
Windows Update Error 8024402F

Discussion in 'Virus & Other Malware Removal' started by peppero123, Oct 22, 2012.

Thread Status:
Not open for further replies.
  1. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    That icon is odd; it appears to be Internet Options. Go into Control Panel and see if Internet Options is still there; click on it and it should show the same window as the desktop icon. If it does, right-click on the desktop icon and select Delete, then check back in Control Panel and make sure Internet Options still works from there.

    Please run this to see if there is anything that needs updating.

    Download Security Check by screen317 from Here or Here.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Once we have dealt with anything that needs updating we can then clean up the tools used; please wait for the instructions.
     
  2. peppero123

    peppero123 Thread Starter

    Joined:
    Mar 14, 2009
    Messages:
    31
    I deleted the icon and Internet Options is still there in Control Panel.
    Below is my log:

    Results of screen317's Security Check version 0.99.53
    Windows Vista Service Pack 2 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    AVG Anti-Virus Free Edition 2012
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Ad-Aware
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java 7 Update 9
    Adobe Flash Player 11.4.402.287
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox 12.0 Firefox out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    AVG avgwdsvc.exe
    AVG avgtray.exe
    Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````
     
  3. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    There are remnants of Ad-Aware still in the system; please run this to locate the files.

    Please download SystemLook from one of the links below and save it to your Desktop.



    • Double-click SystemLook.exe to run it.
    • Vista/Windows 7 users right-click and select Run As Administrator.
    • Copy and paste everything in the codebox below into the main textfield:
      Code:
      :filefind
      AAWService.exe
      AAWTray.exe
    • Click the Look button to start the scan.
    • When finished, a Notepad window will open with SystemLook.txt, the results of the search, and a copy will be saved on your Desktop.
    • Please copy and paste the contents of that log in your next reply.
     
  4. peppero123

    peppero123 Thread Starter

    Joined:
    Mar 14, 2009
    Messages:
    31
    Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 11:27 on 30/10/2012 by Cecilia
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "AAWService.exe"
    No files found.

    Searching for "AAWTray.exe"
    No files found.

    -= EOF =-
     
  5. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    OK, we need to do a deeper search: run SystemLook again and copy and paste the following into the text field.

    Code:
    :service
    AAWService
    AAWTray
    
    :regfind
    AAWService
    AAWTray
    
    :process
    AAWService
    AAWTray
     
  6. peppero123

    peppero123 Thread Starter

    Joined:
    Mar 14, 2009
    Messages:
    31
    Here is the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 22:39 on 30/10/2012 by Cecilia
    Administrator - Elevation successful

    ========== service ==========

    AAWService - Unable to open Service Handle.

    AAWTray - Unable to open Service Handle.

    ========== regfind ==========

    Searching for "AAWService"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AB92E0DBE815F7459E06CA5C1256D3F]
    "B0B35DEDC76B4424EAA66DDFC3821DFE"="C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe"

    Searching for "AAWTray"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2279B436E7E84884A82093837C669AF3]
    "B0B35DEDC76B4424EAA66DDFC3821DFE"="C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"

    ========== process ==========

    AAWService - Unable to open process handle.

    AAWTray - Unable to open process handle.

    -= EOF =-
     
  7. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    Did you follow the instructions I gave to uninstall Ad-Aware in post 2? If not please do so.

    Look in C:\Program Files and see if a folder called Lavasoft is present.
     
  8. peppero123

    peppero123 Thread Starter

    Joined:
    Mar 14, 2009
    Messages:
    31
    I did follow those initial instructions - after uninstalling, I found no folders to delete.

    There is no folder called Lavasoft in C:\Program Files
     
  9. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    All we need to do then is remove the registry entries; please post the log when done so I can check it and we can then finish the clean-up.


    We are now going to run ComboFix a different way.

    Open Notepad by clicking on the Start button, and in the Search box type: Notepad.exe and hit Enter.
    Copy and paste everything in the code box below into it.
    -- Note: Make sure Word Wrap is unchecked in Notepad by clicking on Format in the top menu.

    Code:
    KillAll::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AB92E0DBE815F7459E06CA5C1256D3F]
    "B0B35DEDC76B4424EAA66DDFC3821DFE"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2279B436E7E84884A82093837C669AF3]
    "B0B35DEDC76B4424EAA66DDFC3821DFE"=-
    
    ClearJavaCache::
    
    Reboot::
    
    • Save the file as CFScript.txt by choosing Save As... in the File Menu, and save it to your Desktop where the ComboFix icon is also located.
    • Close your browser and disconnect from the Internet.
    • Now use your mouse to drag, then drop the CFScript.txt file on top of ComboFix.exe.
    • This will start ComboFix again and launch the script.
    • ComboFix may reboot your system when it finishes. This is normal.
    • A log will be created just as before and saved to C:\ComboFix.txt. Please copy and paste the contents of ComboFix.txt in your next reply.
    • Be sure to re-enable your anti-virus and other security programs after the scan is complete.
    • NOTE: if you see a message like this when you attempt to open anything after the reboot "Illegal Operation attempted on a registry key that has been marked for deletion" please reboot the system again and the warning should not return.
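    As an added example (not the helper's tool or the thread's own script), the SystemLook :regfind search in post 6 and the CFScript value deletion in post 9 as one PowerShell audit of the per-machine Installer Components key, generalised to also report registrations whose target file no longer exists. The default name patterns, the parameter names and the -Remove switch are assumptions; removal only happens when -Remove is given and it honours -WhatIf.

```powershell
# Added example, not a tool from the thread: audit the per-machine Windows
# Installer component registrations (the key SystemLook's :regfind hit in the
# thread) for leftovers of an uninstalled product, and optionally remove the
# matching values, which is what the CFScript "<product code>"=- lines did.
# Run from an elevated PowerShell prompt. Names below are assumed defaults.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Substrings to look for in each registered target path.
    [string[]]$NamePattern = @('AAWService.exe', 'AAWTray.exe'),
    # Also report registrations whose target file no longer exists on disk.
    [switch]$IncludeOrphans,
    # Delete the matching values (still subject to -WhatIf / -Confirm).
    [switch]$Remove
)

# S-1-5-18 is the LocalSystem (per-machine) installer context seen in the log.
$componentsRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components'

function Get-ComponentRegistration {
    param([string]$Root)

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            if ($p.Value -isnot [string]) { continue }
            New-Object PSObject -Property @{
                KeyPath   = $key.PSPath
                ValueName = $p.Name      # squished product GUID
                Target    = $p.Value     # file (or registry) path the component installed
            }
        }
    }
}

function Find-LeftoverRegistration {
    param([string]$Root, [string[]]$Patterns, [bool]$Orphans)

    foreach ($reg in Get-ComponentRegistration -Root $Root) {
        $nameHit = $false
        foreach ($pat in $Patterns) {
            if ($reg.Target -like "*$pat*") { $nameHit = $true; break }
        }
        # Only values that start with a drive letter are file targets; other
        # component targets (registry key paths) are not checked for existence.
        $isFile   = $reg.Target -match '^[A-Za-z]:\\'
        $isOrphan = $isFile -and -not (Test-Path -LiteralPath $reg.Target)
        if ($nameHit -or ($Orphans -and $isOrphan)) {
            $reg | Add-Member -MemberType NoteProperty -Name Orphaned -Value $isOrphan -PassThru
        }
    }
}

$findings = @(Find-LeftoverRegistration -Root $componentsRoot -Patterns $NamePattern -Orphans $IncludeOrphans.IsPresent)

if ($findings.Count -eq 0) {
    Write-Host "No matching component registrations under $componentsRoot"
    return
}

$findings | Format-Table ValueName, Orphaned, Target -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Equivalent to the CFScript line "<product code>"=- for this key.
        if ($PSCmdlet.ShouldProcess("$($f.KeyPath) : $($f.ValueName)", 'Remove registry value')) {
            Remove-ItemProperty -Path $f.KeyPath -Name $f.ValueName
        }
    }
}
```

Save it as a .ps1 and run it first with -IncludeOrphans -Remove -WhatIf to see what would be deleted before running it without -WhatIf.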
     
  10. peppero123

    peppero123 Thread Starter

    Joined:
    Mar 14, 2009
    Messages:
    31
    I had to re-download Combofix as it said it was expired. Below is the log:

    ComboFix 12-10-30.03 - Cecilia 31/10/2012 15:15:28.2.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.64.1033.18.3837.2200 [GMT 13:00]
    Running from: c:\users\Cecilia\Desktop\ComboFix.exe
    Command switches used :: c:\users\Cecilia\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-31 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-26 22:10 . 2012-10-26 22:10 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2012-10-26 22:10 . 2012-10-26 22:10 -------- d-----r- c:\program files (x86)\Skype
    2012-10-26 21:38 . 2012-08-29 11:40 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-10-26 21:38 . 2012-09-13 13:45 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-10-26 21:38 . 2012-09-13 13:28 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2012-10-26 21:36 . 2012-06-04 15:29 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-10-26 21:36 . 2012-06-02 00:22 347136 ----a-w- c:\windows\system32\schannel.dll
    2012-10-26 21:36 . 2012-06-02 00:22 254464 ----a-w- c:\windows\system32\ncrypt.dll
    2012-10-26 21:36 . 2012-06-02 00:05 77312 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-10-26 21:36 . 2012-06-02 00:04 278528 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-10-26 21:36 . 2012-06-02 00:03 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-10-24 08:42 . 2012-10-24 08:42 -------- d-----w- c:\users\Cecilia\AppData\Roaming\f-secure
    2012-10-24 08:42 . 2012-10-24 08:42 -------- d-----w- c:\programdata\F-Secure
    2012-10-24 08:20 . 2012-10-24 08:20 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-10-24 08:18 . 2012-10-24 08:18 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-10-24 08:18 . 2012-10-24 08:18 -------- d-----w- c:\program files (x86)\Java
    2012-10-23 21:49 . 2012-10-23 21:49 -------- d-----w- c:\program files (x86)\ESET
    2012-10-22 06:16 . 2012-10-22 06:16 -------- d-----w- c:\users\Cecilia\AppData\Local\ElevatedDiagnostics
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-24 08:18 . 2010-06-15 08:16 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-10-23 09:37 . 2012-05-22 10:21 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-10-23 09:37 . 2012-05-22 10:21 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-09-29 06:54 . 2010-01-07 08:35 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-27 11:18 . 2006-11-02 12:35 65309168 ----a-w- c:\windows\system32\mrt.exe
    2012-08-28 08:24 . 2012-06-22 02:22 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-08-24 03:43 . 2012-08-24 03:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "TWebCamera"="%ProgramFiles(x86)%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
    "HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2007-04-16 422400]
    "SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2008-11-21 438272]
    "KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-22 61440]
    "NDSTray.exe"="c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
    "cfFncEnabler.exe"="c:\program files (x86)\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2009-04-10 37888]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-30 2596984]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-14 05:18]
    .
    2012-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-14 05:18]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
    "HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
    "SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
    "00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-31 7574048]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-31 1833504]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1716008]
    "SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-03-24 1123840]
    "TPCHWMsg"="c:\program files (x86)\TOSHIBA\TPHM\TPCHWMsg.exe" [BU]
    "Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHN&bmod=TSHN
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHN&bmod=TSHN
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: &Download by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/202
    IE: Download all with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: windowsupdate.com\download
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{C89ADDAC-D084-4E81-B497-272CE53A6ECA}: NameServer = 4.2.2.1,4.2.2.2
    FF - ProfilePath - c:\users\Cecilia\AppData\Roaming\Mozilla\Firefox\Profiles\vsvwhchv.default\
    FF - ExtSQL: !HIDDEN! 2009-08-27 13:21; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{081230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2360693011-95739600-3344491481-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*A~Ôš-N‡eW[U^]
    @Class="Shell"
    .
    [HKEY_USERS\S-1-5-21-2360693011-95739600-3344491481-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*A~Ôš-N‡eW[U^\OpenWithList]
    @Class="Shell"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.9"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:00000009
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
    c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
    c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
    c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    c:\program files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
    .
    **************************************************************************
    .
    Completion time: 2012-10-31 15:35:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-10-31 02:35
    ComboFix2.txt 2012-10-24 22:31
    .
    Pre-Run: 137,068,539,904 bytes free
    Post-Run: 136,853,807,104 bytes free
    .
    - - End Of File - - 23F83B0B610BD532DE9D29610F9613A8
     
  11. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    Now we just need to update a couple of items and remove all the tools used.

    STEP 1
    Adobe
    Close any programs you may have running - especially your web browser.
    Click on Start > Control Panel, double-click on Programs and Features and uninstall the following Adobe entries:

    Adobe Reader 9

    NOTE: For XP click on Start > Control Panel, double-click on Add or Remove Programs and continue as above.

    Then go to this link Adobe Downloads and select the latest version to download and install. On the page that opens, click on the appropriate button for the Adobe product that was just removed.

    You will now see the download page for that product.

    All four Adobe products, Reader, Flash Player, Air and Shockwave Player, are set by default to download the version for Windows Operating Systems and for Internet Explorer in English. If you are using a Macintosh, or you want to use the Adobe product with a different Browser or language, you must click on the line on that page to make further selections to meet your requirements.

    On that page Adobe Reader is set for Windows 7; please click on that line if you are using a different version of Windows to make further selections. All the other Adobe products are universal and you will only need to change the selection for different Browsers, Languages or for Macintosh.
    NOTE: In all the downloads look out for the Google Toolbar and uncheck the box if you do not need it.

    Some additional instructions may appear for XP installations. In all cases save the download to your desktop, then close your browser and double click on the Adobe icon on your desktop to install it. If you have any problems installing, disconnect from the internet and disable your Anti Virus and any other security software; instructions for most AVs, etc. can be found here: How to disable security software.


    STEP 2
    Your version of Firefox is out of date, please go here and follow the instructions to get the latest version: How to update Firefox


    STEP 3
    To re-enable your CD Emulation drivers if you disabled them, double click DeFogger.exe to run the tool again.


    • The application window will appear.
    • Click the Re-enable button to re-enable your CD Emulation drivers.
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine...click OK.

    To uninstall ComboFix, press the WINKEY + R keys on your keyboard or click on Start and type Run into the search box and hit Enter.
    In the Run box type: ComboFix /Uninstall (Be sure to leave a space before the forward slash).



    • Click on OK.
    • If you encounter any problems using the switch from the Run dialog box, just rename ComboFix.exe to Uninstall.exe, then double-click on it to remove.
    • This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.
    • When it has finished you will see a dialog box stating that "ComboFix has been uninstalled".
    • After that, you can delete the ComboFix.exe program from your computer (Desktop).

    Next

    • Download OTC by OldTimer and save it to your desktop.
    • Double click the OTC icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose Run as Administrator
    • Then click the big CleanUp! button.
    • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
    • Restart your computer when prompted.

    -- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
    -- Any leftover folders/files related to ComboFix or other tools which OTC did not remove can be deleted manually (right-click on it and choose delete).



    Please post back when this is complete and let me know if you have had any problems.
     
  12. peppero123

    peppero123 Thread Starter

    Joined:
    Mar 14, 2009
    Messages:
    31
    Updated everything, ran OTC and then manually deleted Security Check, AdwCleaner, Eset, SystemLook.

    "The Internet" icon appeared again after running either defogger or combofix. I just deleted it again.

    Does this finish the process? Thanks so much for your help!
     
  13. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    Yup, that's it. I'll just leave you with this:

    I shall now mark this thread as Solved and leave you with some security advice, but please feel free to post back if you have any remaining issues or concerns.

    There are many places where you will find security advice, but most are biased towards a particular item of software that they are trying to promote. I have given some unbiased advice below that should help keep you better protected. Unfortunately there is no "best protection", new Malware is being produced every minute of the day so it is a cat & mouse game for all security software vendors to keep up with the latest infections.

    It has always been the case that what one Anti Virus program will detect another one will miss and vice versa. That being said, never be tempted to install more than one Anti Virus program thinking that will give you better protection, as in fact the reverse is true. Two or more AV programs will (in most cases) conflict with each other, slow your system down and actually reduce your security level. Don't assume that your present Anti Virus is no good on the grounds that you got infected; if I have seen you are using a poor Anti Virus I will have advised you earlier in the thread. There are a lot of nasty infections out there waiting to jump onto a PC and with some of the newest infections there is very little that will block them. Fortunately there are those who dedicate their spare time, for little reward, to making the tools we use here to remove these infections. It is those people that we have to thank, as without them a reinstall would often be the only way out.

    Some additional security measures, if your present security software does not include a third-party Firewall or AntiSpyware:

    Go Here for a selection of third party Firewalls.

    Go Here or Here for Anti Spyware.

    Malwarebytes free version (which you may have used during this thread) is worth having for regular scans of your system, always check for updates before using it. If you can afford the Malwarebytes Pro version it will provide even better protection with a full time active scanner. Never have more than one active anti virus, anti spyware or firewall running on your system as it can cause conflicts and slow down the PC. You can safely run the Pro version of Malwarebytes with any Anti Virus software.

    WOT (Web of Trust) will warn you (in most cases) about dangerous web sites. (This is only available for use with Internet Explorer).

    Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals.

    WinPatrol is a useful facility to have. WinPatrol takes snapshots of your critical system resources and alerts you to any changes that may occur without your knowledge. It can also be used to control all your start up programs.

    Finally, make sure that Windows Update is turned on, as many updates are to fix newly discovered security holes in the Windows Operating System. You should also make sure that any Java or Adobe products are kept up to date and any old versions are uninstalled. Never use Registry Cleaners, as they can and do damage the system's registry, and stay well clear of P2P file sharing sites, as these are one of the best places to get your PC infected.
     
Short URL to this thread: https://techguy.org/1073616