win64/sirefef.y and .b on Vista 64 bit


  • This topic is locked
8 replies to this topic

#1 bmalys

  • Members
  • 4 posts

Posted 20 July 2012 - 12:02 AM

Hello, my Norton antivirus subscription ran out last week and I switched to Microsoft Security Essentials. After installing it, I tried to update its definitions, but the computer began restarting after startup. I get the critical error message saying my computer will restart in one minute. This occurs in all 3 safe modes immediately after logging into Windows. MSE says I have win64/sirefef.y and win64/sirefef.b but it cannot remove them before shutdown occurs.

I have Windows Vista 64-bit on the computer. My girlfriend has a laptop, so I'll be able to access the Internet directly while working on the infected computer. I looked at other posts on the forum and took the liberty of running frst64.exe and got the two logs everyone seems to ask for initially. They are posted below.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<FRST64.exe>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 20-07-2012 00:45:30
Running from F:\
Windows Vista ™ Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [Acer Empowering Technology Monitor] C:\Program Files\Acer\Empowering Technology\SysMonitor.exe [319488 2008-06-02] ()
HKLM\...\Run: [EmpoweringTechnology] C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe boot [319488 2008-06-02] ()
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun [825184 2009-09-30] (Microsoft Corporation)
HKLM-x32\...\Run: [PCMMediaSharing] "C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [204908 2008-05-20] ()
HKLM-x32\...\Run: [BkupTray] "C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [28672 2008-04-25] ()
HKLM-x32\...\Run: [eRecoveryService] [x]
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-03-17] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\Brian\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Brian\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Brian\...\Run: [Google Update] "C:\Users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-11] (Google Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2008-01-20] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2008-01-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Windchill ProductPoint Client Manager.lnk
ShortcutTarget: Windchill ProductPoint Client Manager.lnk -> C:\Windows\Installer\{371E8B48-2AF1-491B-8F35-BD60D18CB927}\PPS.ico ()
Startup: C:\Users\Brian\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 Acer HomeMedia Connect Service; "C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe" [269448 2008-05-20] (CyberLink)
2 BUNAgentSvc; "C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe" [16384 2008-03-03] (NewTech Infosystems, Inc.)
2 eDataSecurity Service; "C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe" [500784 2008-07-29] (Egis Incorporated)
2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-06-02] ()
3 iPod Service; "C:\Program Files (x86)\iPod\bin\iPodService.exe" [660256 2010-04-28] (Apple Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 NTISchedulerSvc; C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [131072 2008-04-25] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe" [241734 2008-06-13] ()
2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2012-01-22] (TomTom)

========================== Drivers (Whitelisted) =============

0 ahcix64s; C:\Windows\System32\Drivers\ahcix64s.sys [215568 2008-04-01] (AMD Technologies Inc.)
2 int15; C:\Windows\SysWow64\Drivers\int15.sys [15392 2008-06-02] (Acer, Inc.)
3 ITEIO.SYS; \??\c:\Windows\System32\drivers\ITEIO.sys [13144 2008-02-25] (Windows ® Codename Longhorn DDK provider)
3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30232 2009-10-06] ()
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [102600 2009-03-25] (McAfee, Inc.)
1 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [307400 2009-03-25] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\Drivers\mferkdk.sys [40904 2009-03-25] (McAfee, Inc.)
3 mfesmfk; C:\Windows\System32\Drivers\mfesmfk.sys [49480 2009-03-25] (McAfee, Inc.)
3 MODEMCSA; C:\Windows\System32\Drivers\MODEMCSA.sys [24064 2008-01-20] (Microsoft Corporation)
0 PSDFilter; C:\Windows\System32\Drivers\PSDFilter.sys [22064 2008-07-29] (Egis Incorporated)
2 PSDNServ; C:\Windows\System32\Drivers\PSDNServ.sys [21040 2008-07-29] (Egis Incorporated)
2 psdvdisk; C:\Windows\System32\Drivers\psdvdisk.sys [60976 2008-07-29] (Egis Incorporated)
3 smserial; C:\Windows\System32\Drivers\smserial.sys [1453056 2007-02-01] (Motorola Inc.)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [868848 2009-04-22] (Duplex Secure Ltd.)
0 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [16384 2008-01-30] (NewTech Infosystems Corporation)
3 XBCD; C:\Windows\System32\Drivers\XBCD.sys [23936 2007-02-10] (Redcl0ud)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-20 00:45 - 2012-07-20 00:45 - 00000000 ____D C:\FRST
2012-07-19 20:07 - 2012-07-19 20:07 - 00265752 ____A C:\Windows\Minidump\Mini072012-01.dmp
2012-07-19 20:07 - 2012-07-19 20:07 - 00000000 ____D C:\Windows\Minidump
2012-07-19 20:06 - 2012-07-19 20:07 - 311827981 ____A C:\Windows\MEMORY.DMP
2012-07-19 19:45 - 2012-07-19 19:45 - 00001830 ____A C:\Users\Brian\Desktop\Microsoft Security Essentials.lnk
2012-07-19 19:24 - 2012-07-19 19:24 - 00000000 ____D C:\Users\Brian\Desktop\Microsoft Security Client
2012-07-19 19:15 - 2012-07-19 19:15 - 00000730 ____A C:\Users\Brian\Desktop\shutdown.lnk
2012-07-19 19:02 - 2012-07-19 19:02 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fnoiigeq.sys
2012-07-19 18:44 - 2012-01-31 01:59 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-07-19 18:37 - 2012-07-19 18:37 - 00005526 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-19 18:37 - 2012-07-19 18:37 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-19 18:37 - 2012-07-19 18:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-19 17:37 - 2012-07-19 17:37 - 00000000 ____D C:\Users\Brian\AppData\Roaming\InstallShield
2012-07-19 17:32 - 2012-07-19 19:06 - 00000000 ____D C:\Windows\pss
2012-07-19 17:28 - 2012-07-19 19:35 - 00002198 ____A C:\Windows\epplauncher.mif
2012-07-19 17:13 - 2012-07-19 17:14 - 12621696 ____A (Microsoft Corporation) C:\Users\Brian\Desktop\mseinstall (1).exe
2012-07-11 15:36 - 2012-07-19 18:46 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-336939099-834528696-3004532322-1000UA.job
2012-07-11 15:36 - 2012-07-18 19:46 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-336939099-834528696-3004532322-1000Core.job
2012-07-08 17:24 - 2012-07-18 15:45 - 00002619 ____A C:\Users\Brian\Desktop\Microsoft Word.lnk
2012-07-05 20:36 - 2012-07-05 20:36 - 00000126 ____A C:\Windows\wininit.ini
2012-07-04 17:14 - 2012-07-18 17:49 - 00000000 ____D C:\Users\Brian\Desktop\Sandy Bio
2012-06-24 23:20 - 2012-06-24 23:23 - 00000712 ____A C:\data

============ 3 Months Modified Files ========================

2012-07-19 20:41 - 2010-03-16 23:29 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-19 20:41 - 2008-01-20 18:49 - 00384512 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-19 20:40 - 2009-01-17 06:54 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
2012-07-19 20:40 - 2008-08-20 11:16 - 00000147 ____A C:\Windows\SysWOW64\agent.log
2012-07-19 20:40 - 2008-01-20 19:26 - 07454734 ____A C:\Windows\PFRO.log
2012-07-19 20:40 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-19 20:40 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-19 20:40 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-19 20:35 - 2010-03-16 23:29 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-19 20:07 - 2012-07-19 20:07 - 00265752 ____A C:\Windows\Minidump\Mini072012-01.dmp
2012-07-19 20:07 - 2012-07-19 20:06 - 311827981 ____A C:\Windows\MEMORY.DMP
2012-07-19 19:45 - 2012-07-19 19:45 - 00001830 ____A C:\Users\Brian\Desktop\Microsoft Security Essentials.lnk
2012-07-19 19:35 - 2012-07-19 17:28 - 00002198 ____A C:\Windows\epplauncher.mif
2012-07-19 19:15 - 2012-07-19 19:15 - 00000730 ____A C:\Users\Brian\Desktop\shutdown.lnk
2012-07-19 19:02 - 2012-07-19 19:02 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fnoiigeq.sys
2012-07-19 18:46 - 2012-07-11 15:36 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-336939099-834528696-3004532322-1000UA.job
2012-07-19 18:38 - 2009-01-17 06:46 - 01441654 ____A C:\Windows\WindowsUpdate.log
2012-07-19 18:37 - 2012-07-19 18:37 - 00005526 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-19 18:11 - 2006-11-02 04:46 - 00005336 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-19 18:04 - 2010-01-15 14:14 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-07-19 18:04 - 2006-11-02 07:42 - 00032548 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-19 17:14 - 2012-07-19 17:13 - 12621696 ____A (Microsoft Corporation) C:\Users\Brian\Desktop\mseinstall (1).exe
2012-07-18 19:46 - 2012-07-11 15:36 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-336939099-834528696-3004532322-1000Core.job
2012-07-18 15:45 - 2012-07-08 17:24 - 00002619 ____A C:\Users\Brian\Desktop\Microsoft Word.lnk
2012-07-05 20:36 - 2012-07-05 20:36 - 00000126 ____A C:\Windows\wininit.ini
2012-07-02 23:19 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-24 23:23 - 2012-06-24 23:20 - 00000712 ____A C:\data
2012-06-18 20:49 - 2012-02-14 09:29 - 00001940 ____A C:\Users\Public\Desktop\Tutor.com Classroom.lnk
2012-06-14 20:33 - 2008-08-20 11:22 - 00029008 ____A C:\Users\Public\eDSMSNLoader32.log
2012-05-30 06:32 - 2006-11-02 07:21 - 00312472 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-12 10:03 - 2011-04-26 22:05 - 00183296 ____A C:\Users\Brian\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-30 07:48 - 2011-04-26 23:07 - 00071536 ____A C:\Users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-26 16:34 - 2012-04-26 16:34 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-04-26 16:34 - 2012-04-26 16:34 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-04-26 16:34 - 2012-04-26 16:34 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-04-26 16:34 - 2012-04-26 16:34 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-04-26 16:33 - 2012-04-26 16:34 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-04-22 18:35 - 2006-11-02 07:27 - 00059628 ____A C:\Windows\setupact.log

ZeroAccess:
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\@
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\L
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\n
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\U
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\U\00000001.@

ZeroAccess:
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\@
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\L
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\U
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\U\00000001.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BA539D2CE99C05A180EC518EA2040D6A ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 3838.38 MB
Available physical RAM: 3396.08 MB
Total Pagefile: 3714.31 MB
Available Pagefile: 3475.67 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:232.59 GB) (Free:58.63 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:348.93 GB) (Free:175.27 GB) NTFS
4 Drive f: () (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32
9 Drive x: (PQSERVICE) (Fixed) (Total:14.65 GB) (Free:1.41 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 596 GB 1340 KB
Disk 1 Online 3836 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 15 GB 32 KB
Partition 2 Primary 233 GB 15 GB
Partition 3 Primary 349 GB 247 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 X PQSERVICE NTFS Partition 15 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 C ACER NTFS Partition 233 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D DATA NTFS Partition 349 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3828 MB 19 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 3828 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-19 18:21

======================= End Of Log ==========================




<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<SEARCH.TXT>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.


Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 2012-07-20 00:46:50
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2008-01-20 18:49] - [2012-07-19 20:41] - 0384512 ____A (Microsoft Corporation) BA539D2CE99C05A180EC518EA2040D6A

C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-23 15:54] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-23 15:55] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

====== End Of Search ======



#2 CatByte


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 20 July 2012 - 11:36 AM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM-x32\...\Run: [] [x]
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
replace: C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
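The two logs in the opening post and the fixlist above together make a small, repeatable triage: FRST's own integrity check flags C:\Windows\System32\services.exe, the Search result shows that same 384512-byte file carrying an MD5 that matches neither WinSxS copy and a modification time from the day of the infection (the file's size is unchanged, so only the hash gives it away), and FRST's two "ZeroAccess:" blocks name the GUID folders to remove. The script below is an added example, not FRST's, the poster's or the Malware Response Team's own code. It runs those three checks over constructed sample lines copied from this thread's logs and emits a fixlist in the same shape as the one posted. The line patterns it parses, the x64 assumption, and the rule for choosing the replacement copy are this example's assumptions.

```python
"""Offline triage of an FRST log for the Sirefef/ZeroAccess indicators acted on in this thread."""
import re
from collections import namedtuple

# Constructed sample, modelled on the FRST.txt and Search.txt output posted above.
SAMPLE_LOG = r"""
C:\Windows\System32\services.exe BA539D2CE99C05A180EC518EA2040D6A ZeroAccess <==== ATTENTION!.

ZeroAccess:
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\U\00000001.@

ZeroAccess:
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48}\@

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719
C:\Windows\SysWOW64\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2008-01-20 18:49] - [2012-07-19 20:41] - 0384512 ____A (Microsoft Corporation) BA539D2CE99C05A180EC518EA2040D6A
C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-23 15:55] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3
"""

# Line shapes are assumed from the log above (FRST's format is not documented on this page).
ATTENTION_RE = re.compile(r"^(?P<path>.+?) (?P<md5>[0-9A-F]{32}) (?P<family>\S+) <==== ATTENTION", re.I)
GUID_DIR_RE = re.compile(r"^(?P<root>.+\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})(?:\\.*)?$", re.I)
DETAIL_RE = re.compile(r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) \S+ "
                       r"(?:\([^)]*\) )?(?P<md5>[0-9A-F]{32})$", re.I)
FileEntry = namedtuple("FileEntry", "path created modified size md5")

def is_reference(e):  # component-store / staged-update copies: not what the system runs
    low = e.path.lower()
    return "\\winsxs\\" in low or "\\softwaredistribution\\" in low

def arch(e):  # assumes an x64 host, as the "(X64)" in the FRST header states
    low = e.path.lower()
    return "x86" if ("\\x86_" in low or "\\syswow64\\" in low) else "amd64"

def parse_attention(lines):
    """Files FRST itself flagged in its 'Bamital & volsnap Check' section."""
    return [(m["path"], m["md5"].upper(), m["family"]) for m in map(ATTENTION_RE.match, lines) if m]

def parse_zeroaccess_dirs(lines):
    """Root GUID folders inside FRST's 'ZeroAccess:' blocks only: a GUID folder under C:\\Windows\\Installer
    is normal by itself (the Windchill shortcut in the same log points into one); what marks ZeroAccess
    is FRST's classification from the @, L, n and U\\00000001.@ entries beneath it."""
    roots, in_block = [], False
    for line in lines:
        if line == "ZeroAccess:":
            in_block = True
        elif not line.strip():
            in_block = False
        elif in_block and (m := GUID_DIR_RE.match(line)) and m["root"] not in roots:
            roots.append(m["root"])
    return roots

def parse_search(lines):
    """Pairs each path in a 'Search:' result with its [created] - [modified] - size ... MD5 line."""
    entries, pending = [], None
    for line in lines:
        if pending and (m := DETAIL_RE.match(line)):
            entries.append(FileEntry(pending, m["created"], m["modified"], int(m["size"]), m["md5"].upper()))
        pending = line if re.match(r"^[A-Za-z]:\\", line) else None
    return entries

def find_patched(entries):
    """Live copies whose MD5 matches no reference copy (ZeroAccess patches services.exe in place, keeping
    its size), each paired with a same-architecture reference to restore from. The component store is
    preferred here; the helper above instead used the SP2 copy staged under SoftwareDistribution."""
    refs = [e for e in entries if is_reference(e)]
    known = {r.md5 for r in refs}
    result = []
    for live in entries:
        if is_reference(live) or live.md5 in known:
            continue
        same_arch = sorted((r for r in refs if arch(r) == arch(live)),
                           key=lambda r: ("\\winsxs\\" not in r.path.lower(), r.path))
        result.append((live, same_arch[0] if same_arch else None))
    return result

def build_fixlist(za_roots, patched):
    """FRST fixlist in the shape of the one posted above: folders to remove, then replace: lines."""
    body = ["start", *za_roots] + [f"replace: {ref.path} {live.path}" for live, ref in patched if ref]
    return "\n".join(body + ["end"])

def triage(log_text):
    lines = log_text.splitlines()
    za_roots = parse_zeroaccess_dirs(lines)
    patched = find_patched(parse_search(lines))
    return {"attention": parse_attention(lines), "zeroaccess_dirs": za_roots,
            "patched": patched, "fixlist": build_fixlist(za_roots, patched)}
```

Call triage(SAMPLE_LOG), or pass it the concatenated FRST.txt and Search.txt from a real run; the "fixlist" entry is the text that would go into fixlist.txt. Two caveats a practitioner should keep: a GUID-named folder under C:\Windows\Installer is not an indicator on its own, which is why the script trusts only the folders FRST places in a "ZeroAccess:" block; and the SysWOW64 copy is cleared precisely because its hash matches the x86 component-store copy, so a missing reference copy would show up as a finding with no replacement rather than as a clean result.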


#3 bmalys (Topic Starter)

  • Members
  • 4 posts

Posted 20 July 2012 - 08:09 PM

The automatic restart has stopped, so it looks like the major problem has been taken care of. Here are the logs from the last post. Thanks for the quick response to my initial post.

<<<<<<<<<<<<<<<<<<<<<<<<<<FIXLOG from FRST>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 02
Ran by SYSTEM at 2012-07-20 19:37:02 Run:1
Running from D:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48} moved successfully.
C:\Users\Brian\AppData\Local\{d2eb99c7-a410-ae99-9ea5-dc70809c9b48} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\SoftwareDistribution\Download\d15e0adcf011f7a00bde2023e8b74a00\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<log from combofix>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


ComboFix 12-07-20.02 - Brian 07/20/2012 19:55:35.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3838.2503 [GMT -4:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
AV: McAfee VirusScan *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brian\AppData\Roaming\.#
c:\windows\SysWow64\briblo dir
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Failed to delete
c:\windows\TEMP\logishrd\LVPrcInj02.dll . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-06-21 to 2012-07-21 )))))))))))))))))))))))))))))))
.
.
2012-07-21 00:05 . 2012-07-21 00:54 -------- d-----w- c:\users\Brian\AppData\Local\temp
2012-07-21 00:05 . 2012-07-21 00:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-20 08:45 . 2012-07-20 08:45 -------- d-----w- C:\FRST
2012-07-20 03:02 . 2012-07-20 03:02 50392 ----a-w- c:\windows\system32\drivers\fnoiigeq.sys
2012-07-20 02:44 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-07-20 02:44 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69F73A35-D6C1-4CA7-B275-9AC93B914EA5}\gapaengine.dll
2012-07-20 02:44 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ADCFC388-9A9F-4581-B1EA-0D1213167B35}\mpengine.dll
2012-07-20 02:44 . 2012-01-31 09:59 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-07-20 02:37 . 2012-07-20 02:37 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-20 02:37 . 2012-07-20 02:37 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-20 01:37 . 2012-07-20 01:37 -------- d-----w- c:\users\Brian\AppData\Roaming\InstallShield
2012-07-11 23:37 . 2012-07-11 23:37 -------- d-----w- c:\users\Brian\AppData\Local\Programs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 07:19 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-04-27 00:34 . 2012-04-27 00:34 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-04-27 00:33 . 2012-04-27 00:34 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 00:52 121392 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PCMMediaSharing"="c:\program files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-05-21 204908]
"BkupTray"="c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windchill ProductPoint Client Manager.lnk - c:\windows\Installer\{371E8B48-2AF1-491B-8F35-BD60D18CB927}\PPS.ico [2011-12-1 7782]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-21 269448]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-17 07:29]
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-17 07:29]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-336939099-834528696-3004532322-1000Core.job
- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-11 23:36]
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-336939099-834528696-3004532322-1000UA.job
- c:\users\Brian\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-11 23:36]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 00:53 50736 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-05-20 6296064]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-06-02 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-06-02 319488]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp64&d=0109&m=aspire_m3201
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp64&d=0109&m=aspire_m3201
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-eRecoveryService - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-CoreAAC Audio Decoder - c:\windows\system32\CoreAAC-uninstall.exe
AddRemove-Fading Text Screen Saver_is1 - c:\windows\system32\unins000.exe
AddRemove-FoxyTunesForFirefox - c:\program files (x86)\Mozilla Firefox\firefox.exe
AddRemove-Ogg Converter_is1 - c:\program files (x86)\Free Mp3WmaOgg Converter\unins000.exe
AddRemove-Frets on Fire - c:\program files (x86)\Frets on Fire\Uninstall.exe
AddRemove-PlugY, The Survival Kit - d:\diablo ii\Mod PlugY\PlugY Uninstaller.exe
AddRemove-Resize-O-Matic - c:\windows\system32\uninst.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-Tag and M3U_is1 - c:\program files (x86)\TagM3U\unins000.exe
AddRemove-WhiteCap - c:\program files (x86)\SoundSpectrum\WhiteCap\Uninstall.exe
AddRemove-{08234a0d-cf39-4dca-99f0-0c5cb496da81} - c:\program files (x86)\Bing Bar Installer\InstallManager.exe
AddRemove-{6304587B-3C05-4031-A8E7-7938CB9162E7}_is1 - c:\program files (x86)\meta-iPod
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-336939099-834528696-3004532322-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:83,02,82,6d,13,f4,b4,64,53,d5,8c,7b,84,ec,6e,3d,1a,23,91,3d,f6,17,8b,
d6,57,7b,da,d1,25,99,c2,f9,76,8e,8b,6e,c5,58,72,e3,10,a4,83,9b,bd,46,30,5b,\
"??"=hex:f9,3a,9c,79,87,5e,05,fb,0b,f2,2e,13,43,09,e8,25
.
[HKEY_USERS\S-1-5-21-336939099-834528696-3004532322-1000\Software\SecuROM\License information*]
"datasecu"=hex:32,6c,6b,f9,48,31,9c,b8,5e,5f,25,e7,6e,f7,f7,fa,61,5f,f1,ea,1e,
e0,f3,3c,c4,db,da,a8,ff,f1,82,c8,13,23,c8,cb,64,7e,cf,95,a7,91,d5,69,e4,42,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe
.
**************************************************************************
.
Completion time: 2012-07-20 20:57:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-21 00:57
.
Pre-Run: 63,710,547,968 bytes free
Post-Run: 64,101,380,096 bytes free
.
- - End Of File - - BC0B6F956B389815D386A5E67D245056

#4 CatByte (Malware Response Team)

Posted 20 July 2012 - 08:14 PM

Looking better, but I'd like to run a couple more scans just to make sure we get any leftovers.

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 bmalys (Topic Starter)

Posted 21 July 2012 - 08:37 PM

Here is the Malware report and the ESET report

<<<<<<<<<<<<<<<<MALWARE>>>>>>>>>>>>>>>>>>>>>>


Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.21.09

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 7.0.6001.18000
Brian :: MALYS-PC [administrator]

Protection: Enabled

7/21/2012 12:53:38 PM
mbam-log-2012-07-21 (12-53-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194305
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



<<<<<<<<<<<<<<<<ESET>>>>>>>>>>>>>>>>>>>>>>


C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Trial Creator\Export\SoftDMA_Trial\Autorun.inf INF/Autorun.gen worm

#6 CatByte (Malware Response Team)

Posted 21 July 2012 - 08:57 PM

The ESET detection isn't anything to worry about.

NEXT

Go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT

Please advise how the computer is running now and if there are any outstanding issues.


#7 bmalys (Topic Starter)

Posted 23 July 2012 - 12:41 PM

Everything seems to be running properly. WSE ran a scan and came back totally clean, and it has not rebooted unexpectedly. Thank you very much for your help!

#8 CatByte (Malware Response Team)

Posted 23 July 2012 - 12:47 PM

Please make sure that your Windows Updates is working properly, as this infection has been breaking that service on some machines lately.

If all is OK, then we can proceed to clean up our tools.


#9 CatByte (Malware Response Team)

Posted 29 July 2012 - 04:36 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
