
Sirefef, .R, and .AC - caught in startup loop, Windows Vista 32


This topic is locked
6 replies to this topic

#1 Bugaroo

  • Members
  • 7 posts

Posted 22 July 2012 - 12:21 PM

What a fantastic resource! Our old Dell is infected, Security Essentials lists Sirefef, sirefef.R, and sirefef.AC before the computer restarts itself with the "Critical Error!" etc.

The contents from the log file from running Farbar Recovery Scan Tool are below. Hopefully this is enough to get started? Any help at all that you can give me is much appreciated. Thank you in advance!

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 22-07-2012 13:10:48
Running from G:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe [17920 2007-05-24] ( )
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2005-02-16] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [185896 2006-09-28] (Nuance Communications, Inc.)
HKLM\...\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [75304 2006-10-11] (ScanSoft, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKLM\...\Run: [Essential Fax Print Controller] "C:\Program Files\EssentialFax\essfaxcontrol.exe" [94208 2009-01-12] ()
HKLM\...\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-11-11] (Logitech Inc.)
HKLM\...\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [326144 2009-10-23] (Amazon.com)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-02-26] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2009-02-26] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2009-02-26] (Intel Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2638152 2011-06-30] (Seagate)
HKLM\...\Run: [Seagate Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [395152 2011-06-30] (Seagate)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\Default\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\Default User\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\SarahT\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\SarahT\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
HKU\SarahT\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\SarahT\...\Run: [Google Update] "C:\Users\SarahT\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2009-11-02] (Google Inc.)
HKU\SarahT\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\SarahT\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)
HKU\SarahT\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17344176 2012-06-05] (Skype Technologies S.A.)
HKU\UpdatusUser\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\UpdatusUser\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
Startup: C:\Users\SarahT\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 AERTFilters; C:\Windows\System32\AERTSrv.exe [77824 2007-12-05] (Andrea Electronics Corporation)
3 Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [401920 2009-10-23] (Amazon.com)
3 DSBrokerService; "C:\Program Files\DellSupport\brkrsvc.exe" [70656 2007-03-19] ()
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
2 gupdate1c98fdb9b2368ba; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-02-15] (Google Inc.)
3 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [121360 2008-05-01] (Logitech, Inc.)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [113120 2012-07-18] (Mozilla Foundation)
2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2348352 2012-02-29] (NVIDIA Corporation)
2 SgtSch2Svc; "C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe" [845808 2011-06-30] (Seagate)
2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-05] (Skype Technologies)
2 Stereo Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [382272 2012-02-29] (NVIDIA Corporation)
2 Stuffit Archive Name Service; "C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe" [157000 2007-10-08] (Smith Micro Software, Inc.)
2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-17] (Logitech Inc.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [x]

========================== Drivers (Whitelisted) =============

3 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()
2 elagopro; C:\Windows\System32\DRIVERS\elagopro.sys [28672 2007-03-22] (Gteko Ltd.)
2 elaunidr; C:\Windows\System32\DRIVERS\elaunidr.sys [5376 2007-03-22] (Gteko Ltd.)
3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [28944 2008-02-29] (Logitech, Inc.)
3 LVPr2Mon; C:\Windows\System32\Drivers\LVPr2Mon.sys [25824 2010-05-07] ()
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 pepifilter; C:\Windows\System32\DRIVERS\lv302af.sys [13976 2009-04-30] (Logitech Inc.)
3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2687512 2009-04-30] (Logitech Inc.)
0 timounter; C:\Windows\System32\DRIVERS\timntr.sys [601408 2012-06-28] (Acronis)
0 vididr; C:\Windows\System32\DRIVERS\vididr.sys [125472 2012-06-28] (Acronis)
0 vidsflt53; C:\Windows\System32\DRIVERS\vsflt53.sys [83392 2012-06-28] (Acronis)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
0 pwhsugq; C:\Windows\System32\drivers\mbji.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-22 13:10 - 2012-07-22 13:10 - 00000000 ____D C:\FRST
2012-07-21 12:20 - 2012-07-21 12:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-21 12:15 - 2012-07-21 12:15 - 10288512 ____A (Microsoft Corporation) C:\Users\SarahT\Downloads\mseinstall (1).exe
2012-07-21 12:06 - 2012-07-21 12:07 - 05154304 ____A C:\Users\SarahT\Downloads\WindowsDefender (1).msi
2012-07-21 09:23 - 2012-07-21 09:24 - 00000000 ____D C:\Program Files\Microsoft Security Client(1)
2012-07-20 12:54 - 2012-07-20 12:54 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\SarahT\Downloads\tdsskiller.exe
2012-07-15 15:36 - 2012-07-15 15:36 - 00883616 ____A (Bleeping Computer, LLC) C:\Users\SarahT\Downloads\FixExec.com
2012-07-15 15:02 - 2012-07-15 15:02 - 00000121 ____A C:\Users\SarahT\AppData\Roaming\mbam.context.scan
2012-07-15 14:54 - 2012-07-15 14:54 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-15 14:46 - 2012-07-15 15:02 - 00000000 ____D C:\Users\All Users\036DFF98030516F319D56AA82F3B707C
2012-07-15 14:46 - 2012-07-15 14:46 - 00000000 ____D C:\Users\SarahT\AppData\Local\{E09A8F02-CECE-11E1-8270-B8AC6F996F26}
2012-06-28 14:45 - 2012-06-28 14:45 - 00000000 ____D C:\Users\SarahT\AppData\Roaming\Seagate
2012-06-28 14:41 - 2012-06-28 14:41 - 00000000 ____D C:\Users\All Users\Seagate
2012-06-28 14:40 - 2012-06-28 14:40 - 00601408 ____A (Acronis) C:\Windows\System32\Drivers\timntr.sys
2012-06-28 14:40 - 2012-06-28 14:40 - 00001018 ____A C:\Users\Public\Desktop\Seagate DiscWizard.lnk
2012-06-28 14:39 - 2012-06-28 14:39 - 00169088 ____A (Acronis) C:\Windows\System32\Drivers\snapman.sys
2012-06-28 14:39 - 2012-06-28 14:39 - 00125472 ____A (Acronis) C:\Windows\System32\Drivers\vididr.sys
2012-06-28 14:39 - 2012-06-28 14:39 - 00083392 ____A (Acronis) C:\Windows\System32\Drivers\vsflt53.sys
2012-06-28 14:39 - 2012-06-28 14:39 - 00000000 ____D C:\Program Files\Common Files\Acronis
2012-06-28 14:38 - 2012-06-28 14:38 - 00000000 ____D C:\Program Files\Seagate
2012-06-28 14:38 - 2012-06-28 14:38 - 00000000 ____D C:\Program Files\Common Files\Seagate
2012-06-26 04:03 - 2012-06-26 04:03 - 00000000 ____D C:\Users\SarahT\AppData\Local\Macromedia

============ 3 Months Modified Files ========================

2012-07-22 09:07 - 2009-07-01 04:11 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-22 09:07 - 2006-11-02 05:01 - 00032596 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-22 09:07 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-22 09:07 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-22 09:07 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-22 05:20 - 2009-06-05 03:51 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-21 17:34 - 2009-07-01 04:11 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-21 15:33 - 2006-11-02 02:22 - 55128064 ____A C:\Windows\System32\config\software_previous
2012-07-21 15:33 - 2006-11-02 02:22 - 27787264 ____A C:\Windows\System32\config\system_previous
2012-07-21 15:27 - 2006-11-02 02:22 - 37748736 ____A C:\Windows\System32\config\components_previous
2012-07-21 15:27 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-07-21 12:22 - 2007-10-15 07:58 - 01855435 ____A C:\Windows\WindowsUpdate.log
2012-07-21 12:21 - 2011-01-27 14:22 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-21 12:21 - 2006-11-02 02:33 - 00721122 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-21 12:15 - 2012-07-21 12:15 - 10288512 ____A (Microsoft Corporation) C:\Users\SarahT\Downloads\mseinstall (1).exe
2012-07-21 12:09 - 2008-01-17 04:08 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-07-21 12:07 - 2012-07-21 12:06 - 05154304 ____A C:\Users\SarahT\Downloads\WindowsDefender (1).msi
2012-07-21 11:57 - 2010-01-07 11:45 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3816995528-2130414897-4040662352-1000UA.job
2012-07-21 11:23 - 2006-11-02 02:22 - 00524288 ____A C:\Windows\System32\config\default_previous
2012-07-21 11:23 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-07-20 18:24 - 2010-01-07 11:45 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3816995528-2130414897-4040662352-1000Core.job
2012-07-20 12:54 - 2012-07-20 12:54 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\SarahT\Downloads\tdsskiller.exe
2012-07-20 12:06 - 2009-03-24 13:50 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
2012-07-20 05:02 - 2012-04-04 16:11 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-07-19 16:46 - 2012-04-30 03:16 - 00010260 ____A C:\Windows\PFRO.log
2012-07-19 10:14 - 2010-10-05 14:33 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-07-15 15:37 - 2008-12-14 10:04 - 00000680 ____A C:\Users\SarahT\AppData\Local\d3d9caps.dat
2012-07-15 15:36 - 2012-07-15 15:36 - 00883616 ____A (Bleeping Computer, LLC) C:\Users\SarahT\Downloads\FixExec.com
2012-07-15 15:02 - 2012-07-15 15:02 - 00000121 ____A C:\Users\SarahT\AppData\Roaming\mbam.context.scan
2012-06-30 06:24 - 2012-04-04 16:11 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-06-29 17:44 - 2012-04-23 12:52 - 00002641 ____A C:\Windows\setupact.log
2012-06-28 17:25 - 2007-10-20 11:08 - 00200192 ____A C:\Users\SarahT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-28 14:40 - 2012-06-28 14:40 - 00601408 ____A (Acronis) C:\Windows\System32\Drivers\timntr.sys
2012-06-28 14:40 - 2012-06-28 14:40 - 00001018 ____A C:\Users\Public\Desktop\Seagate DiscWizard.lnk
2012-06-28 14:39 - 2012-06-28 14:39 - 00169088 ____A (Acronis) C:\Windows\System32\Drivers\snapman.sys
2012-06-28 14:39 - 2012-06-28 14:39 - 00125472 ____A (Acronis) C:\Windows\System32\Drivers\vididr.sys
2012-06-28 14:39 - 2012-06-28 14:39 - 00083392 ____A (Acronis) C:\Windows\System32\Drivers\vsflt53.sys
2012-06-26 03:38 - 2012-04-07 12:21 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-26 03:38 - 2011-06-17 03:18 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-23 06:01 - 2010-10-02 11:21 - 00087813 ____A C:\Windows\System32\lvcoinst.log
2012-06-17 16:38 - 2012-06-17 16:32 - 151266368 ____A (Seagate) C:\Users\SarahT\Downloads\DiscWizardSetup.en.exe
2012-06-15 03:41 - 2006-11-02 04:47 - 00374176 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 14:15 - 2006-11-02 02:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-02 14:19 - 2012-06-19 03:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-19 03:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-19 03:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-19 03:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-19 03:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-19 03:19 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-19 03:19 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-19 03:18 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-19 03:18 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-21 16:27 - 2012-05-21 16:26 - 11223270 ____A C:\Users\SarahT\Downloads\om_en.zip
2012-05-21 15:30 - 2007-10-21 06:33 - 00000076 ____A C:\Windows\QUICKEN.INI
2012-05-20 16:43 - 2007-11-06 16:01 - 00000256 ____A C:\Windows\setup.iss
2012-05-20 16:36 - 2012-05-20 16:36 - 00085860 ____A C:\Users\SarahT\Documents\cc_20120520_203630.reg
2012-05-17 15:11 - 2012-06-14 14:06 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-14 14:06 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-14 14:06 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-14 14:06 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-14 14:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-14 14:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-14 14:06 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-14 14:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-14 14:06 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-14 14:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-14 14:06 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-14 14:06 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-14 14:06 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-14 14:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 11:51 - 2012-06-14 14:03 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-13 13:16 - 2012-05-13 13:14 - 00004342 ____A C:\Windows\LDPINST.LOG
2012-05-01 06:03 - 2012-06-14 14:04 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


ZeroAccess:
C:\Windows\Installer\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}
C:\Windows\Installer\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\@
C:\Windows\Installer\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\L
C:\Windows\Installer\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\U
C:\Windows\Installer\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\U\00000001.@

ZeroAccess:
C:\Users\SarahT\AppData\Local\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}
C:\Users\SarahT\AppData\Local\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\@
C:\Users\SarahT\AppData\Local\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\L
C:\Users\SarahT\AppData\Local\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 2045.56 MB
Available physical RAM: 1638.6 MB
Total Pagefile: 1977.45 MB
Available Pagefile: 1721.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:900.1 GB) (Free:760.27 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (OS) (Fixed) (Total:288.04 GB) (Free:5.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (RECOVERY) (Fixed) (Total:10 GB) (Free:2.52 GB) NTFS
5 Drive g: () (Removable) (Total:0.96 GB) (Free:0.96 GB) FAT
6 Drive x: (RECOVERY) (Fixed) (Total:31.25 GB) (Free:25.24 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 437 KB
Disk 1 Online 932 GB 993 KB
Disk 2 Online 984 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 55 MB 32 KB
Partition 2 Primary 10 GB 55 MB
Partition 3 Primary 288 GB 10 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 FAT Partition 55 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E RECOVERY NTFS Partition 10 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D OS NTFS Partition 288 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 165 MB 1024 KB
Partition 2 Primary 31 GB 166 MB
Partition 3 Primary 900 GB 31 GB

==================================================================================

Disk: 1
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 FAT Partition 165 MB Healthy Hidden

==================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 X RECOVERY NTFS Partition 31 GB Healthy Boot

==================================================================================

Disk: 1
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C OS NTFS Partition 900 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 983 MB 760 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 G FAT Removable 983 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-21 12:25

======================= End Of Log ==========================

#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 July 2012 - 06:24 PM

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad).
Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
Save it on the flashdrive as fixlist.txt

start
0 pwhsugq; C:\Windows\System32\drivers\mbji.sys [x]
2012-07-15 14:46 - 2012-07-15 15:02 - 00000000 ____D C:\Users\All Users\036DFF98030516F319D56AA82F3B707C
2012-07-15 14:46 - 2012-07-15 14:46 - 00000000 ____D C:\Users\SarahT\AppData\Local\{E09A8F02-CECE-11E1-8270-B8AC6F996F26}
C:\Windows\Installer\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}
C:\Users\SarahT\AppData\Local\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

  • Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.
  • While you are still booted into System Recovery Options, run FRST.

    Type the following in the edit box after "Search:" so it looks like this:

    Search: services.exe

    Click the Search button and post the log it makes to your reply.
  • Reboot normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
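
The fixlist in the post above was assembled by hand from three kinds of indicator in the FRST log: a boot-start driver whose file FRST could not find, the directories FRST labelled "ZeroAccess:", and the services.exe entry that failed the MD5 check. The script below is an added example, written for this thread, not FRST's own code and not something the helper posted. It pulls those indicators out of a log and prints a fixlist in the same start/end shape. The function names are mine, and three things are assumptions rather than documented FRST behaviour: that a trailing "[x]" means the file was not found, that a "ZeroAccess:" block lists the infected directory first and ends at a blank line, and that a healthy file in the "Bamital & volsnap Check" section ends with "=> MD5 is legit". The sample log embedded in the script is constructed from lines in post #1.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; not FRST's code and not the helper's script.
Assumptions (not stated by FRST documentation on this page):
  * a trailing "[x]" on a service/driver line means FRST did not find the file;
  * a "ZeroAccess:" header is followed by the infected directory, then its
    children, and the block ends at a blank line;
  * in "Bamital & volsnap Check" a healthy file ends with "=> MD5 is legit".
"""
import re

# Constructed sample in the shape of the FRST log in post #1 (paths, names and
# the services.exe hash are the ones shown in this thread).
SAMPLE_LOG = """\
========================== Drivers (Whitelisted) =============

0 MpFilter; C:\\Windows\\System32\\DRIVERS\\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 IpInIp; C:\\Windows\\System32\\DRIVERS\\ipinip.sys [x]
0 pwhsugq; C:\\Windows\\System32\\drivers\\mbji.sys [x]

ZeroAccess:
C:\\Windows\\Installer\\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}
C:\\Windows\\Installer\\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\\@
C:\\Windows\\Installer\\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d}\\U

========================= Bamital & volsnap Check ============

C:\\Windows\\explorer.exe => MD5 is legit
C:\\Windows\\System32\\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# "<start type> <name>; <path> [x]"  -- start type 0 is a boot-start driver
MISSING_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<path>.+) \[x\]$")
FILE_RE = re.compile(r"^(.+?\.(?:exe|dll|sys))\b", re.IGNORECASE)


def split_sections(text):
    """Map each '==== Title ====' header to the lines beneath it."""
    sections = {"": []}
    current = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def missing_boot_drivers(text):
    """Heuristic (assumption): a boot-start (type 0) driver whose file is
    missing deserves review. Returns the full log lines so they can be
    pasted into a fixlist unchanged, as the helper did in post #2."""
    return [line for line in text.splitlines()
            if (m := MISSING_RE.match(line)) and m.group("start") == "0"]


def zeroaccess_roots(text):
    """Return the first path after each 'ZeroAccess:' header (the root
    directory; the lines that follow are its children)."""
    roots, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if lines[i].strip() == "ZeroAccess:":
            i += 1
            if i < len(lines) and lines[i].strip():
                roots.append(lines[i].strip())
            while i < len(lines) and lines[i].strip():  # skip to end of block
                i += 1
        i += 1
    return roots


def failed_integrity_checks(sections):
    """Files in 'Bamital & volsnap Check' that are not '=> MD5 is legit'.
    These need a clean copy restored rather than a fixlist entry (in this
    thread ComboFix restored services.exe from the winsxs store)."""
    bad = []
    for line in sections.get("Bamital & volsnap Check", []):
        if line.strip() and not line.rstrip().endswith("=> MD5 is legit"):
            m = FILE_RE.match(line)
            bad.append(m.group(1) if m else line.strip())
    return bad


def build_fixlist(text):
    """Emit a fixlist in the start/end form used in post #2."""
    entries = missing_boot_drivers(text) + zeroaccess_roots(text)
    return "\n".join(["start", *entries, "end"]) + "\n"


def triage(text):
    """Fixlist plus the list of files that need a clean copy restored."""
    return {"fixlist": build_fixlist(text),
            "restore_clean_copy": failed_integrity_checks(split_sections(text))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["fixlist"])
    print("restore from a known-good copy:", result["restore_clean_copy"])
```

Run it as-is to see the fixlist for the embedded sample, or feed it a real FRST.txt by reading the file into `triage`. The output is a starting point for review, not something to run blind: the helper's notice that a fixlist is written for one specific machine applies just as much to a generated one.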


#3 Bugaroo

  • Topic Starter
  • Members
  • 7 posts

Posted 22 July 2012 - 09:15 PM

Thank you for your help!

I hope I didn't mess up - I missed the "run Fix" the first time through the instructions and just did the search - then ran the fix and then reran the search.

Results of fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-22 21:31:17 Run:1
Running from G:\

==============================================

pwhsugq service deleted successfully.
C:\Users\All Users\036DFF98030516F319D56AA82F3B707C moved successfully.
C:\Users\SarahT\AppData\Local\{E09A8F02-CECE-11E1-8270-B8AC6F996F26} moved successfully.
C:\Windows\Installer\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d} moved successfully.
C:\Users\SarahT\AppData\Local\{5e1e789d-502f-3ee0-68d6-c56f063b8d8d} moved successfully.

==== End of Fixlog ====


Results of Search.txt:

Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-22 21:31:31
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-06-05 03:51] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-06-12 12:45] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2009-06-05 03:51] - [2012-07-22 05:20] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===

Upon rebooting normally, I received the same "Critical Error" message. I was able to disable Microsoft Security Essentials, but was not able to completely run ComboFix.exe before the computer rebooted. I tried to run it again once the computer rebooted, and received the same "Critical Error". Also, the Microsoft Essentials seems to continue to detect threats despite following the instructions and turning off realtime protection. Turning off realtime protection seemed to make the Critical Error reports stop, but ComboFix still detected it scanning. In the end, I uninstalled it altogether before running ComboFix.

Combofix log file results:

ComboFix 12-07-21.01 - SarahT 07/22/2012 21:53:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1159 [GMT -4:00]
Running from: c:\users\SarahT\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\SarahT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\SarahT\g2mdlhlpx.exe
c:\windows\system32\SETA4EC.tmp
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))
.
.
2012-07-23 02:02 . 2012-07-23 02:05 -------- d-----w- c:\users\SarahT\AppData\Local\temp
2012-07-23 02:02 . 2012-07-23 02:02 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-23 02:02 . 2012-07-23 02:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-22 21:10 . 2012-07-22 21:10 -------- d-----w- C:\FRST
2012-07-21 17:23 . 2012-07-21 17:24 -------- d-----w- c:\program files\Microsoft Security Client(1)
2012-07-15 22:54 . 2012-07-15 22:54 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-28 22:45 . 2012-06-28 22:45 -------- d-----w- c:\users\SarahT\AppData\Roaming\Seagate
2012-06-28 22:41 . 2012-06-28 22:41 -------- d-----w- c:\programdata\Seagate
2012-06-28 22:40 . 2012-06-28 22:40 601408 ----a-w- c:\windows\system32\drivers\timntr.sys
2012-06-28 22:39 . 2012-06-28 22:39 125472 ----a-w- c:\windows\system32\drivers\vididr.sys
2012-06-28 22:39 . 2012-06-28 22:39 83392 ----a-w- c:\windows\system32\drivers\vsflt53.sys
2012-06-28 22:39 . 2012-06-28 22:39 169088 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-06-28 22:39 . 2012-06-28 22:39 -------- d-----w- c:\program files\Common Files\Acronis
2012-06-28 22:38 . 2012-06-28 22:38 -------- d-----w- c:\program files\Seagate
2012-06-28 22:38 . 2012-06-28 22:38 -------- d-----w- c:\program files\Common Files\Seagate
2012-06-26 12:03 . 2012-06-26 12:03 -------- d-----w- c:\users\SarahT\AppData\Local\Macromedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-26 11:38 . 2012-04-07 20:21 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-26 11:38 . 2011-06-17 11:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-19 11:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 11:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 11:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 11:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 11:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-19 11:19 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-19 11:19 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-19 11:18 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-19 11:18 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-17 22:45 . 2012-06-14 22:06 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35 . 2012-06-14 22:06 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35 . 2012-06-14 22:06 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29 . 2012-06-14 22:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24 . 2012-06-14 22:06 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-15 19:51 . 2012-06-14 22:03 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-05-01 14:03 . 2012-06-14 22:04 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-18 18:16 . 2012-05-21 23:12 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-05 17344176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Essential Fax Print Controller"="c:\program files\EssentialFax\essfaxcontrol.exe" [2009-01-12 94208]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2011-06-30 2638152]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2011-06-30 395152]
.
c:\users\SarahT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-15 50688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-2 805392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-20 17:15]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 02:09]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-16 02:09]
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3816995528-2130414897-4040662352-1000Core.job
- c:\users\SarahT\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-07 22:16]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3816995528-2130414897-4040662352-1000UA.job
- c:\users\SarahT\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-07 22:16]
.
2012-07-20 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-02-07 23:02]
.
2012-06-30 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-02-07 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.seventhgen.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.seventhgen.com%2fowa%2f
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071015
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\SarahT\AppData\Roaming\Mozilla\Firefox\Profiles\b5hbgrmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-22 22:04
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3672)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Smith Micro\StuffIt11\ArcNameService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\RtHDVCpl.exe
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\system32\WUDFHost.exe
.
**************************************************************************
.
Completion time: 2012-07-22 22:11:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-23 02:10
.
Pre-Run: 816,198,234,112 bytes free
Post-Run: 816,386,248,704 bytes free
.
- - End Of File - - EEC835F70A612268CD02B820384E519E

The only problem is, I am not able to reinstall Microsoft Security Essentials: "illegal operation" on a registry key that is marked for deletion.

How am I doing?

Thank you!
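The FRST search result and the ComboFix entry in this post show the pattern a defender looks for with a Sirefef-style services.exe infection on Vista: the live copy under System32 keeps the byte size of the servicing copy in WinSxS but carries a different MD5 and a fresh modification time, and ComboFix repairs it by restoring the WinSxS copy. The script below is an added example, not part of the thread and not FRST or ComboFix code. It parses FRST-style file-search output (a constructed sample with placeholder MD5s and invented WinSxS folder names) and flags any live system binary whose hash matches none of its WinSxS copies, noting whether the size is unchanged.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout FRST uses for a file search (placeholder MD5s and
# invented WinSxS folder names; this is not the thread's own output). Each file is a
# path line followed by "[created] - [modified] - size attrs (company) MD5".
SAMPLE_SEARCH = r"""
C:\Windows\winsxs\x86_example-servicecontroller_6.0.6002.18005\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF

C:\Windows\System32\services.exe
[2009-06-05 03:51] - [2012-07-22 05:20] - 0279552 ____A (Microsoft Corporation) FEDCBA9876543210FEDCBA9876543210

C:\Windows\winsxs\x86_example-userinit_6.0.6002.18005\userinit.exe
[2009-04-11 06:28] - [2009-04-11 06:28] - 0024576 ____A (Microsoft Corporation) 00112233445566778899AABBCCDDEEFF

C:\Windows\System32\userinit.exe
[2009-04-11 06:28] - [2009-04-11 06:28] - 0024576 ____A (Microsoft Corporation) 00112233445566778899AABBCCDDEEFF

=== End Of Search ===
"""

ATTR_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_winsxs(self) -> bool:
        # WinSxS holds the servicing copies ComboFix restored from on the thread's machine.
        return "\\winsxs\\" in self.path.lower()


def parse_search(text: str) -> list:
    """Turn FRST search output into FileEntry objects (a path line, then its attributes)."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("==="):
            continue
        m = ATTR_RE.match(line)
        if m is None:
            pending = line  # remember the path; its attribute line comes next
        elif pending is not None:
            entries.append(FileEntry(pending, m["created"], m["modified"],
                                     int(m["size"]), m["company"].strip(), m["md5"].upper()))
            pending = None
    return entries


def find_mismatches(entries: list) -> list:
    """Live copies whose MD5 matches none of the WinSxS copies of the same file name."""
    reference = defaultdict(set)
    for e in entries:
        if e.in_winsxs:
            reference[e.name].add(e.md5)
    return [e for e in entries
            if not e.in_winsxs and e.name in reference and e.md5 not in reference[e.name]]


def describe(entries: list) -> list:
    """Readable findings; same size with a different hash is the in-place patch pattern."""
    sizes = defaultdict(set)
    for e in entries:
        if e.in_winsxs:
            sizes[e.name].add(e.size)
    lines = []
    for e in find_mismatches(entries):
        size_note = ("same size as WinSxS copy" if e.size in sizes[e.name]
                     else "size differs from WinSxS copy")
        lines.append(f"{e.path}: MD5 {e.md5} not found in WinSxS ({size_note}; modified {e.modified})")
    return lines


if __name__ == "__main__":
    for finding in describe(parse_search(SAMPLE_SEARCH)):
        print(finding)
```

Run it against a real FRST search for `services.exe` (or any other system binary) by pasting the search block into `SAMPLE_SEARCH`; the WinSxS copies serve as the local reference set, so a live file that matches none of them is the one to investigate, and an unchanged size tells you it was patched in place rather than replaced.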

#4 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 22 July 2012 - 09:24 PM

You are doing great. Reboot the computer and that message will go away; then you should be able to re-install MSE.

Then please run the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


Please download MiniToolBox, save it to your desktop and run it.

Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.
Click Go and post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Bugaroo

  • Topic Starter
  • Members
  • 7 posts

Posted 23 July 2012 - 06:43 AM

Malwarebytes Anti-malware log
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.22.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
SarahT :: REDHEADS [administrator]

Protection: Enabled

7/22/2012 10:35:26 PM
mbam-log-2012-07-22 (22-35-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224476
Time elapsed: 13 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET results
C:\FRST\Quarantine\{E09A8F02-CECE-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win32/Sirefef.FB.Gen trojan
C:\Users\SarahT\Downloads\registrybooster.exe Win32/RegistryBooster application
F:\Users\SarahT\Downloads\registrybooster.exe Win32/RegistryBooster application

MiniToolBox results
MiniToolBox by Farbar Version: 22-07-2012
Ran by SarahT (administrator) on 23-07-2012 at 07:40:55
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) (Version: 8.1.2)
Adobe AIR (Version: 2.0.3.13070)
Adobe Anchor Service CS3 (Version: 1.0)
Adobe Asset Services CS3 (Version: 3)
Adobe Bridge CS3 (Version: 2)
Adobe Bridge Start Meeting (Version: 1.0)
Adobe Camera Raw 4.0 (Version: 4.0)
Adobe CMaps (Version: 1.0)
Adobe Default Language CS3 (Version: 1.0)
Adobe Device Central CS3 (Version: 1.0)
Adobe Dreamweaver CS3 (Version: 9)
Adobe Dreamweaver CS3 (Version: 9.0)
Adobe ExtendScript Toolkit 2 (Version: 2.0.2)
Adobe Extension Manager CS3 (Version: 1.8)
Adobe Fireworks CS3 (Version: 9.0)
Adobe Flash Player 10 ActiveX (Version: 10.1.85.3)
Adobe Flash Player 11 Plugin (Version: 11.3.300.262)
Adobe Help Viewer CS3 (Version: 1)
Adobe PDF Library Files (Version: 8.0)
Adobe Reader 8.1.2 (Version: 8.1.2)
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Setup (Version: 1.0)
Adobe Shockwave Player 11.5 (Version: 11.5)
Adobe Type Support (Version: 1.0)
Adobe Update Manager CS3 (Version: 5.1.0)
Adobe Version Cue CS3 Client (Version: 3)
Adobe XMP Panels CS3 (Version: 1.0)
Amazon Games & Software Downloader (Version: 2.0.2.0)
Amazon MP3 Downloader 1.0.10
AnswerWorks 4.0 Runtime - English (Version: 4.0.101)
AnswerWorks 5.0 English Runtime (Version: 5.0.7)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
ArcSoft Camera Suite
ArcSoft PhotoStudio 5.5
Bonjour (Version: 3.0.0.10)
Browser Address Error Redirector (Version: 1.00.0000)
CameraHelperMsi (Version: 13.31.1038.0)
Canon CanoScan 4400F User Registration
Canon CanoScan Toolbox 5.0
CDDRV_Installer (Version: 4.60)
Conexant D850 PCI V.92 Modem
Data Lifeguard Diagnostic for Windows 1.24
Dell DataSafe Online (Version: 1.0.15)
Dell Support Center (Version: 3.1.5907.23)
Dell System Customization Wizard (Version: 1.00.0000)
DellSupport (Version: 6.0.3075)
Digital Line Detect (Version: 1.21)
Drivers Install For Linksys Easylink Advisor (Version: 2.0.9)
erLT (Version: 1.20.138.34)
ESET Online Scanner v3
EssentialFax (Version: 4.0)
FileZilla Client 3.0.11.1 (Version: 3.0.11.1)
Games, Music, & Photos Launcher (Version: 1.00.0000)
Google Chrome (Version: 20.0.1132.57)
Google Talk (remove only)
Google Talk Plugin (Version: 3.2.4.8431)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Update Helper (Version: 1.3.21.115)
Google Updater (Version: 2.4.2432.1652)
Google Video Uploader
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections 12.1.11.0 (Version: )
iTunes (Version: 10.6.1.7)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
Java™ SE Runtime Environment 6 (Version: 1.6.0.0)
KhalInstallWrapper (Version: 4.60.122)
Linksys EasyLink Advisor 1.6 (0032)
Logitech SetPoint (Version: 4.60)
Logitech Webcam Software (Version: 2.30)
Logitech Webcam Software Driver Package (Version: 12.10.1110)
LWS Facebook (Version: 13.31.1038.0)
LWS Gallery (Version: 13.31.1038.0)
LWS Help_main (Version: 13.31.1044.0)
LWS Launcher (Version: 13.31.1038.0)
LWS Motion Detection (Version: 13.30.1395.0)
LWS Pictures And Video (Version: 13.31.1038.0)
LWS Twitter (Version: 13.30.1346.0)
LWS Video Mask Maker (Version: 13.30.1379.0)
LWS VideoEffects (Version: 13.30.1379.0)
LWS Webcam Software (Version: 13.31.1038.0)
LWS WLM Plugin (Version: 1.30.1201.0)
LWS YouTube Plugin (Version: 13.31.1038.0)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Security Client (Version: 4.0.1526.0)
Microsoft Security Essentials (Version: 4.0.1526.0)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Works (Version: 08.05.0818)
Modem Diagnostic Tool (Version: 1.0.17.8)
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Netflix Movie Viewer (Version: 1.2.211)
NetWaiting (Version: 2.5.44)
NVIDIA 3D Vision Controller Driver 296.10 (Version: 296.10)
NVIDIA 3D Vision Driver 296.10 (Version: 296.10)
NVIDIA Control Panel 296.10 (Version: 296.10)
NVIDIA Graphics Driver 296.10 (Version: 296.10)
NVIDIA Install Application (Version: 2.1002.62.312)
NVIDIA PhysX (Version: 9.12.0213)
NVIDIA PhysX System Software 9.12.0213 (Version: 9.12.0213)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.12.9610)
NVIDIA Update 1.7.11 (Version: 1.7.11)
NVIDIA Update Components (Version: 1.7.11)
Octoshape add-in for Adobe Flash Player
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Picasa 3 (Version: 3.8)
Product Documentation Launcher (Version: 1.00.0000)
QuickTime (Version: 7.71.80.42)
Realtek High Definition Audio Driver
Rhapsody Player Engine (Version: 1.1.0)
Roxio Creator Audio (Version: 3.3.0)
Roxio Creator BDAV Plugin (Version: 3.3.0)
Roxio Creator Copy (Version: 3.3.0)
Roxio Creator Data (Version: 3.3.0)
Roxio Creator DE (Version: 3.3.0)
Roxio Creator Tools (Version: 3.3.0)
Roxio Express Labeler (Version: 2.1.0)
Roxio MyDVD DE (Version: 9.0.116)
Roxio Update Manager (Version: 3.0.0)
ScanSoft OmniPage SE 4.0 (Version: 15.00.0020)
Seagate DiscWizard (Version: 13.0.14387)
Skype™ 5.9 (Version: 5.9.123)
Sonic Activation Module (Version: 1.0)
StuffIt 11 (Version: 11.2.0)
System Requirements Lab for Intel (Version: 4.4.24.0)
TBS WMP Plug-in (Version: 1.00.676)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
User's Guides
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
WinZip 12.0 (Version: 12.0.8252)

**** End of log ****
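The MiniToolBox items CatByte asked for (DNS flush, IE and Firefox proxy settings, hosts content) are requested because a browser redirector usually changes one of those to steer traffic, and the clean Result.txt above is what a helper wants to see: no IE proxy, `network.proxy.type` 0, and a hosts file holding only localhost. The script below is an added example, not part of the thread and not MiniToolBox code. It splits a MiniToolBox-style Result.txt into its sections and flags an enabled IE proxy, a manual or PAC Firefox proxy, and hosts entries that redirect or block names other than localhost. Both Result.txt samples are constructed, and the wording MiniToolBox prints for an enabled IE proxy is an assumption.

```python
import re

# Constructed MiniToolBox-style Result.txt samples (not the thread's own output). The
# clean one mirrors the section layout posted in the thread; the second is deliberately
# hijacked to exercise every check. The exact wording MiniToolBox prints for an
# enabled IE proxy is assumed here.
CLEAN_RESULT = """
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 localhost

=========================== Installed Programs ============================

Example Program (Version: 1.0)
"""

HIJACKED_RESULT = """
========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: 127.0.0.1:8118

========================= FF Proxy Settings: ==============================

"network.proxy.type", 1
"network.proxy.http", "127.0.0.1"
========================= Hosts content: =================================

127.0.0.1 localhost
198.51.100.23 www.example-bank.test
127.0.0.1 update.example-av.test   # blocks a vendor's update host
"""

SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=]+?):?\s*=+$")
FF_TYPE_RE = re.compile(r'^"network\.proxy\.type",\s*(\d+)')
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def split_sections(text: str) -> dict:
    """Map each '=== Title: ===' header to the non-empty lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m["title"]
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def proxy_findings(sections: dict) -> list:
    """Flag IE and Firefox proxy settings that route browsing through something else."""
    findings = []
    for line in sections.get("IE Proxy Settings", []):
        low = line.lower()
        if low.startswith("proxy is enabled") or low.startswith("proxyserver"):
            findings.append(("high", "IE proxy configured: " + line))
    for line in sections.get("FF Proxy Settings", []):
        m = FF_TYPE_RE.match(line)
        if not m:
            continue
        ptype = int(m[1])
        # Firefox: 0 = no proxy, 1 = manual, 2 = PAC script, 4 = auto-detect (WPAD), 5 = system.
        if ptype in (1, 2):
            findings.append(("high", f"Firefox proxy type {ptype} (manual/PAC): {line}"))
        elif ptype == 4:
            findings.append(("review", f"Firefox proxy auto-detect enabled: {line}"))
    return findings


def hosts_findings(lines: list) -> list:
    """Flag hosts entries other than localhost: non-loopback = redirect, loopback = block."""
    findings = []
    for line in lines:
        body = line.split("#", 1)[0].strip()  # drop comments
        if not body:
            continue
        addr, *names = body.split()
        for name in names:
            if name.lower() == "localhost":
                continue
            if addr in LOOPBACK:
                findings.append(("review", f"{name} is blocked via {addr}"))
            else:
                findings.append(("high", f"{name} is redirected to {addr}"))
    return findings


def analyze(result_text: str) -> list:
    """All (severity, message) findings for one Result.txt."""
    sections = split_sections(result_text)
    return proxy_findings(sections) + hosts_findings(sections.get("Hosts content", []))


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_RESULT), ("hijacked", HIJACKED_RESULT)):
        print(label, analyze(text) or "no findings")
```

Loopback mappings of names other than localhost are reported as "review" rather than "high" because ad-blocking hosts files produce the same shape legitimately; a loopback mapping of a security vendor's update host is the case worth a closer look.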

#6 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 23 July 2012 - 10:11 AM

The items found by ESET are either in quarantine already, or are alerting on the type of program (Registry Booster) that is not considered malware; but it isn't recommended to use programs that do anything to the registry, as it's really not necessary.

Please do the following:

Your Java is out of date, so go to Start > Control Panel > Programs and Features, scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 29 July 2012 - 04:36 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




