2014 - 01:53 AM


Hi,

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Threads will be closed if no response after 3 days.
Graduate of the WTT Classroom
Cheers,
Jo

#23 SkinnyTex
Authentic Member, 31 posts, Interests: Web development

Posted 06 January 2014 - 03:41 AM

Jo, I am not sure what happened but a reply I posted did not show up. I will attempt to perform these actions tonight but am concerned that I may not have an installation disc with my OS on it. I will respond within 24 hours and let you know what I am able to accomplish. Thank you.

#24 SkinnyTex
Authentic Member, 31 posts, Interests: Web development

Posted 06 January 2014 - 07:06 PM

Jo,

 

I downloaded the FRST and placed it on a thumb drive but then was not able to complete your instructions beyond that.  Here is where I had to stop:

 

Enter System Recovery Options  - I was not able to do this from the Advanced Boot Options. Even though I was pressing the F8 key I did not see that option.  I did access the Setup when I booted from the CD.  

"This portion of the Setup program prepares Microsoft Windows XP to run on your computer"

- To set up windows XP now, press Enter (Jo, I did not press enter)

- To repair a Windows XP Installation using recovery console, press R (I pressed R Jo)

 

When I pressed Enter, I saw a DOS window open. The Windows Recovery Console opened.

"The Recovery Console provides system repair and recovery functionality

1: C:\Windows"

 

I entered the digit 1 (one) and hit Enter.

 

I was left at the DOS prompt.

 

What can I do next, Jo?



#25 Jo*
SuperMember, Malware Team, 1,208 posts

Posted 07 January 2014 - 02:23 PM

Hi SkinnyTex,

It would be a good idea to back up all your data before we go on!

On some computers the F8 key does not work as described by me.

F5 or F12 can be the assigned key as well.

Try using the F5 or F12 key when starting the pc.
Post results here.

Another possible key is F11.
But F11 sometimes starts a reformat, though that is not likely as you're running XP.
Be careful! In doubt don't do it.

Graduate of the WTT Classroom
Cheers,
Jo



#26 Jo*
SuperMember, Malware Team, 1,208 posts

Posted 10 January 2014 - 04:11 AM

Hi,

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Threads will be closed if no response after 3 days.
Graduate of the WTT Classroom
Cheers,
Jo

#27 CatByte
Classroom Administrator, 21,060 posts, MVP

Posted 12 January 2014 - 01:34 PM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
