remove fbi "system failure" virus help

drmax,

Don't understand what problem there is with the USB drive. It is showing in Disk Management as G:\... :huh:


Let's see if the following get you going with the Safe Mode issue...

Please do the following before moving on to the next step: http://www.sevenforums.com/tutorials/697-system-restore-point-create.html


Now, download ComboFix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save ComboFix.exe to the Desktop <<---


Please disable your AntiVirus and AntiSpyware applications, as they may interfere with this tool.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides


Double-click combofix.exe and follow the prompts.

There are several stages processed by CF. Please be patient, as it may take a while to run. (Estimated time: o/a 1 hour)


When done, ComboFix produces a log: C:\ComboFix.txt


Please attach the ComboFix.txt in your reply. <<---

Also, post on whether you can boot to Safe Mode.


Notes:
1. Please do not mouse-click the ComboFix window while it is running. This action may cause a stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. It also disconnects the computer from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
4. If ComboFix detects any Rootkit/Bootkit activity, it gives a warning and prompts for a reboot. Please allow it to do so. The screen may stay black for several minutes on reboot, however, this is normal.
5. If the following message appears, please reboot to resolve the issue:
"Illegal operation attempted on Registry key that has been marked for deletion."
 

C/F results

(have not tried safe mode. will wait until after you have a look at this. thx CottonBall)

ComboFix 13-06-01.01 - greg 06/01/2013 9:38.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7656.6084 [GMT -4:00]
Running from: c:\users\greg\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\greg\AppData\Roaming\inst.exe
c:\users\greg\AppData\Roaming\vso_ts_preview.xml
.
.
((((((((((((((((((((((((( Files Created from 2013-05-01 to 2013-06-01 )))))))))))))))))))))))))))))))
.
.
2013-06-01 13:44 . 2013-06-01 13:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-01 13:09 . 2013-06-01 13:09 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-06-01 13:09 . 2013-06-01 13:09 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-01 12:49 . 2013-06-01 12:49 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FFD3EB84-90FA-4CE3-9C50-B9D4E035C430}\offreg.dll
2013-06-01 00:56 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FFD3EB84-90FA-4CE3-9C50-B9D4E035C430}\mpengine.dll
2013-05-31 22:26 . 2013-05-13 06:37 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-31 18:32 . 2013-05-31 23:30 -------- d-----w- c:\users\greg\AppData\Roaming\wabEventSupport16
2013-05-21 18:50 . 2013-05-21 18:49 964552 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3EDA82C7-29AA-40C7-87EE-91B47A464654}\gapaengine.dll
2013-05-18 15:46 . 2013-05-18 15:46 -------- d-----w- c:\programdata\Cisco Systems
2013-05-15 07:02 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
2013-05-15 07:02 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-15 07:02 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2013-05-15 04:51 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-15 04:51 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 04:51 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-05-15 04:50 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll
2013-05-15 04:50 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll
2013-05-15 04:50 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll
2013-05-15 04:50 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
2013-05-15 04:50 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-05-15 04:50 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 04:50 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 04:50 . 2013-03-19 05:53 230400 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 04:50 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-01 13:09 . 2012-06-27 20:52 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-06-01 13:09 . 2012-02-14 22:11 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-05-15 11:02 . 2013-01-23 13:36 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-15 11:02 . 2013-01-23 13:36 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-15 07:29 . 2011-03-28 22:36 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-15 07:07 . 2011-09-04 19:42 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-02 15:29 . 2011-09-04 16:35 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-24 07:28 . 2011-09-14 19:42 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-04-13 05:49 . 2013-05-15 04:50 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-15 04:50 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-15 04:50 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-15 04:50 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-15 04:50 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 04:50 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-23 21:49 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-04 18:50 . 2011-11-01 17:48 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-19 06:04 . 2013-04-10 19:35 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-10 19:35 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-10 19:35 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-10 19:35 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-10 19:35 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-10 19:35 112640 ----a-w- c:\windows\system32\smss.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\greg\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-08 336384]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"AllShareAgent"="c:\program files (x86)\Samsung\AllShare\AllShareAgent.exe" [2012-03-02 285072]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
magicBlock.lnk - c:\program files (x86)\magicBlock\magicBlock.exe [2008-5-3 479232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-02-28 161384]
R3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [2011-03-18 87168]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [2011-03-18 188544]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-01-26 32152]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2011-09-25 82816]
R3 SimpleSlideShowServer;SimpleSlideShowServer;c:\program files (x86)\Samsung\AllShare\AllShareSlideShowService.exe [2012-03-02 27584]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 vna_ap;Check Point Virtual Network Adapter - Apollo;c:\windows\system32\DRIVERS\vnaap.sys [2011-09-15 161256]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-04 1255736]
S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys [2011-03-23 36448]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-09-17 140672]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-26 204288]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-07-08 365568]
S2 SamsungAllShareV2.0;Samsung AllShare PC;c:\program files (x86)\Samsung\AllShare\AllShareDMS\AllShareDMS.exe [2012-03-02 25504]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-04-23 3574624]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-02-24 126952]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-02-24 389608]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-03-30 114704]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]
S3 LVUVC64;Logitech QuickCam Pro 9000(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2012-01-18 4865568]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-23 11:02]
.
2013-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2872747093-637173786-3556813959-1000Core.job
- c:\users\greg\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-12 12:42]
.
2013-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2872747093-637173786-3556813959-1000UA.job
- c:\users\greg\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-12 12:42]
.
2013-05-26 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-19 11613288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: fedex.com\*.fw
Trusted Zone: microsoft.com\update
TCP: DhcpNameServer = 192.168.0.1
DPF: {414FB93D-DEDD-4FEF-AD7F-167992EBDB52} - hxxps://portal.sca-vip.fw.fedex.com//SNX/CSHELL/extender.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2872747093-637173786-3556813959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*#*7*&*c*4*2*b*8*f*8*&*0*&*a*9*2*1*0*5*0*2*0*7*0*“÷D\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-2872747093-637173786-3556813959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2872747093-637173786-3556813959-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-01 09:46:28
ComboFix-quarantined-files.txt 2013-06-01 13:46
.
Pre-Run: 61,657,530,368 bytes free
Post-Run: 62,283,771,904 bytes free
.
- - End Of File - - 88BF95641D2840588C94C7E589BAE0BB
 

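An added triage script for the Reg Loading Points section of the log above (my example, not the thread's and not ComboFix's own code): it parses the Run-key values and Startup-folder shortcuts in the layout ComboFix writes and flags autostarts that launch from user-writable directories, the kind of location ComboFix had to delete inst.exe from in this log. The sample log is a constructed excerpt in that layout; a flag means the entry deserves a look, not that it is malicious (cdloader is flagged on its location alone).

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example,
not ComboFix's code or the thread's): parse Run values and Startup shortcuts
and flag autostarts launched from user-writable directories, the kind of path
ComboFix deleted inst.exe from here. A flag means "review", not "malicious"."""

import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the same layout as the log above (not the full log).
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"cdloader"="c:\\users\\greg\\AppData\\Roaming\\mjusbsp\\cdloader2.exe" [2012-02-01 50592]
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run]
"LWS"="c:\\program files (x86)\\Logitech\\LWS\\Webcam Software\\LWS.exe" [2011-11-11 205336]
"SunJavaUpdateSched"="c:\\program files (x86)\\Common Files\\Java\\Java Update\\jusched.exe" [2013-03-12 253816]
.
c:\\users\\greg\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\
magicBlock.lnk - c:\\program files (x86)\\magicBlock\\magicBlock.exe [2008-5-3 479232]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="path" [YYYY-M-D size]; the bracket is optional so a line without it
# still parses and ends up with size None (flagged below).
VALUE_RE = re.compile(
    r'^"([^"]+)"="([^"]*)"(?:\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\])?$')
LNK_RE = re.compile(
    r"^(\S.*?\.lnk)\s+-\s+(.+?)(?:\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\])?$")
# Directories an unprivileged user (or malware running as that user) can write.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Autostart:
    location: str          # registry key or Startup folder that references it
    name: str              # value name or .lnk file name
    path: str              # program the entry launches
    date: Optional[str]    # file date as ComboFix printed it
    size: Optional[int]    # file size, None if ComboFix recorded none


def loading_points_section(log: str) -> str:
    """Cut out the lines between the 'Reg Loading Points' banner and the
    Scheduled Tasks header; the other sections of the log use other layouts."""
    lines = log.splitlines()
    start = next((i for i, l in enumerate(lines) if "Reg Loading Points" in l), None)
    if start is None:
        return ""
    end = next((i for i in range(start, len(lines))
                if lines[i].startswith("Contents of the 'Scheduled Tasks'")), len(lines))
    return "\n".join(lines[start + 1:end])


def parse_loading_points(section: str) -> list:
    """Return one Autostart per Run value or Startup shortcut in the section.
    Service lines (R2/S3 ...), policy values and separators are skipped."""
    entries, location = [], None
    for raw in section.splitlines():
        line = raw.strip()
        if not line or line == "." or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        key = KEY_RE.match(line)
        if key:
            location = key.group(1)
            continue
        if line.lower().endswith("\\startup\\"):   # Startup folder header line
            location = line
            continue
        m = VALUE_RE.match(line) or LNK_RE.match(line)
        if m and location:
            name, path, date, size = m.groups()
            entries.append(Autostart(location, name, path, date,
                                     int(size) if size else None))
    return entries


def review_flags(entry: Autostart) -> list:
    """Reasons a responder should look at this entry; empty means unremarkable."""
    flags = []
    if any(marker in entry.path.lower() for marker in USER_WRITABLE):
        flags.append("launches from a user-writable directory")
    if entry.size is None:
        flags.append("no file size recorded (target missing or unreadable)")
    return flags


def triage(log: str) -> list:
    """(entry, flags) for each flagged autostart in the log's loading points."""
    entries = parse_loading_points(loading_points_section(log))
    return [(e, review_flags(e)) for e in entries if review_flags(e)]
```

Feed it the whole ComboFix.txt; the X64 Entries block further down uses the same Run-key syntax and can be passed to `parse_loading_points` separately.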
I could use msconfig to boot into safe mode (or anyways try that) if need be. I didn't know that option existed. I'll hang back and await your response.
 

Reboot the PC and tap on F8 and see if you could get into Safe Mode.
 

No, as it did yesterday... takes me to the boot sequence page, as in which drive I want to start the PC in.
This is also where my thumb drive would not work. The option was there, but it would not go to my drive. I was able to select my DVD drive and start Windows with the system disk, however. DM
 

Welp, now the PC will not boot up. It was working. Came back to it and the monitor has power, but is not activated. Manually turned off the PC, and when I turn it on, the monitor doesn't come alive and I don't hear the normal chatter of the hard drive coming to life. It's 3 yrs old. Possibly something happened after ComboFix? Dunno. It was working after ComboFix, however. Unsure how to go about getting life into this, other than ordering another h/d and starting over.
Even sliding the Windows disk into the DVD does notta. dm
 
Unplugged the PC from power altogether. Plugged it back in and she started right up. OK, so I went into msconfig and in the boot section, had the PC start in safe mode this way. Currently running MBAR now to see if there is anything there and will try HitmanPro again. Will report back. dm
 

In safe mode... Malwarebytes Anti-Malware found nothing in a full scan. HitmanPro has a suspicious file, pev.exe. Further reading mentions that since I ran ComboFix, this could be the cause, so I ignored it. MBAR anti-rootkit scanned and found nothing. Outside of the PC not F8-ing into safe mode, I appear to be clean. If this all looks clean to you then please mark the solved box for me, and I appreciate all of your help. DM
 

When you press F8, can you get into Safe Mode, Safe Mode with Networking and Safe Mode with Command Prompt?

I could not mark this thread solved. That would be done either by you or the Admin or the Moderators.
 

Read post #27 and then onward. I may have been typing when you asked this. As it stands, F8 only takes me into my boot configuration. Unless there is another button to push, the only way for me to get into safe mode is through msconfig.
 

Was there a virus?

Through this adventure, did you or Cottonball see that I had something causing the virus "FBI locking my screen" thingy? Was there a positive fix here, or do I still need to be worried?
Is there a product you'd recommend I pay for, to have running in the background all the time?
 

What exactly have you done?
 

drmax

I am not seeing anything. But let's see what Cottonball says. Are you still getting the FBI screen?
 

No. Working good, like I had written.
 

Let's try this

Reboot the PC and tap on F6. You should get a menu; then tap F8, after which you should get a Safe Mode option.
 

No dice. F6 just let it start normally. No differences. I'm not gonna let this get the best of me. Let's wait on C/B to see what he says on the virus. I mean... how could I have had the locked-up FBI screen, and then it mysteriously went away? I gotta know it was there and gotten rid of... or it could still be lurking. DM
 

drmax,

Try using RKill to terminate any infection processes: http://download.bleepingcomputer.com/grinler/rkill.exe
Save to the Desktop.

If RKill.exe does not run, then download and try to run RKill.com:
http://download.bleepingcomputer.com/grinler/rkill.com

You only need to get one of the versions of RKill to run.

There are additional versions:
RKill.scr: http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill, under various names, can be downloaded from the following links:
iExplore.exe: http://download.bleepingcomputer.com/grinler/iExplore.exe
uSeRiNiT.exe: http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe
WiNlOgOn.exe: http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe

If your AntiVirus warns you about this tool, ignore the warning, or temporarily disable your AntiVirus.

Right-click on the downloaded file and select: Run as Administrator

A black DOS box briefly flashes and then disappears. This is normal and indicates the tool ran successfully.
After running the tool, do not reboot.
When the scan is done Notepad opens with the RKill report.

Please post the RKill report in your reply.

Without a reboot, please download RogueKiller:
Download RogueKiller (Official website)
Select the x64 version download.
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.


Also, what Brand/Model computer is this? Dell, HP, Acer, Asus, etc...

Trying to understand what happens...
When you tap F8 while starting, you get the boot device order (HDD, removable drive, CD-ROM...) instead of the Safe Mode options, etc.?

What happens if you tap F8, identify the drive to boot from and press Enter, then tap F8 again?
Does it get you to the Advanced Boot Options?

or...

When tapping F8 brings up the boot device menu, press Esc, then keep tapping F8.
Does the Advanced Boot Options screen appear?
 