

Win7 Reboot after 1 minute, security centre not working


  • This topic is locked
30 replies to this topic

#1 demon8991

demon8991

  • Members
  • 23 posts
  • OFFLINE
  • Local time:05:29 AM

Posted 19 June 2012 - 07:02 AM

Hi All,

I am having the problem as per the title and cannot seem to remove the sirefef trojan in time before it reboots.

I have run FRST64.exe in System Repair and this is the outcome:


Scan result of Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 19-06-2012 21:50:20
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [608112 2011-03-29] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-12] (Intel Corporation)
HKLM-x32\...\Run: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe /boot [4165440 2011-08-04] (Dell, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900 [75064 2011-04-29] ()
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-12] (Microsoft Corporation)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKU\Patricia Ahearn\...\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup [4862384 2011-09-01] (Exent Technologies Ltd.)
HKU\Patricia Ahearn\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17344176 2012-06-05] (Skype Technologies S.A.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Ulead Photo Express 3.0 SE Calendar Checker.lnk
ShortcutTarget: Ulead Photo Express 3.0 SE Calendar Checker.lnk -> C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe (Ulead Systems, Inc.)

==================== Services (Whitelisted) ======

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 NOBU; "C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe" SERVICE [2823000 2010-08-25] (Dell, Inc.)
3 RoxMediaDB12OEM; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe" [1116656 2010-11-25] (Sonic Solutions)
2 RoxWatch12; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)
2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3048136 2012-05-29] (Skype Technologies S.A.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]

========================== Drivers (Whitelisted) =============

3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [250984 2010-10-29] (Realtek Semiconductor Corp.)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [16120 2010-11-29] (Intel® Corporation)
2 X5XSEx; \??\C:\Program Files (x86)\Free Ride Games\X5XSEx.Sys [55400 2010-11-21] (Exent Technologies Ltd.)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-19 21:50 - 2012-06-19 21:50 - 00000000 ____D C:\FRST
2012-06-19 06:27 - 2012-06-19 06:45 - 00142210 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe.log
2012-06-19 06:21 - 2012-06-19 06:21 - 00000000 __SHD C:\Config.Msi
2012-06-19 06:21 - 2012-06-19 06:18 - 01415784 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe
2012-06-19 06:16 - 2012-06-19 06:40 - 00906230 ____A C:\Windows\ntbtlog.txt
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-19 05:47 - 2012-04-04 00:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-19 05:45 - 2012-06-19 05:47 - 12621696 ____A (Microsoft Corporation) C:\Users\Patricia Ahearn\Desktop\mseinstall.exe
2012-06-19 05:45 - 2012-06-19 05:46 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Patricia Ahearn\Desktop\mbam-setup-1.61.0.1400.exe
2012-06-19 04:50 - 2012-06-19 04:50 - 00000000 ____D C:\Windows\pss
2012-06-19 04:20 - 2012-06-19 05:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\Application Data\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Roaming\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-06-19 04:08 - 2012-06-19 20:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-06-19 04:08 - 2012-06-19 20:36 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-06-15 00:07 - 2012-06-15 00:07 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-14 17:07 - 2012-05-17 21:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 17:07 - 2012-05-17 21:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 17:07 - 2012-05-17 21:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-14 17:07 - 2012-05-17 20:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 17:07 - 2012-05-17 20:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 17:07 - 2012-05-17 20:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-14 17:07 - 2012-05-17 20:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 17:07 - 2012-05-17 20:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 17:07 - 2012-05-17 20:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 17:07 - 2012-05-17 20:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-14 17:07 - 2012-05-17 20:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 17:07 - 2012-05-17 20:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 17:07 - 2012-05-17 20:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 17:07 - 2012-05-17 20:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-14 17:07 - 2012-05-17 18:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-14 17:07 - 2012-05-17 17:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-14 17:07 - 2012-05-17 17:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-14 17:07 - 2012-05-17 17:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-14 17:07 - 2012-05-17 17:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-14 17:07 - 2012-05-17 17:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-14 17:07 - 2012-05-17 17:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-14 17:07 - 2012-05-17 17:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-14 17:07 - 2012-05-17 17:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-14 17:07 - 2012-05-17 17:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-14 17:07 - 2012-05-17 17:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-14 17:07 - 2012-05-17 17:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-14 17:07 - 2012-05-17 17:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-14 17:07 - 2012-05-17 17:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-14 04:18 - 2012-05-14 20:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-14 04:18 - 2012-05-04 06:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-14 04:18 - 2012-05-04 05:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-14 04:18 - 2012-05-04 05:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-14 04:18 - 2012-05-01 00:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-14 04:18 - 2012-04-27 22:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-14 04:18 - 2012-04-26 00:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-14 04:18 - 2012-04-26 00:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-14 04:18 - 2012-04-26 00:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-14 04:18 - 2012-04-24 00:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-14 04:18 - 2012-04-24 00:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-14 04:18 - 2012-04-24 00:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-14 04:18 - 2012-04-23 23:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-14 04:18 - 2012-04-23 23:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-14 04:18 - 2012-04-23 23:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-14 04:18 - 2012-04-07 07:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-14 04:18 - 2012-04-07 06:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

============ 3 Months Modified Files and Folders =============

2012-06-19 21:50 - 2012-06-19 21:50 - 00000000 ____D C:\FRST
2012-06-19 20:37 - 2012-06-19 04:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-06-19 20:37 - 2012-01-27 00:26 - 00000000 ____D C:\Users\All Users\Free Ride Games
2012-06-19 20:37 - 2012-01-27 00:26 - 00000000 ____D C:\Users\All Users\Application Data\Free Ride Games
2012-06-19 20:37 - 2012-01-27 00:26 - 00000000 ____D C:\Remote Programs
2012-06-19 20:37 - 2012-01-23 23:27 - 00000000 ____D C:\Program Files (x86)\Playrix Entertainment
2012-06-19 20:37 - 2012-01-23 23:05 - 00000000 ____D C:\Program Files (x86)\Oberon Media
2012-06-19 20:37 - 2012-01-11 05:20 - 00000000 ____D C:\Windows\AutoKMS
2012-06-19 20:37 - 2011-12-11 21:09 - 00000000 ____D C:\Windows\System32\Macromed
2012-06-19 20:37 - 2011-10-20 07:16 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2012-06-19 20:37 - 2011-10-20 07:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-06-19 20:37 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2012-06-19 20:37 - 2009-07-13 22:20 - 00000000 ___HD C:\ProgramData
2012-06-19 20:36 - 2012-06-19 04:50 - 00000000 ____D C:\Windows\pss
2012-06-19 20:36 - 2012-06-19 04:08 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-06-19 20:36 - 2011-10-20 09:57 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-06-19 20:36 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2012-06-19 20:34 - 2011-10-20 08:01 - 00000000 ____D C:\Program Files (x86)\WildTangent
2012-06-19 06:45 - 2012-06-19 06:27 - 00142210 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe.log
2012-06-19 06:44 - 2011-12-11 21:16 - 00000000 ____D C:\Users\Patricia Ahearn\Application Data\Skype
2012-06-19 06:44 - 2011-12-11 21:16 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Roaming\Skype
2012-06-19 06:43 - 2012-01-11 05:20 - 00000266 ____A C:\Windows\Tasks\AutoKMS.job
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2012-06-19 06:43 - 2011-12-11 20:45 - 4198785024 __ASH C:\pagefile.sys
2012-06-19 06:43 - 2011-10-20 08:11 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2012-06-19 06:43 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-19 06:43 - 2009-07-13 23:51 - 00064598 ____A C:\Windows\setupact.log
2012-06-19 06:42 - 2011-10-20 06:59 - 3149086720 __ASH C:\hiberfil.sys
2012-06-19 06:40 - 2012-06-19 06:16 - 00906230 ____A C:\Windows\ntbtlog.txt
2012-06-19 06:29 - 2011-10-20 06:59 - 00000000 __SHD C:\System Volume Information
2012-06-19 06:27 - 2009-07-13 22:20 - 00000000 ___AD C:\Windows
2012-06-19 06:21 - 2012-06-19 06:21 - 00000000 __SHD C:\Config.Msi
2012-06-19 06:18 - 2012-06-19 06:21 - 01415784 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe
2012-06-19 06:09 - 2011-12-11 21:44 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-19 06:09 - 2011-10-20 07:04 - 01420954 ____A C:\Windows\WindowsUpdate.log
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-19 06:05 - 2011-10-20 07:18 - 00792268 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-19 06:05 - 2009-07-13 22:20 - 00000000 ___RD C:\Program Files (x86)
2012-06-19 06:05 - 2009-07-13 22:20 - 00000000 ___RD C:\Program Files
2012-06-19 06:01 - 2009-07-13 23:45 - 00028576 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-19 06:01 - 2009-07-13 23:45 - 00028576 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-19 05:56 - 2011-10-20 07:53 - 00000000 ____D C:\Users\All Users\Sonic
2012-06-19 05:56 - 2011-10-20 07:53 - 00000000 ____D C:\Users\All Users\Application Data\Sonic
2012-06-19 05:55 - 2010-11-20 22:47 - 00053998 ____A C:\Windows\PFRO.log
2012-06-19 05:47 - 2012-06-19 05:45 - 12621696 ____A (Microsoft Corporation) C:\Users\Patricia Ahearn\Desktop\mseinstall.exe
2012-06-19 05:47 - 2012-06-19 04:20 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-19 05:46 - 2012-06-19 05:45 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Patricia Ahearn\Desktop\mbam-setup-1.61.0.1400.exe
2012-06-19 05:44 - 2012-01-27 00:26 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Conduit
2012-06-19 05:44 - 2012-01-27 00:26 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Application Data\Conduit
2012-06-19 05:44 - 2012-01-27 00:26 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Local\Conduit
2012-06-19 05:41 - 2011-10-20 08:01 - 00000000 ____D C:\Users\All Users\WildTangent
2012-06-19 05:41 - 2011-10-20 08:01 - 00000000 ____D C:\Users\All Users\Application Data\WildTangent
2012-06-19 05:39 - 2012-01-27 00:26 - 00000000 ____D C:\Program Files (x86)\Free Ride Games
2012-06-19 05:38 - 2011-12-11 21:49 - 00000000 ____D C:\users\Patricia Ahearn
2012-06-19 05:38 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\config\TxR
2012-06-19 05:00 - 2012-01-11 04:53 - 00000000 __SHD C:\Users\Patricia Ahearn\Local Settings\Application Data\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
2012-06-19 05:00 - 2012-01-11 04:53 - 00000000 __SHD C:\Users\Patricia Ahearn\Local Settings\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
2012-06-19 05:00 - 2012-01-11 04:53 - 00000000 __SHD C:\Users\Patricia Ahearn\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
2012-06-19 04:46 - 2011-12-28 00:40 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\ElevatedDiagnostics
2012-06-19 04:46 - 2011-12-28 00:40 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Application Data\ElevatedDiagnostics
2012-06-19 04:46 - 2011-12-28 00:40 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Local\ElevatedDiagnostics
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\Application Data\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Roaming\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-06-19 04:20 - 2011-12-11 21:07 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Nero
2012-06-19 04:20 - 2011-12-11 21:07 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Application Data\Nero
2012-06-19 04:20 - 2011-12-11 21:07 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Local\Nero
2012-06-19 04:04 - 2012-04-18 21:04 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-06-19 01:19 - 2011-12-13 00:23 - 00000000 ____D C:\Users\Patricia Ahearn\My Documents\Outlook Files
2012-06-19 01:19 - 2011-12-13 00:23 - 00000000 ____D C:\Users\Patricia Ahearn\Documents\Outlook Files
2012-06-18 20:29 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\NDF
2012-06-15 00:07 - 2012-06-15 00:07 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-14 18:42 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2012-06-14 17:26 - 2009-07-13 23:45 - 00531216 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 17:18 - 2011-12-13 00:01 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-14 17:18 - 2011-12-13 00:01 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2012-06-14 17:17 - 2009-07-14 00:13 - 00792488 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-14 17:13 - 2011-12-11 21:00 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-14 17:09 - 2011-10-20 08:05 - 00000000 ____D C:\Users\All Users\Skype
2012-06-14 17:09 - 2011-10-20 08:05 - 00000000 ____D C:\Users\All Users\Application Data\Skype
2012-06-10 17:46 - 2012-04-18 21:04 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-05-25 00:01 - 2012-04-26 02:17 - 00035328 ____A C:\Users\Patricia Ahearn\My Documents\Dinner.msg
2012-05-25 00:01 - 2012-04-26 02:17 - 00035328 ____A C:\Users\Patricia Ahearn\Documents\Dinner.msg
2012-05-24 23:03 - 2009-07-14 00:08 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-17 21:47 - 2012-06-14 17:07 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 21:16 - 2012-06-14 17:07 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 21:06 - 2012-06-14 17:07 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 20:59 - 2012-06-14 17:07 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 20:59 - 2012-06-14 17:07 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 20:58 - 2012-06-14 17:07 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 20:58 - 2012-06-14 17:07 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 20:56 - 2012-06-14 17:07 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 20:55 - 2012-06-14 17:07 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 20:55 - 2012-06-14 17:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 20:54 - 2012-06-14 17:07 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 20:51 - 2012-06-14 17:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 20:51 - 2012-06-14 17:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 20:47 - 2012-06-14 17:07 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 18:11 - 2012-06-14 17:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 17:48 - 2012-06-14 17:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 17:45 - 2012-06-14 17:07 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 17:36 - 2012-06-14 17:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 17:35 - 2012-06-14 17:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 17:35 - 2012-06-14 17:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 17:33 - 2012-06-14 17:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 17:31 - 2012-06-14 17:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 17:29 - 2012-06-14 17:07 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 17:29 - 2012-06-14 17:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 17:27 - 2012-06-14 17:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 17:25 - 2012-06-14 17:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 17:24 - 2012-06-14 17:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 17:20 - 2012-06-14 17:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 20:32 - 2012-06-14 04:18 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 02:08 - 2011-10-20 09:57 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-09 00:01 - 2011-12-18 21:10 - 00000649 ____A C:\Windows\ULEAD32.INI
2012-05-07 19:05 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\LiveKernelReports
2012-05-04 06:06 - 2012-06-14 04:18 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 05:03 - 2012-06-14 04:18 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 05:03 - 2012-06-14 04:18 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-01 04:20 - 2012-03-09 22:25 - 00000000 ____D C:\Users\Patricia Ahearn\My Documents\FAMILY PHOTOS
2012-05-01 04:20 - 2012-03-09 22:25 - 00000000 ____D C:\Users\Patricia Ahearn\Documents\FAMILY PHOTOS
2012-05-01 00:40 - 2012-06-14 04:18 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 16:50 - 2011-10-20 08:05 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-04-27 22:55 - 2012-06-14 04:18 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 00:41 - 2012-06-14 04:18 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-26 00:41 - 2012-06-14 04:18 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-26 00:34 - 2012-06-14 04:18 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-24 00:37 - 2012-06-14 04:18 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-24 00:37 - 2012-06-14 04:18 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-24 00:37 - 2012-06-14 04:18 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 23:36 - 2012-06-14 04:18 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 23:36 - 2012-06-14 04:18 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 23:36 - 2012-06-14 04:18 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-18 21:04 - 2012-04-05 20:34 - 00000000 ____D C:\Program Files\Dell Support Center
2012-04-18 21:04 - 2011-10-20 07:24 - 00000000 ____D C:\Users\All Users\Dell
2012-04-18 21:04 - 2011-10-20 07:24 - 00000000 ____D C:\Users\All Users\Application Data\Dell
2012-04-13 01:46 - 2009-07-13 21:34 - 00000510 ____A C:\Windows\win.ini
2012-04-07 07:31 - 2012-06-14 04:18 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 06:26 - 2012-06-14 04:18 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-04 00:56 - 2012-06-19 05:47 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-30 06:35 - 2012-05-10 23:28 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

ZeroAccess:
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\n
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

ZeroAccess:
C:\Users\Patricia Ahearn\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 4004.27 MB
Available physical RAM: 3217.2 MB
Total Pagefile: 4002.47 MB
Available Pagefile: 3201.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:404.24 GB) NTFS
2 Drive d: (Recovery) (Fixed) (Total:14.65 GB) (Free:5.76 GB) NTFS
3 Drive e: (Kingston) (Removable) (Total:14.95 GB) (Free:0.88 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 451 GB 14 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 DELLUTILITY FAT Partition 100 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D Recovery NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Kingston NTFS Removable 14 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-17 21:25

======================= End Of Log ==========================



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 PM

Posted 19 June 2012 - 04:01 PM

Good evening. :)

Will you fire up FRST64 again but this time I want you to run a search for a file. Paste the following into the Search: textbox and click the Search File(s) button: services.exe
Let me have the log that will be found on the flashdrive, as before.

So long, and thanks for all the fish.

 

 


#3 demon8991

demon8991
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 20 June 2012 - 07:02 AM

Thanks for that.

As requested please find attached outcome.


Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 2012-06-20 21:57:54
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======




#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 PM

Posted 20 June 2012 - 02:29 PM

Good evening. :)

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

start
CMD: copy C:\Windows\System32\services.exe services.old
CMD: copy /y "C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe" C:\WINDOWS\system32
end

Save the file to your flashdrive as fixlist.txt
Enter the System Recovery Options as before, run FRST64 and click the Fix button just once and wait.
Once the tool has completed it will save a log on the flashdrive called Fixlog.txt - I'd like you to post the contents in your next reply.

So long, and thanks for all the fish.
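A detection check that goes with the search log in post #3 and the fix in post #4, added here as an example (it is not FRST's code and was not posted by either participant): it parses FRST's Search File(s) output, flags a live System32 copy whose MD5 differs from the WinSxS copy even though size, timestamps and company string look untouched, and emits the same backup-then-copy fixlist the thread used. The sample log lines are reconstructed from the thread; parse_search_log, assess and build_fixlist are names chosen for this example.

```python
"""Check an FRST "Search File(s)" log for a tampered services.exe.

Added example; not FRST's own code and not from the thread. It reads the
two-line-per-hit format FRST printed in post #3:

    <path>
    [created] - [modified] - <size> <attrs> (<company>) <MD5>

and compares the live C:\\Windows\\System32 copy with the component-store
(WinSxS) copy of the same file. The thread's fix replaces the former with
the latter, so a hash mismatch between the two is the signal of interest.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample built from the two hits in the thread's search log.
SAMPLE_SEARCH_LOG = r"""
Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 2012-06-20 21:57:54

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Detail line that FRST prints under every path it finds.
_DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass
class SearchHit:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str


def parse_search_log(text: str) -> List[SearchHit]:
    """Pair each path line with the detail line that follows it."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    hits: List[SearchHit] = []
    for path, detail in zip(lines, lines[1:]):
        if not path or path.startswith(("[", "=")):
            continue
        m = _DETAIL_RE.match(detail)
        if m:  # header lines such as "Ran by SYSTEM ..." have no detail line
            hits.append(SearchHit(path, m["created"], m["modified"],
                                  int(m["size"]), m["company"].strip(),
                                  m["md5"].upper()))
    return hits


def assess(hits: List[SearchHit], filename: str = "services.exe") -> Dict[str, object]:
    """Compare the System32 copy of `filename` against its WinSxS copies."""
    name = filename.lower()
    live = [h for h in hits if h.path.lower() == "c:\\windows\\system32\\" + name]
    store = [h for h in hits
             if "\\winsxs\\" in h.path.lower() and h.path.lower().endswith("\\" + name)]
    if len(live) != 1 or not store:
        return {"status": "UNKNOWN", "reason": "need one System32 hit and >=1 WinSxS hit"}
    ref_hashes = {h.md5 for h in store}
    cur = live[0]
    if cur.md5 in ref_hashes:
        return {"status": "MATCH", "live_md5": cur.md5}
    # An in-place patch can leave size, timestamps and company string intact,
    # as the thread's log shows; record whether that is the case here.
    twin = store[0]
    same_meta = ((cur.size, cur.created, cur.modified, cur.company)
                 == (twin.size, twin.created, twin.modified, twin.company))
    return {"status": "MISMATCH", "live_md5": cur.md5,
            "reference_md5s": sorted(ref_hashes),
            "metadata_unchanged": same_meta,
            "restore_from": twin.path}


def build_fixlist(verdict: Dict[str, object], target_dir: str = "C:\\WINDOWS\\system32") -> str:
    """Emit the FRST fixlist used in the thread: back up, then copy the WinSxS file over."""
    if verdict["status"] != "MISMATCH":
        return ""
    name = str(verdict["restore_from"]).rsplit("\\", 1)[-1]
    backup = name.rsplit(".", 1)[0] + ".old"
    return "\n".join([
        "start",
        f"CMD: copy {target_dir}\\{name} {backup}",
        f'CMD: copy /y "{verdict["restore_from"]}" {target_dir}',
        "end",
    ])


if __name__ == "__main__":
    result = assess(parse_search_log(SAMPLE_SEARCH_LOG))
    print(result)
    print(build_fixlist(result))
```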

 

 


#5 demon8991

demon8991
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 20 June 2012 - 04:56 PM

Please find Fixlog attached.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 17-06-2012 04
Ran by SYSTEM at 2012-06-21 07:55:31 Run:1
Running from E:\

==============================================


========= copy C:\Windows\System32\services.exe services.old =========

1 file(s) copied.

========= End of CMD: =========


========= copy /y "C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe" C:\WINDOWS\system32 =========

1 file(s) copied.

========= End of CMD: =========


==== End of Fixlog ====



Edited by demon8991, 20 June 2012 - 04:56 PM.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 PM

Posted 20 June 2012 - 05:20 PM

Will you run FRST64 again and click the Scan button and let me have the log that it produces. Will you also boot your PC normally and tell me if it crashes as it has been doing or if the file replacement has made things better.

So long, and thanks for all the fish.

 

 


#7 demon8991

demon8991
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 20 June 2012 - 06:19 PM

OK, the computer seems to boot fine, thanks so much for that!

Only problem is Windows Firewall will not start; I just get an error.


Scan result of Farbar Recovery Scan Tool Version: 17-06-2012 04
Ran by SYSTEM at 21-06-2012 08:52:58
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-03-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418840 2011-03-30] (Intel Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [608112 2011-03-29] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3668336 2011-03-24] (Dell Inc.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4526 2010-11-29] ()
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [503942 2011-04-13] (Creative Technology Ltd)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-12] (Intel Corporation)
HKLM-x32\...\Run: [Dell Registration] C:\Program Files (x86)\System Registration\prodreg.exe /boot [4165440 2011-08-04] (Dell, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe 900 [75064 2011-04-29] ()
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-12] (Microsoft Corporation)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKU\Patricia Ahearn\...\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup [4862384 2011-09-01] (Exent Technologies Ltd.)
HKU\Patricia Ahearn\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17344176 2012-06-05] (Skype Technologies S.A.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Ulead Photo Express 3.0 SE Calendar Checker.lnk
ShortcutTarget: Ulead Photo Express 3.0 SE Calendar Checker.lnk -> C:\Program Files (x86)\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe (Ulead Systems, Inc.)

==================== Services (Whitelisted) ======

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 NOBU; "C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe" SERVICE [2823000 2010-08-25] (Dell, Inc.)
3 RoxMediaDB12OEM; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe" [1116656 2010-11-25] (Sonic Solutions)
2 RoxWatch12; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)
2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3048136 2012-05-29] (Skype Technologies S.A.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [x]

========================== Drivers (Whitelisted) =============

3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [250984 2010-10-29] (Realtek Semiconductor Corp.)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [16120 2010-11-29] (Intel® Corporation)
2 X5XSEx; \??\C:\Program Files (x86)\Free Ride Games\X5XSEx.Sys [55400 2010-11-21] (Exent Technologies Ltd.)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-19 21:50 - 2012-06-21 08:53 - 00000000 ____D C:\FRST
2012-06-19 06:27 - 2012-06-19 06:45 - 00142210 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe.log
2012-06-19 06:21 - 2012-06-19 06:21 - 00000000 __SHD C:\Config.Msi
2012-06-19 06:21 - 2012-06-19 06:18 - 01415784 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe
2012-06-19 06:16 - 2012-06-19 06:40 - 00906230 ____A C:\Windows\ntbtlog.txt
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-19 05:47 - 2012-04-04 00:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-19 05:45 - 2012-06-19 05:47 - 12621696 ____A (Microsoft Corporation) C:\Users\Patricia Ahearn\Desktop\mseinstall.exe
2012-06-19 05:45 - 2012-06-19 05:46 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Patricia Ahearn\Desktop\mbam-setup-1.61.0.1400.exe
2012-06-19 04:50 - 2012-06-19 20:36 - 00000000 ____D C:\Windows\pss
2012-06-19 04:20 - 2012-06-19 05:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\Application Data\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Roaming\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-06-19 04:08 - 2012-06-19 20:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-06-19 04:08 - 2012-06-19 20:36 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-06-15 00:07 - 2012-06-15 00:07 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-14 17:07 - 2012-05-17 21:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-14 17:07 - 2012-05-17 21:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-14 17:07 - 2012-05-17 21:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-14 17:07 - 2012-05-17 20:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-14 17:07 - 2012-05-17 20:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-14 17:07 - 2012-05-17 20:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-14 17:07 - 2012-05-17 20:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-14 17:07 - 2012-05-17 20:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-14 17:07 - 2012-05-17 20:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-14 17:07 - 2012-05-17 20:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-14 17:07 - 2012-05-17 20:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-14 17:07 - 2012-05-17 20:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-14 17:07 - 2012-05-17 20:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-14 17:07 - 2012-05-17 20:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-14 17:07 - 2012-05-17 18:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-14 17:07 - 2012-05-17 17:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-14 17:07 - 2012-05-17 17:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-14 17:07 - 2012-05-17 17:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-14 17:07 - 2012-05-17 17:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-14 17:07 - 2012-05-17 17:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-14 17:07 - 2012-05-17 17:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-14 17:07 - 2012-05-17 17:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-14 17:07 - 2012-05-17 17:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-14 17:07 - 2012-05-17 17:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-14 17:07 - 2012-05-17 17:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-14 17:07 - 2012-05-17 17:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-14 17:07 - 2012-05-17 17:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-14 17:07 - 2012-05-17 17:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-14 04:18 - 2012-05-14 20:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-14 04:18 - 2012-05-04 06:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-14 04:18 - 2012-05-04 05:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-14 04:18 - 2012-05-04 05:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-14 04:18 - 2012-05-01 00:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-14 04:18 - 2012-04-27 22:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-14 04:18 - 2012-04-26 00:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-14 04:18 - 2012-04-26 00:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-14 04:18 - 2012-04-26 00:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-14 04:18 - 2012-04-24 00:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-14 04:18 - 2012-04-24 00:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-14 04:18 - 2012-04-24 00:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-14 04:18 - 2012-04-23 23:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-14 04:18 - 2012-04-23 23:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-14 04:18 - 2012-04-23 23:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-06-14 04:18 - 2012-04-07 07:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-14 04:18 - 2012-04-07 06:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

============ 3 Months Modified Files and Folders =============

2012-06-21 08:53 - 2012-06-19 21:50 - 00000000 ____D C:\FRST
2012-06-19 20:37 - 2012-06-19 04:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-06-19 20:37 - 2012-01-27 00:26 - 00000000 ____D C:\Users\All Users\Free Ride Games
2012-06-19 20:37 - 2012-01-27 00:26 - 00000000 ____D C:\Users\All Users\Application Data\Free Ride Games
2012-06-19 20:37 - 2012-01-27 00:26 - 00000000 ____D C:\Remote Programs
2012-06-19 20:37 - 2012-01-23 23:27 - 00000000 ____D C:\Program Files (x86)\Playrix Entertainment
2012-06-19 20:37 - 2012-01-23 23:05 - 00000000 ____D C:\Program Files (x86)\Oberon Media
2012-06-19 20:37 - 2012-01-11 05:20 - 00000000 ____D C:\Windows\AutoKMS
2012-06-19 20:37 - 2011-12-11 21:09 - 00000000 ____D C:\Windows\System32\Macromed
2012-06-19 20:37 - 2011-10-20 07:16 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2012-06-19 20:37 - 2011-10-20 07:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-06-19 20:37 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2012-06-19 20:37 - 2009-07-13 22:20 - 00000000 ___HD C:\ProgramData
2012-06-19 20:36 - 2012-06-19 04:50 - 00000000 ____D C:\Windows\pss
2012-06-19 20:36 - 2012-06-19 04:08 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-06-19 20:36 - 2011-10-20 09:57 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-06-19 20:36 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2012-06-19 20:34 - 2011-10-20 08:01 - 00000000 ____D C:\Program Files (x86)\WildTangent
2012-06-19 06:45 - 2012-06-19 06:27 - 00142210 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe.log
2012-06-19 06:44 - 2011-12-11 21:16 - 00000000 ____D C:\Users\Patricia Ahearn\Application Data\Skype
2012-06-19 06:44 - 2011-12-11 21:16 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Roaming\Skype
2012-06-19 06:43 - 2012-01-11 05:20 - 00000266 ____A C:\Windows\Tasks\AutoKMS.job
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
2012-06-19 06:43 - 2011-12-11 21:49 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2012-06-19 06:43 - 2011-12-11 20:45 - 4198785024 __ASH C:\pagefile.sys
2012-06-19 06:43 - 2011-10-20 08:11 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2012-06-19 06:43 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-19 06:43 - 2009-07-13 23:51 - 00064598 ____A C:\Windows\setupact.log
2012-06-19 06:42 - 2011-10-20 06:59 - 3149086720 __ASH C:\hiberfil.sys
2012-06-19 06:40 - 2012-06-19 06:16 - 00906230 ____A C:\Windows\ntbtlog.txt
2012-06-19 06:29 - 2011-10-20 06:59 - 00000000 __SHD C:\System Volume Information
2012-06-19 06:27 - 2009-07-13 22:20 - 00000000 ___AD C:\Windows
2012-06-19 06:21 - 2012-06-19 06:21 - 00000000 __SHD C:\Config.Msi
2012-06-19 06:18 - 2012-06-19 06:21 - 01415784 ____A C:\Users\Patricia Ahearn\Desktop\yorkyt.exe
2012-06-19 06:09 - 2011-12-11 21:44 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-19 06:09 - 2011-10-20 07:04 - 01420954 ____A C:\Windows\WindowsUpdate.log
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-19 06:05 - 2012-06-19 06:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-06-19 06:05 - 2011-10-20 07:18 - 00792268 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-19 06:05 - 2009-07-13 22:20 - 00000000 ___RD C:\Program Files (x86)
2012-06-19 06:05 - 2009-07-13 22:20 - 00000000 ___RD C:\Program Files
2012-06-19 06:01 - 2009-07-13 23:45 - 00028576 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-19 06:01 - 2009-07-13 23:45 - 00028576 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-19 05:56 - 2011-10-20 07:53 - 00000000 ____D C:\Users\All Users\Sonic
2012-06-19 05:56 - 2011-10-20 07:53 - 00000000 ____D C:\Users\All Users\Application Data\Sonic
2012-06-19 05:55 - 2010-11-20 22:47 - 00053998 ____A C:\Windows\PFRO.log
2012-06-19 05:47 - 2012-06-19 05:45 - 12621696 ____A (Microsoft Corporation) C:\Users\Patricia Ahearn\Desktop\mseinstall.exe
2012-06-19 05:47 - 2012-06-19 04:20 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-19 05:46 - 2012-06-19 05:45 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Patricia Ahearn\Desktop\mbam-setup-1.61.0.1400.exe
2012-06-19 05:44 - 2012-01-27 00:26 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Conduit
2012-06-19 05:44 - 2012-01-27 00:26 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Application Data\Conduit
2012-06-19 05:44 - 2012-01-27 00:26 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Local\Conduit
2012-06-19 05:41 - 2011-10-20 08:01 - 00000000 ____D C:\Users\All Users\WildTangent
2012-06-19 05:41 - 2011-10-20 08:01 - 00000000 ____D C:\Users\All Users\Application Data\WildTangent
2012-06-19 05:39 - 2012-01-27 00:26 - 00000000 ____D C:\Program Files (x86)\Free Ride Games
2012-06-19 05:38 - 2011-12-11 21:49 - 00000000 ____D C:\users\Patricia Ahearn
2012-06-19 05:38 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\config\TxR
2012-06-19 05:00 - 2012-01-11 04:53 - 00000000 __SHD C:\Users\Patricia Ahearn\Local Settings\Application Data\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
2012-06-19 05:00 - 2012-01-11 04:53 - 00000000 __SHD C:\Users\Patricia Ahearn\Local Settings\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
2012-06-19 05:00 - 2012-01-11 04:53 - 00000000 __SHD C:\Users\Patricia Ahearn\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
2012-06-19 04:46 - 2011-12-28 00:40 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\ElevatedDiagnostics
2012-06-19 04:46 - 2011-12-28 00:40 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Application Data\ElevatedDiagnostics
2012-06-19 04:46 - 2011-12-28 00:40 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Local\ElevatedDiagnostics
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\Application Data\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Roaming\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-19 04:20 - 2012-06-19 04:20 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-06-19 04:20 - 2011-12-11 21:07 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Nero
2012-06-19 04:20 - 2011-12-11 21:07 - 00000000 ____D C:\Users\Patricia Ahearn\Local Settings\Application Data\Nero
2012-06-19 04:20 - 2011-12-11 21:07 - 00000000 ____D C:\Users\Patricia Ahearn\AppData\Local\Nero
2012-06-19 04:04 - 2012-04-18 21:04 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-06-19 01:19 - 2011-12-13 00:23 - 00000000 ____D C:\Users\Patricia Ahearn\My Documents\Outlook Files
2012-06-19 01:19 - 2011-12-13 00:23 - 00000000 ____D C:\Users\Patricia Ahearn\Documents\Outlook Files
2012-06-18 20:29 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32\NDF
2012-06-15 00:07 - 2012-06-15 00:07 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-14 18:42 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2012-06-14 17:26 - 2009-07-13 23:45 - 00531216 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 17:18 - 2011-12-13 00:01 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-14 17:18 - 2011-12-13 00:01 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2012-06-14 17:17 - 2009-07-14 00:13 - 00792488 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-14 17:13 - 2011-12-11 21:00 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-14 17:09 - 2011-10-20 08:05 - 00000000 ____D C:\Users\All Users\Skype
2012-06-14 17:09 - 2011-10-20 08:05 - 00000000 ____D C:\Users\All Users\Application Data\Skype
2012-06-10 17:46 - 2012-04-18 21:04 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-05-25 00:01 - 2012-04-26 02:17 - 00035328 ____A C:\Users\Patricia Ahearn\My Documents\Dinner.msg
2012-05-25 00:01 - 2012-04-26 02:17 - 00035328 ____A C:\Users\Patricia Ahearn\Documents\Dinner.msg
2012-05-24 23:03 - 2009-07-14 00:08 - 00032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-17 21:47 - 2012-06-14 17:07 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 21:16 - 2012-06-14 17:07 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 21:06 - 2012-06-14 17:07 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 20:59 - 2012-06-14 17:07 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 20:59 - 2012-06-14 17:07 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 20:58 - 2012-06-14 17:07 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 20:58 - 2012-06-14 17:07 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 20:56 - 2012-06-14 17:07 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 20:55 - 2012-06-14 17:07 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 20:55 - 2012-06-14 17:07 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 20:54 - 2012-06-14 17:07 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 20:51 - 2012-06-14 17:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 20:51 - 2012-06-14 17:07 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 20:47 - 2012-06-14 17:07 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 18:11 - 2012-06-14 17:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 17:48 - 2012-06-14 17:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 17:45 - 2012-06-14 17:07 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 17:36 - 2012-06-14 17:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 17:35 - 2012-06-14 17:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 17:35 - 2012-06-14 17:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 17:33 - 2012-06-14 17:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 17:31 - 2012-06-14 17:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 17:29 - 2012-06-14 17:07 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 17:29 - 2012-06-14 17:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 17:27 - 2012-06-14 17:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 17:25 - 2012-06-14 17:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 17:24 - 2012-06-14 17:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 17:20 - 2012-06-14 17:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-14 20:32 - 2012-06-14 04:18 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 02:08 - 2011-10-20 09:57 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-09 00:01 - 2011-12-18 21:10 - 00000649 ____A C:\Windows\ULEAD32.INI
2012-05-07 19:05 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\LiveKernelReports
2012-05-04 06:06 - 2012-06-14 04:18 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 05:03 - 2012-06-14 04:18 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 05:03 - 2012-06-14 04:18 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-01 04:20 - 2012-03-09 22:25 - 00000000 ____D C:\Users\Patricia Ahearn\My Documents\FAMILY PHOTOS
2012-05-01 04:20 - 2012-03-09 22:25 - 00000000 ____D C:\Users\Patricia Ahearn\Documents\FAMILY PHOTOS
2012-05-01 00:40 - 2012-06-14 04:18 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 16:50 - 2011-10-20 08:05 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-04-27 22:55 - 2012-06-14 04:18 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 00:41 - 2012-06-14 04:18 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-26 00:41 - 2012-06-14 04:18 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-26 00:34 - 2012-06-14 04:18 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-24 00:37 - 2012-06-14 04:18 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-24 00:37 - 2012-06-14 04:18 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-24 00:37 - 2012-06-14 04:18 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 23:36 - 2012-06-14 04:18 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 23:36 - 2012-06-14 04:18 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 23:36 - 2012-06-14 04:18 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-18 21:04 - 2012-04-05 20:34 - 00000000 ____D C:\Program Files\Dell Support Center
2012-04-18 21:04 - 2011-10-20 07:24 - 00000000 ____D C:\Users\All Users\Dell
2012-04-18 21:04 - 2011-10-20 07:24 - 00000000 ____D C:\Users\All Users\Application Data\Dell
2012-04-13 01:46 - 2009-07-13 21:34 - 00000510 ____A C:\Windows\win.ini
2012-04-07 07:31 - 2012-06-14 04:18 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 06:26 - 2012-06-14 04:18 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-04 00:56 - 2012-06-19 05:47 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-30 06:35 - 2012-05-10 23:28 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

ZeroAccess:
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\n
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U

ZeroAccess:
C:\Users\Patricia Ahearn\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 23%
Total physical RAM: 4004.27 MB
Available physical RAM: 3065.24 MB
Total Pagefile: 4002.47 MB
Available Pagefile: 3097.27 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:403.95 GB) NTFS
2 Drive d: (Recovery) (Fixed) (Total:14.65 GB) (Free:5.76 GB) NTFS
3 Drive e: (Kingston) (Removable) (Total:14.95 GB) (Free:6.19 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 14 GB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 451 GB 14 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 DELLUTILITY FAT Partition 100 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D Recovery NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Kingston NTFS Removable 14 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-17 21:25

======================= End Of Log ==========================




#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 PM

Posted 21 June 2012 - 02:01 PM

Good evening. :)

Progress is always welcome. Let's see if we, that's me really, can figure out why your firewall is poorly.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

So long, and thanks for all the fish.

 

 


#9 demon8991

demon8991
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 22 June 2012 - 07:03 AM

Please see attached.

Farbar Service Scanner Version: 22-06-2012
Ran by Patricia Ahearn (administrator) on 22-06-2012 at 22:02:24
Running from "E:\"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Attached Files

  • Attached File  FSS.txt   2.86KB   0 downloads


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 PM

Posted 23 June 2012 - 02:40 PM

Good evening. :)

Download RegQuery from here and save it to your Desktop.
  • Double click the file to run it.
  • Copy the following keyname to your clipboard - either CTRL + C or right click will do.

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
  • Click Paste from Clipboard and then Query.
  • A Notepad window should open with some text in it - either that or you'll get a pop-up telling you to check the keyname.
  • Let me have the contents of the file in your next reply - you'll probably need to zip it up and attach it.

So long, and thanks for all the fish.

 

 


#11 demon8991

demon8991
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 23 June 2012 - 07:19 PM

Hi again,

Please find attached zip file as requested.

Thanks

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 PM

Posted 25 June 2012 - 03:15 PM

Good evening. :)

I'd like you to do the following:

1) Disable UAC as described here. Once you have completed the regfix and checked that the PC has rebooted OK, then you can re-enable it.

2) Follow the instructions here to install and run ERUNT by Lars Hederer - you are free to choose whether to have ERUNT run each time Windows boots up during the installation - personally I don't, but it is really up to you.

Once you've done the above, should your PC behave a little oddly when you run the regfix below, navigate to the folder where the back-up is stored, C:\WINDOWS\ERDNT\date by default, and double click the file erdnt.exe located there.

Although you are unlikely to have any issues with the regfix, better safe than sorry.

3) Copy the contents of the following box into Notepad. (Start > All Programs > Accessories > Notepad)
Make sure that you have no blank lines at the beginning, and one blank line at the end:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
00,00,00

Save it to your Desktop with the following filename, including quotation marks:

"regfix.reg"

Locate Regfix.reg on your Desktop and double click it.
Click on Yes in the confirmation window.

4) Reboot your PC and tell me if the Security Centre is working now.

So long, and thanks for all the fish.

 

 


#13 demon8991

demon8991
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 26 June 2012 - 03:10 AM

Unfortunately this hasn't worked, my firewall still isn't turned on.

I get the attached error message when I try and manually start the service in 'Services'.

#14 demon8991

demon8991
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 26 June 2012 - 03:15 AM

I also ran the previous FSS & RegQuery after doing the RegFix, see attached.

Attached Files

  • Attached File  FSS.txt   2.49KB   2 downloads

Edited by demon8991, 26 June 2012 - 03:24 AM.


#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 PM

Posted 26 June 2012 - 02:45 PM

Good evening. :)

Click the Start button and enter the following into the Search programs and files textbox: cmd
Hit <ENTER> and a Command Window should open.
Copy and paste the following into that and hit <ENTER>: sc query "MpsSvc" >> "%userprofile%\desktop\service query.txt"

I'd like the contents of service query.txt, which you should find on your Desktop, in your next reply - copy and paste is fine.

So long, and thanks for all the fish.

 

 




