Windows Vista automatic restart loop


  • This topic is locked
23 replies to this topic

#1 uncle_pat11

uncle_pat11

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:17 PM

Posted 21 July 2012 - 03:33 PM

Hi,

I seem to have the same issue as this topic http://www.bleepingcomputer.com/forums/topic458990.html

After having uninstalled and reinstalled Microsoft Security Essentials, a scan found a virus/trojan and a message came up saying that Windows would automatically restart in one minute. The computer is now stuck in a loop of automatically restarting every time Windows opens. I've read the other topics on this and run the Farbar scan. I will put the log below. Any help would be greatly appreciated.

PS. I have no other computer at home, so there may be a day or two between me replying to any messages as I try to use either my friend's computer or my computer at work.

Thanks in advance.

#2 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:17 PM

Posted 21 July 2012 - 03:35 PM

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 21-07-2012 20:47:32
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [142104 2007-05-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [154392 2007-05-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [138008 2007-05-25] (Intel Corporation)
HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup [581632 2007-07-10] (TOSHIBA)
HKLM\...\Run: [Desktop SMS] C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe /auto [1507328 2007-06-18] (Interactive Digital Media)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [411192 2007-03-29] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [509496 2007-04-03] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [538744 2007-05-22] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe [571024 2007-05-04] (Toshiba)
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-26] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Carl\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\Carl\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Carl\...\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Carl\...\Run: [Google Update] "C:\Users\Carl\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-06-07] (Google Inc.)
HKU\Carl\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [436088 2007-06-27] ()
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [436088 2007-06-27] ()
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\ExifLauncher2.lnk
ShortcutTarget: ExifLauncher2.lnk -> C:\Program Files\FinePixViewer\QuickDCF2.exe (FUJIFILM Corporation)

================================ Services (Whitelisted) ==================

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
3 GoToAssist; "C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe" Start=service [16680 2009-12-23] (Citrix Online, a division of Citrix Systems, Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
2 TosCoSrv; "C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe" [427576 2007-03-29] (TOSHIBA Corporation)
2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)

========================== Drivers (Whitelisted) =============

3 INQ1usbser; C:\Windows\System32\DRIVERS\INQ1usbser.sys [103680 2008-03-19] (AMOI Incorporated)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [252416 2007-06-01] (Realtek Semiconductor Corporation )
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-21 20:47 - 2012-07-21 20:47 - 00000000 ____D C:\FRST
2012-07-21 11:34 - 2012-07-21 11:34 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mtaxfhqz.sys
2012-07-17 11:23 - 2012-07-17 11:23 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ngqhrcyy.sys
2012-07-17 10:46 - 2012-07-17 10:46 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-17 10:38 - 2012-07-17 10:39 - 00000000 ____D C:\Users\Carl\AppData\Local\{9D33168B-8B8E-4347-B99E-2D03B48A8A86}
2012-07-17 10:38 - 2012-07-17 10:38 - 00000000 ____D C:\Users\Carl\AppData\Local\{0DFC07B1-01D5-4730-9D6D-EA85B4728315}
2012-07-16 06:32 - 2012-07-16 06:32 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-16 06:24 - 2012-07-16 06:24 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-16 02:19 - 2012-07-16 02:19 - 00000000 ____D C:\Users\Carl\AppData\Local\{F62E6F07-8FE9-46CC-85EB-F0210D597860}
2012-07-16 02:18 - 2012-07-16 02:19 - 00000000 ____D C:\Users\Carl\AppData\Local\{9209432B-D501-4D2D-B46A-D06BBB3B7489}
2012-07-15 05:57 - 2012-07-15 05:57 - 00000000 ____D C:\Users\Carl\AppData\Local\{A9A585BA-A490-4D70-AA19-3F3002373EA8}
2012-07-15 05:57 - 2012-07-15 05:57 - 00000000 ____D C:\Users\Carl\AppData\Local\{042E927D-B5A8-460E-A5DE-5FC038527845}
2012-07-12 01:41 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-12 01:37 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-12 01:37 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-12 01:37 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-12 01:37 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-12 01:37 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-12 01:37 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-12 01:37 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-12 01:37 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-12 01:37 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-12 01:37 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-12 01:37 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-12 01:37 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-12 01:37 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-12 01:37 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 01:33 - 2012-07-12 01:33 - 00000000 ____D C:\Users\Carl\AppData\Local\{91F49144-4CE4-4B77-825B-31C7CC6F7D5A}
2012-07-12 01:33 - 2012-07-12 01:33 - 00000000 ____D C:\Users\Carl\AppData\Local\{8E8F5DA4-D1C2-444B-82A7-23F425C11272}
2012-07-11 10:44 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 10:44 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 10:44 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 10:41 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 10:41 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 10:41 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 10:32 - 2012-07-11 10:32 - 00000000 ____D C:\Users\Carl\AppData\Local\{6065AB75-2A2B-4E25-99B6-12E648AEE76A}
2012-07-11 10:32 - 2012-07-11 10:32 - 00000000 ____D C:\Users\Carl\AppData\Local\{293B3522-35EB-4FEE-8C88-AF2F121171CE}
2012-07-10 10:42 - 2012-07-10 10:42 - 00000000 ____D C:\Users\Carl\AppData\Local\{F7943C69-12AA-474D-9D32-C90FA003EC1C}
2012-07-10 10:41 - 2012-07-10 10:42 - 00000000 ____D C:\Users\Carl\AppData\Local\{B9717675-473A-4D09-A791-BC9ABD0C8620}
2012-07-09 09:58 - 2012-07-09 09:58 - 00000000 ____D C:\Users\Carl\AppData\Local\{78F36842-B8A2-4548-9C79-C23EE3AB8ED2}
2012-07-09 09:58 - 2012-07-09 09:58 - 00000000 ____D C:\Users\Carl\AppData\Local\{6BABDE05-1539-43FE-B2AA-773CE4F01E1F}
2012-07-08 04:33 - 2012-07-08 04:34 - 00000000 ____D C:\Users\Carl\AppData\Local\{7E299426-46C3-4DD8-A209-637F8128DB3C}
2012-07-08 04:33 - 2012-07-08 04:33 - 00000000 ____D C:\Users\Carl\AppData\Local\{D2BA34FE-0581-4EBA-9C37-1F86F55AFB4A}
2012-07-08 04:11 - 2012-07-08 04:11 - 00000000 ____D C:\Users\Carl\AppData\Local\{8933F13C-025F-418E-85D6-A6E5A52B60A2}
2012-07-07 03:25 - 2012-07-07 03:26 - 00000000 ____D C:\Users\Carl\AppData\Local\{6C4490B3-6978-406E-A7E2-42CC3E6CCCFA}
2012-07-07 03:25 - 2012-07-07 03:25 - 00000000 ____D C:\Users\Carl\AppData\Local\{7FFE923A-5D44-4954-BF3C-BB12A4D2EF10}
2012-07-06 13:44 - 2012-07-06 13:44 - 00000000 ____D C:\Users\Carl\AppData\Local\{F4ABE983-D4E8-4623-9942-2101B054DD0B}
2012-07-06 13:43 - 2012-07-06 13:44 - 00000000 ____D C:\Users\Carl\AppData\Local\{82F57C80-CBCF-4C53-9552-EA4C4F98E13F}
2012-07-05 12:52 - 2012-07-05 12:52 - 00000000 ____D C:\Users\Carl\AppData\Local\{AA2676D1-7358-4968-BD4E-7EC482C25713}
2012-07-05 12:52 - 2012-07-05 12:52 - 00000000 ____D C:\Users\Carl\AppData\Local\{8B2BAB62-6F3E-47B6-A6AB-39E257323F8F}
2012-07-04 10:07 - 2012-07-04 10:07 - 00000000 ____D C:\Users\Carl\AppData\Local\{A467E110-3D83-4605-979F-995298D1F65B}
2012-07-04 10:07 - 2012-07-04 10:07 - 00000000 ____D C:\Users\Carl\AppData\Local\{49432018-5F83-4683-81FC-1FA90C8861DF}
2012-07-03 09:44 - 2012-07-03 09:44 - 00000000 ____D C:\Users\Carl\AppData\Local\{C83419F4-EC7B-4A2E-9562-9EF077F3817C}
2012-07-03 09:44 - 2012-07-03 09:44 - 00000000 ____D C:\Users\Carl\AppData\Local\{609F8FC8-F8B8-4606-8297-687D107EE84E}
2012-07-02 11:32 - 2012-07-02 11:32 - 00000000 ____D C:\Users\Carl\AppData\Local\{827C4BB6-6C11-4496-961D-7CC617859EBC}
2012-07-02 11:31 - 2012-07-02 11:32 - 00000000 ____D C:\Users\Carl\AppData\Local\{6DC002AD-E2BD-42BC-B39F-F2F2F5D0B9DA}
2012-07-01 05:59 - 2012-07-01 05:59 - 00000000 ____D C:\Users\Carl\AppData\Local\{939D407C-9537-4B74-8B92-D206592EDCB8}
2012-07-01 05:58 - 2012-07-01 05:59 - 00000000 ____D C:\Users\Carl\AppData\Local\{B0E49167-7751-41B6-8087-CED3D550FCCB}
2012-06-29 10:37 - 2012-06-29 10:38 - 00000000 ____D C:\Users\Carl\AppData\Local\{3916FBD6-1346-4063-8C52-4C6264631ADA}
2012-06-29 10:37 - 2012-06-29 10:37 - 00000000 ____D C:\Users\Carl\AppData\Local\{9160F464-FAFF-44EF-AA43-EEEE35464DC4}
2012-06-28 09:20 - 2012-06-28 09:20 - 00000000 ____D C:\Users\Carl\AppData\Local\{C55E072B-0658-4A88-A9F4-636BEE20DC9B}
2012-06-28 09:20 - 2012-06-28 09:20 - 00000000 ____D C:\Users\Carl\AppData\Local\{0CDF7169-595F-498B-B37F-5089236CDD57}
2012-06-27 11:22 - 2012-06-27 11:22 - 00000000 ____D C:\Users\Carl\AppData\Local\{8CAB41D0-4B8A-4DAF-B6BE-CF8AC10A52B9}
2012-06-27 11:22 - 2012-06-27 11:22 - 00000000 ____D C:\Users\Carl\AppData\Local\{66AC0F41-1A21-447A-B146-A0F0DC26A3F7}
2012-06-26 11:28 - 2012-06-26 11:28 - 00000000 ____D C:\Users\Carl\AppData\Local\{E5CE0356-9D49-4A46-860C-1274A01BD940}
2012-06-26 11:28 - 2012-06-26 11:28 - 00000000 ____D C:\Users\Carl\AppData\Local\{4429B71C-3C29-4B58-B498-3967C5DF7ABE}
2012-06-25 11:15 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-25 11:15 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-25 11:15 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-25 11:15 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-25 11:14 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-25 11:14 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-25 11:14 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-25 11:14 - 2012-06-02 06:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-25 11:14 - 2012-06-02 06:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-25 11:12 - 2012-06-25 11:12 - 00000000 ____D C:\Users\Carl\AppData\Local\{54AF0F0D-36D3-4BCA-B0E8-950F06A5C8E8}
2012-06-25 11:12 - 2012-06-25 11:12 - 00000000 ____D C:\Users\Carl\AppData\Local\{4A0BF007-F41F-4787-B019-5E6FCD1D1BDC}
2012-06-24 02:28 - 2012-06-24 02:28 - 00000000 ____D C:\Users\Carl\AppData\Local\{CC99CF3A-48A6-44DE-AFB8-E3597BEC030C}
2012-06-24 02:28 - 2012-06-24 02:28 - 00000000 ____D C:\Users\Carl\AppData\Local\{9F0686D9-C179-4EE2-BF3E-91D9C2F3D870}
2012-06-23 14:25 - 2012-06-23 14:25 - 00000000 ____D C:\Users\Carl\AppData\Local\{2C37123C-B6C1-4CF5-85A5-AABF2789064B}
2012-06-23 02:20 - 2012-06-23 02:20 - 00000000 ____D C:\Users\Carl\AppData\Local\{B65B396D-0746-4BB2-9722-9580C4382241}
2012-06-22 13:14 - 2012-06-22 13:14 - 00000000 ____D C:\Users\Carl\AppData\Local\{E479559B-9CEC-4B5C-81BD-9EC6D0C71E52}
2012-06-22 13:14 - 2012-06-22 13:14 - 00000000 ____D C:\Users\Carl\AppData\Local\{AE660700-1FA0-4501-9EFF-C0A5E1ADDB66}
2012-06-21 09:20 - 2012-06-21 09:21 - 00000000 ____D C:\Users\Carl\AppData\Local\{152C57E0-799C-4B80-877E-0E6F4DDE901A}
2012-06-21 09:20 - 2012-06-21 09:20 - 00000000 ____D C:\Users\Carl\AppData\Local\{40A30FBB-136C-4B79-AA20-666612A6C41E}

============ 3 Months Modified Files ========================

2012-07-21 11:34 - 2012-07-21 11:34 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\mtaxfhqz.sys
2012-07-21 11:34 - 2009-10-21 12:37 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-21 11:34 - 2006-11-02 04:52 - 00028187 ____A C:\Windows\setupact.log
2012-07-21 11:33 - 2012-02-19 04:55 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-21 11:33 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-21 11:33 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-21 11:33 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-17 11:23 - 2012-07-17 11:23 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ngqhrcyy.sys
2012-07-17 10:50 - 2007-12-27 07:11 - 01664278 ____A C:\Windows\WindowsUpdate.log
2012-07-17 10:48 - 2012-02-11 08:26 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-17 10:46 - 2006-11-02 02:33 - 00713158 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-17 10:43 - 2012-02-19 04:55 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-16 12:15 - 2006-11-02 05:01 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-16 12:06 - 2012-06-07 12:54 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-689935181-2168444996-169989891-1000UA.job
2012-07-16 06:24 - 2012-07-16 06:24 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-16 06:24 - 2011-05-13 12:20 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-15 06:04 - 2012-06-07 12:56 - 00002042 ____A C:\Users\Carl\Desktop\Google Chrome.lnk
2012-07-12 03:25 - 2006-11-02 04:47 - 00293400 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 01:38 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-11 14:38 - 2012-06-07 12:54 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-689935181-2168444996-169989891-1000Core.job
2012-07-01 12:25 - 2007-12-27 14:32 - 00150016 ____A C:\Users\Carl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-16 13:57 - 2012-06-16 13:57 - 00000680 ____A C:\Users\Carl\AppData\Local\d3d9caps.dat
2012-06-13 05:40 - 2012-07-12 01:41 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:47 - 2012-07-11 10:44 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-07 12:54 - 2012-06-07 12:54 - 00739824 ____A (Google Inc.) C:\Users\Carl\Downloads\ChromeSetup.exe
2012-06-07 12:54 - 2012-06-07 12:54 - 00739824 ____A (Google Inc.) C:\Users\Carl\Downloads\ChromeSetup(2).exe
2012-06-05 08:47 - 2012-07-11 10:44 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-11 10:44 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-11 10:41 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-25 11:15 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 11:15 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 11:15 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 11:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 11:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-25 11:15 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-25 11:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 06:19 - 2012-06-25 11:14 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 06:12 - 2012-06-25 11:14 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-12 01:37 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-12 01:37 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-12 01:37 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-12 01:37 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-12 01:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-12 01:37 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-12 01:37 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-12 01:37 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-12 01:37 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-12 01:37 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-12 01:37 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-12 01:37 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-12 01:37 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-12 01:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 16:04 - 2012-07-11 10:41 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-11 10:41 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-01 06:03 - 2012-06-14 10:02 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-23 08:00 - 2012-06-14 10:02 - 00984064 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 08:00 - 2012-06-14 10:02 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 08:00 - 2012-06-14 10:02 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll

ZeroAccess:
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\@
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\L
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\n
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\U
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\L\00000004.@
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\L\1afb2d56
C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\L\201d3dde

ZeroAccess:
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\@
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\L
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\n
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\U
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\U\00000004.@
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\U\00000008.@
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\U\000000cb.@
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\U\80000000.@
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}\U\80000032.@

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 2037.81 MB
Available physical RAM: 1629.71 MB
Total Pagefile: 1814.79 MB
Available Pagefile: 1684.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (Vista) (Fixed) (Total:55.81 GB) (Free:14.6 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Data) (Fixed) (Total:54.51 GB) (Free:31.1 GB) NTFS
4 Drive f: (WinRE) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS
5 Drive g: () (Removable) (Total:7.26 GB) (Free:7.26 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 4537 KB
Disk 1 Online 7442 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 56 GB 1501 MB
Partition 3 Primary 55 GB 57 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F WinRE NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Vista NTFS Partition 56 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Data NTFS Partition 55 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7438 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 G FAT32 Removable 7438 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-17 10:45

======================= End Of Log ==========================

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:17 AM

Posted 22 July 2012 - 06:25 PM

Greetings uncle_pat11 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:17 AM

Posted 24 July 2012 - 11:08 AM

Greetings uncle_pat11,

Thank you for the information. I sincerely apologize for the delay. I thought I had posted the instructions already. :(

We are ready to begin cleaning your computer if you'd like after you consider the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Farbar's Recovery Scan Tool Search

--------------------

  • In Vista or Windows 7: Boot to System Recovery Options and run FRST.
  • Type the following in the edit box

    Search: services.exe
  • Click Search button and post the log (Search.txt) it makes to your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • FRST search results

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:17 PM

Posted 25 July 2012 - 02:28 AM

Hi, The search log is as follows:

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-21 12:37] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-06-24 09:15] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2009-10-21 12:37] - [2012-07-21 11:34] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
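
As an added defensive example (not part of the thread and not FRST's own code), the following Python re-reads the Search.txt above and applies the comparison the helper makes by eye: the live System32 copy is checked against the copies Windows keeps in the winsxs component store, and a live copy whose hash matches none of them, yet shares a store copy's size and creation time, is reported as rewritten in place. It assumes the two bracketed values on each FRST line are the creation and modification times, in that order, matching the "Creation and modification date" line FRST writes in its Fixlog.

```python
"""Triage an FRST 'Search:' log: compare the live copy of a Windows binary
against the copies Windows keeps in the component store (winsxs)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample: the four entries from the Search.txt posted in this thread,
# re-typed as a literal so the script runs offline.
SAMPLE_SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-21 12:37] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-06-24 09:15] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2009-10-21 12:37] - [2012-07-21 11:34] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
# Assumption: first bracket = creation time, second = modification time.
ENTRY_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Assembly version embedded in the winsxs directory name, e.g. _6.0.6002.18005_
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass
class FileEntry:
    path: str
    created: datetime
    modified: datetime
    size: int
    attrs: str
    company: str
    md5: str

    @property
    def in_component_store(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def version(self) -> Optional[tuple]:
        m = VERSION_RE.search(self.path)
        return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_frst_search(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[FileEntry] = []
    pending_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pending_path = line
            continue
        m = ENTRY_RE.match(line)
        if m and pending_path:
            g = m.groupdict()
            entries.append(FileEntry(
                path=pending_path,
                created=datetime.strptime(g["created"], "%Y-%m-%d %H:%M"),
                modified=datetime.strptime(g["modified"], "%Y-%m-%d %H:%M"),
                size=int(g["size"]), attrs=g["attrs"],
                company=g["company"], md5=g["md5"].upper(),
            ))
            pending_path = None
    return entries


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)
    suggested_source: Optional[str] = None  # newest component-store copy


def triage(entries: List[FileEntry]) -> List[Finding]:
    """Flag live (non-winsxs) copies whose MD5 matches no component-store copy.
    Extra evidence: a store copy with identical size and creation time (file was
    rewritten in place) and a modification time later than every store copy
    (a servicing update would have left a matching copy in the store)."""
    refs = [e for e in entries if e.in_component_store]
    ref_hashes = {e.md5 for e in refs}
    newest_ref = max(refs, key=lambda e: e.version or ()) if refs else None
    findings: List[Finding] = []
    for live in (e for e in entries if not e.in_component_store):
        if live.md5 in ref_hashes:
            continue
        f = Finding(live.path, ["MD5 matches no component-store copy"])
        twin = next((r for r in refs
                     if r.size == live.size and r.created == live.created), None)
        if twin:
            f.reasons.append(f"same size and creation time as {twin.path} "
                             "but a different hash (rewritten in place)")
        if refs and live.modified > max(r.modified for r in refs):
            f.reasons.append(f"modified {live.modified:%Y-%m-%d %H:%M}, "
                             "later than every component-store copy")
        f.suggested_source = newest_ref.path if newest_ref else None
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(parse_frst_search(SAMPLE_SEARCH_LOG)):
        print(f"SUSPECT: {f.path}")
        for reason in f.reasons:
            print(f"  - {reason}")
        if f.suggested_source:
            print(f"  known-good candidate: {f.suggested_source}")
```

On the thread's data the script singles out C:\Windows\System32\services.exe on all three counts and names the 6.0.6002.18005 store copy as the candidate source, which is the copy the Fixlog later in the thread shows being restored.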

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • Gender:Male
  • Location:California
  • Local time:10:17 AM

Posted 25 July 2012 - 10:25 AM

Greetings uncle_pat11,

Thank you for providing that important piece of information. One of the Windows files is in fact compromised and part of the source of your difficulties.

Please perform the following for me, if you would.


===================================================


Farbar's Recovery Scan Tool - Run Fix

--------------------

  • From a clean computer, press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the code box below into the open Notepad and save it on the flash drive as fixlist.txt

    C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}
    C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf}
    C:\Windows\assembly\GAC\Desktop.ini
    File: C:\Windows\System32\Drivers\mtaxfhqz.sys
    File: C:\Windows\System32\Drivers\ngqhrcyy.sys
    Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe C:\Windows\System32\services.exe
    
  • NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait; the program will automatically load fixlist.txt.
  • The tool will create a log on the flash drive (Fixlog.txt); please post it in your reply.
  • Please attempt to boot your computer into Normal Mode

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Fixlog.txt
  • How is your computer running now?

Edited by Oh My, 25 July 2012 - 12:12 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:17 PM

Posted 26 July 2012 - 02:10 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-26 20:01:15 Run:1
Running from G:\

==============================================

C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf} moved successfully.
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

========================= File: C:\Windows\System32\Drivers\mtaxfhqz.sys ========================

MD5: DD0A8B0AA7791691FF597334708D9E8F
Creation and modification date: 2012-07-21 11:34 - 2012-07-21 11:34
Size: 0043480
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: BootTimeRemoval
Original Name: BTR.sys
Product Name: Microsoft Malware Protection
Description: Boot Time Removal Tool
File Version: 1.1.0019.0
Product Version: 1.1.0019.0
Copyright: © Microsoft Corporation. All rights reserved.

====== End Of File: ======

========================= File: C:\Windows\System32\Drivers\ngqhrcyy.sys ========================

MD5: DD0A8B0AA7791691FF597334708D9E8F
Creation and modification date: 2012-07-17 11:23 - 2012-07-17 11:23
Size: 0043480
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: BootTimeRemoval
Original Name: BTR.sys
Product Name: Microsoft Malware Protection
Description: Boot Time Removal Tool
File Version: 1.1.0019.0
Product Version: 1.1.0019.0
Copyright: © Microsoft Corporation. All rights reserved.

====== End Of File: ======
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

The computer has booted up fine and seems to be running ok, other than being a little slow (although that might just be because I've got used to my work computer over the last few days).

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • Gender:Male
  • Location:California
  • Local time:10:17 AM

Posted 27 July 2012 - 07:59 AM

Greetings uncle_pat11,

Excellent results.

Let's take another picture of your computer. Please run the following for me.


===================================================


DDS by sUBs

--------------------

  • Please download DDS by sUBs from one of the following links. Save it to your desktop.

    * DDS.scr
    * DDS.pif

  • Double-click on the DDS icon
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Two Notepad documents will open - DDS.txt and Attach.txt. Please copy and paste the results in your reply
  • Close the program window, and delete the program from your desktop
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • DDS.txt
  • Attach.txt
  • Have you noticed any issues in the past day?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:17 PM

Posted 27 July 2012 - 10:39 AM

Hi,

Thanks for the advice so far. The problem started up when MSE was scanning. Would it be advisable to remove MSE and download a new A/V? If so, should I do that now or wait until we've cleaned things up a bit more?

Thanks

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • Gender:Male
  • Location:California
  • Local time:10:17 AM

Posted 27 July 2012 - 11:09 AM

Greetings uncle_pat11,

The choice of which antivirus software to use is a personal one. 2 other good (free) ones are Avast and Avira. However, remaining protected goes beyond just installing an antivirus program and I will be providing additional information to you when we have finished cleaning your computer. Let's wait on any potential change of programs until after we have determined your computer is clean.

We are off to a good start. Once I am able to review the DDS and Attach logs we will have a better idea where we stand now and what other steps we might need to take.

Edited by Oh My, 27 July 2012 - 04:30 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:17 PM

Posted 28 July 2012 - 04:46 AM

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Carl at 10:39:27 on 2012-07-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.830 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer, optimized for Bing and MSN
mDefault_Page_URL = hxxp://www.google.co.uk
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
{7febefe3-6b19-4349-98d2-ffb09d4b49ca}
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\carl\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Desktop SMS] c:\program files\idm\desktop sms\DesktopSMS.exe /auto
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [Skytel] Skytel.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DFA1451B-B972-43D9-AD3B-226FD4F23BD4} : DhcpNameServer = 192.168.1.254
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\carl\appdata\roaming\mozilla\firefox\profiles\ab3t2f3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://g.live.com/1rewlive4startup/home
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\carl\appdata\roaming\mozilla\firefox\profiles\ab3t2f3r.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\carl\appdata\roaming\mozilla\firefox\profiles\ab3t2f3r.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-24 21504]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-9-19 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-9-19 252416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-19 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-19 136176]
S3 INQ1usbser;INQ1 USB Device for Legacy Serial Communication;c:\windows\system32\drivers\INQ1usbser.sys [2009-6-30 103680]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-4-2 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-1-23 7680]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-28 09:34:11 -------- d-----w- c:\users\carl\appdata\local\{EAEF3608-5140-4420-B3D9-6319031A278F}
2012-07-28 09:33:50 -------- d-----w- c:\users\carl\appdata\local\{D6B5424E-905A-40A1-94CC-2925C8F13C6F}
2012-07-26 19:05:08 -------- d-----w- c:\users\carl\appdata\local\{FA34C687-BB71-4841-9E07-A294038675C4}
2012-07-26 19:04:44 -------- d-----w- c:\users\carl\appdata\local\{4DBD712D-AFDB-4850-A4A8-EB9A120F7528}
2012-07-22 04:47:25 -------- d-----w- C:\FRST
2012-07-17 19:23:19 43480 ----a-w- c:\windows\system32\drivers\ngqhrcyy.sys
2012-07-17 18:51:58 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{511c0351-27a0-46b5-9af3-9b3dc25c406c}\offreg.dll
2012-07-17 18:51:10 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{284e0ef3-48e0-4dbd-914c-f4269b5519fb}\gapaengine.dll
2012-07-17 18:50:35 6891424 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{511c0351-27a0-46b5-9af3-9b3dc25c406c}\mpengine.dll
2012-07-17 18:46:21 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-17 18:38:56 -------- d-----w- c:\users\carl\appdata\local\{9D33168B-8B8E-4347-B99E-2D03B48A8A86}
2012-07-17 18:38:43 -------- d-----w- c:\users\carl\appdata\local\{0DFC07B1-01D5-4730-9D6D-EA85B4728315}
2012-07-16 14:32:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-16 14:24:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-16 10:19:11 -------- d-----w- c:\users\carl\appdata\local\{F62E6F07-8FE9-46CC-85EB-F0210D597860}
2012-07-16 10:18:59 -------- d-----w- c:\users\carl\appdata\local\{9209432B-D501-4D2D-B46A-D06BBB3B7489}
2012-07-15 13:57:19 -------- d-----w- c:\users\carl\appdata\local\{A9A585BA-A490-4D70-AA19-3F3002373EA8}
2012-07-15 13:57:06 -------- d-----w- c:\users\carl\appdata\local\{042E927D-B5A8-460E-A5DE-5FC038527845}
2012-07-12 09:41:17 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 09:33:30 -------- d-----w- c:\users\carl\appdata\local\{91F49144-4CE4-4B77-825B-31C7CC6F7D5A}
2012-07-12 09:33:18 -------- d-----w- c:\users\carl\appdata\local\{8E8F5DA4-D1C2-444B-82A7-23F425C11272}
2012-07-11 18:44:21 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 18:44:18 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 18:44:17 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 18:41:52 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 18:41:52 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 18:41:51 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 18:32:40 -------- d-----w- c:\users\carl\appdata\local\{293B3522-35EB-4FEE-8C88-AF2F121171CE}
2012-07-11 18:32:29 -------- d-----w- c:\users\carl\appdata\local\{6065AB75-2A2B-4E25-99B6-12E648AEE76A}
2012-07-10 18:42:09 -------- d-----w- c:\users\carl\appdata\local\{F7943C69-12AA-474D-9D32-C90FA003EC1C}
2012-07-10 18:41:44 -------- d-----w- c:\users\carl\appdata\local\{B9717675-473A-4D09-A791-BC9ABD0C8620}
2012-07-09 17:58:25 -------- d-----w- c:\users\carl\appdata\local\{78F36842-B8A2-4548-9C79-C23EE3AB8ED2}
2012-07-09 17:58:09 -------- d-----w- c:\users\carl\appdata\local\{6BABDE05-1539-43FE-B2AA-773CE4F01E1F}
2012-07-08 12:33:57 -------- d-----w- c:\users\carl\appdata\local\{7E299426-46C3-4DD8-A209-637F8128DB3C}
2012-07-08 12:33:45 -------- d-----w- c:\users\carl\appdata\local\{D2BA34FE-0581-4EBA-9C37-1F86F55AFB4A}
2012-07-08 12:11:48 -------- d-----w- c:\users\carl\appdata\local\{8933F13C-025F-418E-85D6-A6E5A52B60A2}
2012-07-07 11:25:57 -------- d-----w- c:\users\carl\appdata\local\{6C4490B3-6978-406E-A7E2-42CC3E6CCCFA}
2012-07-07 11:25:44 -------- d-----w- c:\users\carl\appdata\local\{7FFE923A-5D44-4954-BF3C-BB12A4D2EF10}
2012-07-06 21:44:02 -------- d-----w- c:\users\carl\appdata\local\{F4ABE983-D4E8-4623-9942-2101B054DD0B}
2012-07-06 21:43:50 -------- d-----w- c:\users\carl\appdata\local\{82F57C80-CBCF-4C53-9552-EA4C4F98E13F}
2012-07-05 20:52:40 -------- d-----w- c:\users\carl\appdata\local\{8B2BAB62-6F3E-47B6-A6AB-39E257323F8F}
2012-07-05 20:52:28 -------- d-----w- c:\users\carl\appdata\local\{AA2676D1-7358-4968-BD4E-7EC482C25713}
2012-07-04 18:07:12 -------- d-----w- c:\users\carl\appdata\local\{49432018-5F83-4683-81FC-1FA90C8861DF}
2012-07-04 18:07:00 -------- d-----w- c:\users\carl\appdata\local\{A467E110-3D83-4605-979F-995298D1F65B}
2012-07-03 17:44:26 -------- d-----w- c:\users\carl\appdata\local\{C83419F4-EC7B-4A2E-9562-9EF077F3817C}
2012-07-03 17:44:14 -------- d-----w- c:\users\carl\appdata\local\{609F8FC8-F8B8-4606-8297-687D107EE84E}
2012-07-02 19:32:01 -------- d-----w- c:\users\carl\appdata\local\{827C4BB6-6C11-4496-961D-7CC617859EBC}
2012-07-02 19:31:50 -------- d-----w- c:\users\carl\appdata\local\{6DC002AD-E2BD-42BC-B39F-F2F2F5D0B9DA}
2012-07-01 13:59:06 -------- d-----w- c:\users\carl\appdata\local\{939D407C-9537-4B74-8B92-D206592EDCB8}
2012-07-01 13:58:54 -------- d-----w- c:\users\carl\appdata\local\{B0E49167-7751-41B6-8087-CED3D550FCCB}
2012-06-29 18:37:56 -------- d-----w- c:\users\carl\appdata\local\{3916FBD6-1346-4063-8C52-4C6264631ADA}
2012-06-29 18:37:44 -------- d-----w- c:\users\carl\appdata\local\{9160F464-FAFF-44EF-AA43-EEEE35464DC4}
2012-06-28 17:20:40 -------- d-----w- c:\users\carl\appdata\local\{C55E072B-0658-4A88-A9F4-636BEE20DC9B}
2012-06-28 17:20:28 -------- d-----w- c:\users\carl\appdata\local\{0CDF7169-595F-498B-B37F-5089236CDD57}
.
==================== Find3M ====================
.
2012-07-16 14:24:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 10:42:58.10 ===============

#12 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:17 PM

Posted 28 July 2012 - 04:50 AM

DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 27/12/2007 15:06:30
System Uptime: 28/07/2012 10:30:31 (0 hours ago)
.
Motherboard: Intel Corporation | | SANTA ROSA CRB
Processor: Intel® Pentium® Dual CPU T2310 @ 1.46GHz | U2E1 | 1067/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 56 GiB total, 15.213 GiB free.
E: is FIXED (NTFS) - 55 GiB total, 31.095 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Adobe Shockwave Player
Apple Application Support
Apple Software Update
CD/DVD Drive Acoustic Silencer
D3DX10
Desktop SMS
DVD MovieFactory for TOSHIBA
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
GearDrvs
Google Chrome
Google Update Helper
GoToAssist Corporate
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Graphics Media Accelerator Driver
Java Auto Updater
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 31
Junk Mail filter update
Marvell Miniport Driver
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.6)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
QuickTime
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Segoe UI
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
TOSHIBA Manuals
Toshiba Online Product Information
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Encoder 9 Series
World of Warcraft
.
==== Event Viewer Messages From Past Week ========
.
28/07/2012 10:32:11, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
28/07/2012 10:32:11, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
28/07/2012 10:32:11, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
28/07/2012 10:32:11, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
26/07/2012 20:16:32, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.70.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
26/07/2012 20:02:20, Error: EventLog [6008] - The previous system shutdown at 20:33:44 on 21/07/2012 was unexpected.
21/07/2012 20:34:41, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.R&threatid=2147657890 Name: Virus:Win32/Sirefef.R ID: 2147657890 Severity: Severe Category: Virus Path: file:_C:\Windows\System32\services.exe;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:34:41, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AH&threatid=2147655284 Name: Trojan:Win32/Sirefef.AH ID: 2147655284 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Windows\System32\services.exe->731;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:32:59, Error: EventLog [6008] - The previous system shutdown at 20:30:09 on 21/07/2012 was unexpected.
21/07/2012 20:30:52, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.R&threatid=2147657890 Name: Virus:Win32/Sirefef.R ID: 2147657890 Severity: Severe Category: Virus Path: file:_C:\Windows\System32\services.exe;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:30:52, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AH&threatid=2147655284 Name: Trojan:Win32/Sirefef.AH ID: 2147655284 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Windows\System32\services.exe->731;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:29:38, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
21/07/2012 20:29:26, Error: EventLog [6008] - The previous system shutdown at 20:26:52 on 21/07/2012 was unexpected.
21/07/2012 20:27:21, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.R&threatid=2147657890 Name: Virus:Win32/Sirefef.R ID: 2147657890 Severity: Severe Category: Virus Path: file:_C:\Windows\System32\services.exe;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:27:21, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AH&threatid=2147655284 Name: Trojan:Win32/Sirefef.AH ID: 2147655284 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Windows\System32\services.exe->731;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:26:02, Error: EventLog [6008] - The previous system shutdown at 20:23:02 on 21/07/2012 was unexpected.
21/07/2012 20:23:55, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.R&threatid=2147657890 Name: Virus:Win32/Sirefef.R ID: 2147657890 Severity: Severe Category: Virus Path: file:_C:\Windows\System32\services.exe;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:23:55, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AH&threatid=2147655284 Name: Trojan:Win32/Sirefef.AH ID: 2147655284 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Windows\System32\services.exe->731;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.131.70.0, AS: 1.131.70.0, NIS: 11.159.0.0 Engine Version: AM: 1.1.8601.0, NIS: 2.0.8001.0
21/07/2012 20:22:18, Error: EventLog [6008] - The previous system shutdown at 19:24:26 on 19/07/2012 was unexpected.
.
==== End Of File ===========================

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:17 AM

Posted 28 July 2012 - 09:33 AM

Greetings uncle_pat11,

There are still some remnants of the ZeroAccess infection that we need to deal with. Please perform the following for me, if you would.


===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • How is your computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
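The "Event Viewer Messages" section of the DDS log in post #12 is what the reply above is reading: Microsoft Antimalware (event 1119) repeatedly detects Sirefef inside services.exe, every Clean or Quarantine fails with error 0x800704ec ("blocked by group policy"), and the attempts are interleaved with unexpected-shutdown records (EventLog 6008), which is the restart loop the topic starter described. The parser below is an added example, not part of the thread or of DDS itself; it pulls those fields out of DDS event lines and flags the pattern, using sample lines condensed from the log above.

```python
"""Parse the 'Event Viewer Messages' section of a DDS log and flag the
pattern seen in this thread: Microsoft Antimalware (event 1119) failing to
remediate a detection inside a core system process with 0x800704ec,
interleaved with unexpected shutdowns (EventLog 6008)."""
import re
from collections import Counter
from typing import Dict, List

# Sample input, condensed from the DDS output posted earlier in the thread
# (the long boilerplate inside each message was shortened; field layout is kept).
SAMPLE_DDS_EVENTS = r"""
28/07/2012 10:32:11, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
26/07/2012 20:02:20, Error: EventLog [6008] - The previous system shutdown at 20:33:44 on 21/07/2012 was unexpected.
21/07/2012 20:34:41, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. Name: Virus:Win32/Sirefef.R ID: 2147657890 Severity: Severe Category: Virus Path: file:_C:\Windows\System32\services.exe;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Clean Action Status: See the support article. Error Code: 0x800704ec Error description: This program is blocked by group policy. Signature Version: AV: 1.131.70.0
21/07/2012 20:34:41, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. Name: Trojan:Win32/Sirefef.AH ID: 2147655284 Severity: Severe Category: Trojan Path: containerfile:_C:\Windows\System32\services.exe;file:_C:\Windows\System32\services.exe->731;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x800704ec Error description: This program is blocked by group policy. Signature Version: AV: 1.131.70.0
21/07/2012 20:32:59, Error: EventLog [6008] - The previous system shutdown at 20:30:09 on 21/07/2012 was unexpected.
21/07/2012 20:30:52, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. Name: Virus:Win32/Sirefef.R ID: 2147657890 Severity: Severe Category: Virus Path: file:_C:\Windows\System32\services.exe;process:_pid:640 Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\system32\services.exe Action: Clean Action Status: See the support article. Error Code: 0x800704ec Error description: This program is blocked by group policy. Signature Version: AV: 1.131.70.0
21/07/2012 20:29:26, Error: EventLog [6008] - The previous system shutdown at 20:26:52 on 21/07/2012 was unexpected.
"""

# "dd/mm/yyyy hh:mm:ss, Level: Source [EventID] - message"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Field extractors for the body of a Microsoft Antimalware 1119 message.
# " Name: ... ID: <n>" is anchored on the ID so it cannot match "Process Name:".
MSE_FIELDS = {
    "threat": re.compile(r" Name: (\S+) ID: \d+"),
    "path": re.compile(r" Path: (.+?) Detection Origin:"),
    "process": re.compile(r" Process Name: (.+?) Action: "),
    "action": re.compile(r" Action: (\w+) Action Status:"),
    "error_code": re.compile(r" Error Code: (0x[0-9A-Fa-f]+)"),
}

# HRESULT for Win32 error 1260, ERROR_ACCESS_DISABLED_BY_POLICY.
BLOCKED_BY_POLICY = "0x800704ec"
# Core processes where a failed clean-up matters most for the boot cycle.
SYSTEM_PROCESSES = ("services.exe", "svchost.exe", "winlogon.exe", "lsass.exe")


def parse_dds_events(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised event line; 1119 lines get the MSE fields."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not an event record
        ev = m.groupdict()
        if ev["source"] == "Microsoft Antimalware" and ev["event_id"] == "1119":
            for key, rx in MSE_FIELDS.items():
                fm = rx.search(ev["message"])
                ev[key] = fm.group(1) if fm else ""
        events.append(ev)
    return events


def assess(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise failed remediations and unexpected shutdowns in the events."""
    blocked = [
        e for e in events
        if e.get("error_code", "").lower() == BLOCKED_BY_POLICY
        and e.get("action") in ("Clean", "Quarantine", "Remove")
    ]
    targets = sorted({
        name for e in blocked for name in SYSTEM_PROCESSES if name in e["path"].lower()
    })
    shutdowns = sum(1 for e in events if e["source"] == "EventLog" and e["event_id"] == "6008")
    return {
        "blocked_remediations": len(blocked),
        "system_process_targets": targets,
        "threats": dict(Counter(e["threat"] for e in blocked)),
        "unexpected_shutdowns": shutdowns,
        # Repeated blocked clean-ups of a core process plus repeated unexpected
        # shutdowns is the signature of the reboot loop described in this thread.
        "restart_loop_suspected": len(targets) > 0 and len(blocked) >= 2 and shutdowns >= 2,
    }


if __name__ == "__main__":
    for key, value in assess(parse_dds_events(SAMPLE_DDS_EVENTS)).items():
        print(f"{key}: {value}")
```

Feed it the whole "Event Viewer Messages" block of a DDS log; lines from other sources (Service Control Manager, ResourcePublication) are parsed but only affect the summary through the 1119 and 6008 counts.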

#14 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:17 PM

Posted 28 July 2012 - 11:22 AM

ComboFix 12-07-27.03 - Carl 28/07/2012 16:59:06.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1072 [GMT 1:00]
Running from: c:\users\Carl\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1529.tmp
c:\users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE26.tmp
c:\users\Carl\AppData\Local\Temp\ppcrlui_3996_2
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))
.
.
2012-07-28 09:53 . 2012-07-16 01:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1CF20248-2731-4C87-94CC-CB3835E77B9C}\mpengine.dll
2012-07-22 04:47 . 2012-07-22 04:47 -------- d-----w- C:\FRST
2012-07-17 19:23 . 2012-07-17 19:23 43480 ----a-w- c:\windows\system32\drivers\ngqhrcyy.sys
2012-07-17 18:51 . 2012-02-09 13:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{284E0EF3-48E0-4DBD-914C-F4269B5519FB}\gapaengine.dll
2012-07-17 18:50 . 2012-07-16 01:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-17 18:46 . 2012-07-17 18:46 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-16 14:32 . 2012-07-16 14:32 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-16 14:24 . 2012-07-16 14:24 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 09:41 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 18:44 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 18:44 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 18:44 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 18:41 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 18:41 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 18:41 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-16 14:24 . 2011-05-13 20:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-25 19:15 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-25 19:15 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-25 19:14 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-25 19:14 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-25 19:15 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-25 19:15 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-25 19:14 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-25 19:14 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:12 . 2012-06-25 19:14 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-01 14:03 . 2012-06-14 18:02 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 138008]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 1507328]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-04-03 509496]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-3-13 303104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-23 21:40 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-19 12:54]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-19 12:54]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-689935181-2168444996-169989891-1000Core.job
- c:\users\Carl\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-07 20:54]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-689935181-2168444996-169989891-1000UA.job
- c:\users\Carl\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-07 20:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Carl\AppData\Roaming\Mozilla\Firefox\Profiles\ab3t2f3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://g.live.com/1rewlive4startup/home
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3512)
c:\program files\IDM\Desktop SMS\oehook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\Windows Mail\WinMail.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
.
**************************************************************************
.
Completion time: 2012-07-28 17:20:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-28 16:17
.
Pre-Run: 15,985,135,616 bytes free
Post-Run: 16,704,454,656 bytes free
.
- - End Of File - - D2D8686C0228FE479593E7AF5C38EAB4

#15 uncle_pat11

uncle_pat11
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:17 PM

Posted 28 July 2012 - 11:24 AM

Hi,
Thanks again for your help. The computer seems to be running ok, no noticeable issues.



