Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

sirefef.y on Windows 7


  • This topic is locked This topic is locked
50 replies to this topic

#1 orcldude

orcldude

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 18 October 2012 - 11:40 PM

I am helping my daughter with her Lenovo x61 Thinkpad with Windows 7. She updated MSE on Sept 23, 2012 and began a scan. The scan reported that she was infected with sirefef.y in the win32 file, but was unable to clean and ever since then it has been stuck with a 60 second countdown which reports that Microsoft has encountered a critical error and shutdown the system.

In reading through the forums I see other threads where you have helped clean this nasty thing from their systems. I thank you in advance for your help.

I have downloaded FRST and have
* Run FRST in scan mode
* Run FRST with a search for services.exe

I have attached both of these files.

Thanks again, orcldude

Attached Files


Edited by Orange Blossom, 19 October 2012 - 12:50 AM.
Moved to log forum. ~ OB


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 19 October 2012 - 05:57 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{7f27a36c-374c-4a4f-9430-13a340f641a9}
C:\Users\Sarah Sanders\AppData\Local\{7f27a36c-374c-4a4f-9430-13a340f641a9}
C:\Windows\assembly\GAC\Desktop.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo[/b]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 orcldude

orcldude
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 21 October 2012 - 01:04 AM

Gringo_pr

Many Thanks for your help.

I would love to learn how you do what you do... I greatly apprecaite your assistance.

Here is the log from the run..

-------------------------------------------------------------------


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-10-2012
Ran by SYSTEM at 2012-10-20 21:01:02 Run:1
Running from E:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\Installer\{7f27a36c-374c-4a4f-9430-13a340f641a9} moved successfully.
C:\Users\Sarah Sanders\AppData\Local\{7f27a36c-374c-4a4f-9430-13a340f641a9} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

==== E

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 21 October 2012 - 01:14 AM

Hello

any of these schools will teach you for free - http://www.uniteagainstmalware.com/schools.php


These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.


-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 orcldude

orcldude
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 21 October 2012 - 11:35 PM

Many Thanks,

You are doing a great service for us all.

Orcldude

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 21 October 2012 - 11:52 PM

please send me the new reports so we can be sure it has been removed


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 orcldude

orcldude
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 22 October 2012 - 11:11 AM

Hello

Here are the reports

adw cleaner
===========================================================
# AdwCleaner v1.404 - Logfile created 10/21/2012 at 23:37:18
# Updated 04/01/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Sarah Sanders - SARAHSTABLET (Administrator)
# Running from : C:\Users\Sarah Sanders\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Many Thanks,


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\Sarah Sanders\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Sarah Sanders\AppData\Local\Babylon
Folder Deleted : C:\Users\Sarah Sanders\AppData\Local\TempDir
Folder Deleted : C:\Users\Sarah Sanders\AppData\Roaming\Mozilla\Firefox\Profiles\tms0yb6a.default\extensions\ffxtlbr@babylon.com
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml

***** [Registry] *****

Key Deleted : HKCU\Software\Ask.com.tmp
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\SoftwareUpdate.exe
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Key Deleted : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8856F961-340A-11D0-A96B-00C04FD705A2}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v4.0.1 (en-US)

Profile : tms0yb6a.default
File : C:\Users\Sarah Sanders\AppData\Roaming\Mozilla\Firefox\Profiles\tms0yb6a.default\prefs.js

C:\Users\Sarah Sanders\AppData\Roaming\Mozilla\Firefox\Profiles\tms0yb6a.default\user.js ... Deleted !

Deleted : user_pref("browser.startup.homepage", "hxxp://search.babylon.com/?affID=109935&babsrc=HP_ss&mntrId=b[...]
Deleted : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=109935&babsrc=KW_ss&mntrId=b470ec7f000000[...]
Deleted : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Deleted : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");

*************************

AdwCleaner[R1].txt - [2594 octets] - [21/10/2012 23:37:06]
AdwCleaner[S1].txt - [2675 octets] - [21/10/2012 23:37:18]

*************************

Temporary folder : : 15 folder(s) and 20 file(s) deleted

########## EOF - C:\AdwCleaner[S1].txt - [2893 octets] ##########


Report for RKreport

================================================================================================
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Sarah Sanders [Admin rights]
Mode : Remove -- Date : 10/21/2012 23:44:33

Bad processes : 0

Registry Entries : 4
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Sarah Sanders\AppData\Local\{7f27a36c-374c-4a4f-9430-13a340f641a9}\n.) -> REPLACED (C:\Windows\system32\shell32.dll)

Particular Files / Folders:

Driver : [LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts



MBR Check:

+++++ PhysicalDrive0: WDC WD5000BPKT-75PK4T0 +++++
--- User ---
[MBR] 9e4471fc8f42d09f803bf6e134560cc2
[BSP] 94173584899b28ad75d7ae0e035249c8 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: HP Photosmart 2575x USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 22 October 2012 - 12:41 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 orcldude

orcldude
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 24 October 2012 - 10:38 AM

Hello again,

The computer is running great.

Thanks for your assistance! Soooo appreciated.

--------------------------------------------------

ComboFix 12-10-23.01 - Sarah Sanders 10/23/2012 20:53:57.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2006.1067 [GMT -7:00]
Running from: c:\users\Sarah Sanders\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\Roaming
c:\programdata\SEC5C52.tmp
c:\programdata\SECB95F.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-09-24 to 2012-10-24 )))))))))))))))))))))))))))))))
.
.
2012-10-24 04:05 . 2012-10-24 04:05 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3876449C-1787-4432-B799-B3589C5BF3D0}\MpKslf03532f4.sys
2012-10-24 03:39 . 2012-10-24 04:04 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3876449C-1787-4432-B799-B3589C5BF3D0}\offreg.dll
2012-10-21 04:59 . 2012-08-21 20:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-21 04:58 . 2012-10-21 04:58 -------- d-----w- c:\program files\iPod
2012-10-21 04:58 . 2012-10-21 04:59 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-21 04:58 . 2012-10-21 04:59 -------- d-----w- c:\program files\iTunes
2012-10-21 04:36 . 2012-10-21 04:36 -------- d-----w- c:\windows\Sun
2012-10-21 04:36 . 2012-10-21 04:36 -------- d-----w- c:\program files\Common Files\Java
2012-10-21 04:13 . 2012-10-12 05:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3876449C-1787-4432-B799-B3589C5BF3D0}\mpengine.dll
2012-10-19 05:03 . 2012-10-19 05:03 -------- d-----w- C:\FRST
2012-10-19 03:21 . 2012-10-19 03:22 -------- d-----w- c:\users\Save ME!
2012-10-02 19:17 . 2012-10-02 19:17 5171904 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-21 05:13 . 2012-04-05 02:25 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-21 05:13 . 2011-05-15 07:33 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 22:32 . 2012-08-31 15:31 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 22:32 . 2011-05-15 08:25 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-19 07:59 . 2012-09-24 00:37 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-21 20:01 . 2011-05-15 08:29 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-12 23:42 . 2010-05-12 23:42 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-13 00:22 . 2010-05-13 00:22 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 23:43 . 2010-05-12 23:43 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 23:42 . 2010-05-12 23:42 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 23:42 . 2010-05-12 23:42 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 23:41 . 2010-05-12 23:41 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 23:42 . 2010-05-12 23:42 31160 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 23:42 . 2010-05-12 23:42 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 20:55 . 2010-04-14 20:55 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 23:43 . 2010-05-12 23:43 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-04-14 16:26 . 2011-05-15 08:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2009-11-24 93032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-07 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-07 150552]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2011-04-19 1258856]
"TpShocks"="TpShocks.exe" [2010-07-02 337256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-19 1314816]
"LENTBCTL"="c:\program files\ThinkPad\Tablet Shortcut\LENTBCTL.EXE" [2011-03-22 1242472]
"TSMResident"="c:\program files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" [2011-03-30 484856]
"TabletButton"="c:\program files\ThinkPad\Tablet Shortcut\TabletButton.EXE" [2010-10-28 468328]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-13 300472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\Sarah Sanders\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Stickies.lnk - c:\program files\Stickies\stickies.exe [2011-5-22 1122304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2010-12-08 20:16 100176 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S1 MpKsl6dc4302a;MpKsl6dc4302a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3876449C-1787-4432-B799-B3589C5BF3D0}\MpKsl6dc4302a.sys [x]
S1 MpKslf03532f4;MpKslf03532f4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3876449C-1787-4432-B799-B3589C5BF3D0}\MpKslf03532f4.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 ASRSVC;ASR Service;c:\program files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IBUpdaterService;Updater Service;c:\programdata\IBUpdaterService\ibsvc.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 TabletSVC;TABLET Service;c:\program files\ThinkPad\Tablet Shortcut\TSMService.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S3 NETwLv32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [x]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [x]
S3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\DRIVERS\wisdpen.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLF03532F4
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 05:13]
.
2012-10-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:54]
.
2012-10-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:54]
.
2012-10-24 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Sarah Sanders\AppData\Roaming\Mozilla\Firefox\Profiles\tms0yb6a.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(588)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
- - - - - - - > 'Explorer.exe'(1528)
c:\program files\ThinkPad\Utilities\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\WUDFHost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\windows\system32\taskhost.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\LENOVO\HOTKEY\tposdsvc.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\conhost.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Microsoft Security Client\MpCmdRun.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-10-23 21:10:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-24 04:10
.
Pre-Run: 308,150,824,960 bytes free
Post-Run: 308,119,732,224 bytes free
.
- - End Of File - - 7B78958DD0B8E6BA52259CA7C465A1DF

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 24 October 2012 - 11:12 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 orcldude

orcldude
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 26 October 2012 - 12:04 PM

Thanks again!!..

Here's the report from tdsskiller:

C:\Program Files\Windows Defender\mpsvc.dll
22:51:59.0736 4732 WinDefend - ok
22:51:59.0736 4732 WinHttpAutoProxySvc - ok
22:51:59.0798 4732 [ F62E510B6AD4C21EB9FE8668ED251826 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
22:51:59.0798 4732 Winmgmt - ok
22:51:59.0845 4732 [ 1B91CD34EA3A90AB6A4EF0550174F4CC ] WinRM C:\Windows\system32\WsmSvc.dll
22:51:59.0907 4732 WinRM - ok
22:51:59.0970 4732 [ A67E5F9A400F3BD1BE3D80613B45F708 ] WinUsb C:\Windows\system32\DRIVERS\WinUSB.sys
22:51:59.0970 4732 WinUsb - ok
22:51:59.0985 4732 [ FF17B6A01A9FEB2A8D322BF369D36C96 ] wisdpen C:\Windows\system32\DRIVERS\wisdpen.sys
22:51:59.0985 4732 wisdpen - ok
22:52:00.0032 4732 [ 16935C98FF639D185086A3529B1F2067 ] Wlansvc C:\Windows\System32\wlansvc.dll
22:52:00.0048 4732 Wlansvc - ok
22:52:00.0157 4732 [ FB01D4AE207B9EFDBABFC55DC95C7E31 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
22:52:00.0204 4732 wlidsvc - ok
22:52:00.0251 4732 [ 0217679B8FCA58714C3BF2726D2CA84E ] WmiAcpi C:\Windows\system32\drivers\wmiacpi.sys
22:52:00.0251 4732 WmiAcpi - ok
22:52:00.0266 4732 [ 6EB6B66517B048D87DC1856DDF1F4C3F ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
22:52:00.0266 4732 wmiApSrv - ok
22:52:00.0313 4732 [ 3B40D3A61AA8C21B88AE57C58AB3122E ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
22:52:00.0344 4732 WMPNetworkSvc - ok
22:52:00.0360 4732 [ A2F0EC770A92F2B3F9DE6D518E11409C ] WPCSvc C:\Windows\System32\wpcsvc.dll
22:52:00.0360 4732 WPCSvc - ok
22:52:00.0391 4732 [ AA53356D60AF47EACC85BC617A4F3F66 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
22:52:00.0391 4732 WPDBusEnum - ok
22:52:00.0407 4732 [ 6DB3276587B853BF886B69528FDB048C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
22:52:00.0407 4732 ws2ifsl - ok
22:52:00.0438 4732 [ 6F5D49EFE0E7164E03AE773A3FE25340 ] wscsvc C:\Windows\system32\wscsvc.dll
22:52:00.0438 4732 wscsvc - ok
22:52:00.0453 4732 WSearch - ok
22:52:00.0547 4732 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
22:52:00.0594 4732 wuauserv - ok
22:52:00.0609 4732 [ E714A1C0354636837E20CCBF00888EE7 ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
22:52:00.0609 4732 WudfPf - ok
22:52:00.0641 4732 [ 1023EE888C9B47178C5293ED5336AB69 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
22:52:00.0641 4732 WUDFRd - ok
22:52:00.0672 4732 [ 8D1E1E529A2C9E9B6A85B55A345F7629 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
22:52:00.0672 4732 wudfsvc - ok
22:52:00.0719 4732 [ FF2D745B560F7C71B31F30F4D49F73D2 ] WwanSvc C:\Windows\System32\wwansvc.dll
22:52:00.0719 4732 WwanSvc - ok
22:52:00.0765 4732 [ 88AF537264F2B818DA15479CEEAF5D7C ] XAudio C:\Windows\system32\DRIVERS\xaudio.sys
22:52:00.0765 4732 XAudio - ok
22:52:00.0797 4732 [ 15A317674A08DF26BE65164D959E9203 ] XAudioService C:\Windows\system32\DRIVERS\xaudio.exe
22:52:00.0797 4732 XAudioService - ok
22:52:00.0843 4732 ================ Scan global ===============================
22:52:00.0875 4732 [ DAB748AE0439955ED2FA22357533DDDB ] C:\Windows\system32\basesrv.dll
22:52:00.0906 4732 [ 48CB4FDBCAAEAC7BCE2F5941545FF071 ] C:\Windows\system32\winsrv.dll
22:52:00.0953 4732 [ 48CB4FDBCAAEAC7BCE2F5941545FF071 ] C:\Windows\system32\winsrv.dll
22:52:00.0984 4732 [ 364455805E64882844EE9ACB72522830 ] C:\Windows\system32\sxssrv.dll
22:52:01.0031 4732 [ 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 ] C:\Windows\system32\services.exe
22:52:01.0031 4732 [Global] - ok
22:52:01.0031 4732 ================ Scan MBR ==================================
22:52:01.0046 4732 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
22:52:01.0311 4732 \Device\Harddisk0\DR0 - ok
22:52:01.0311 4732 ================ Scan VBR ==================================
22:52:01.0311 4732 [ E7E884E2FEBD783829682A3AC5A4F3D8 ] \Device\Harddisk0\DR0\Partition1
22:52:01.0327 4732 \Device\Harddisk0\DR0\Partition1 - ok
22:52:01.0343 4732 [ 72DEE4840C42492978509ED821D58CAE ] \Device\Harddisk0\DR0\Partition2
22:52:01.0343 4732 \Device\Harddisk0\DR0\Partition2 - ok
22:52:01.0343 4732 ============================================================
22:52:01.0343 4732 Scan finished
22:52:01.0343 4732 ============================================================
22:52:01.0358 1160 Detected object count: 0
22:52:01.0358 1160 Actual detected object count: 0


and here is the aswMBR file log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-25 22:54:35
-----------------------------
22:54:35.284 OS Version: Windows 6.1.7601 Service Pack 1
22:54:35.284 Number of processors: 2 586 0xF0B
22:54:35.300 ComputerName: SARAHSTABLET UserName:
22:54:50.413 Initialize success
22:55:10.607 AVAST engine download error: 0
22:55:20.435 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:55:20.435 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
22:55:20.450 Disk 0 MBR read successfully
22:55:20.466 Disk 0 MBR scan
22:55:20.466 Disk 0 Windows 7 default MBR code
22:55:20.497 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
22:55:20.513 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
22:55:20.513 Disk 0 scanning sectors +976771072
22:55:20.622 Disk 0 scanning C:\Windows\system32\drivers
22:55:25.801 Service scanning
22:55:32.462 Service MpKsl827c7f46 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FA19730F-D240-4A0D-B33E-95F3BBA00188}\MpKsl827c7f46.sys **LOCKED** 32
22:55:40.808 Modules scanning
22:55:48.936 Disk 0 trace - called modules:
22:55:48.967 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
22:55:49.295 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872311e0]
22:55:49.310 3 CLASSPNP.SYS[891a959e] -> nt!IofCallDriver -> [0x85b65958]
22:55:49.326 5 ACPI.sys[88a8a3d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85b7f028]
22:55:49.342 Scan finished successfully
22:56:20.777 Disk 0 MBR has been saved successfully to "C:\Users\Sarah Sanders\Desktop\MBR.dat"
22:56:20.777 The log file has been saved successfully to "C:\Users\Sarah Sanders\Desktop\aswMBR.txt"

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 26 October 2012 - 01:18 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 28 October 2012 - 11:44 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 orcldude

orcldude
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:04:07 AM

Posted 29 October 2012 - 12:12 PM

Hello,

Sorry for the delay. It was a very busy weekend...

My daughter reports that the system is running very well, however she is concerned that when MSE runs, it still picks up on sirefef in the WIN 32 file. I'm terried to hit the "quarantine" button, since that's what started this whole sad cycle to begin with. What should we do?

===============================================================
ComboFix 12-10-26.05 - Sarah Sanders 10/27/2012 19:40:54.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2006.1119 [GMT -7:00]
Running from: c:\users\Sarah Sanders\Desktop\ComboFix.exe
Command switches used :: c:\users\Sarah Sanders\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-28 )))))))))))))))))))))))))))))))
.
.
2012-10-28 02:51 . 2012-10-28 02:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-28 02:32 . 2012-10-28 02:32 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{156B055E-D93B-4ABC-9E56-C67AEFDF0435}\MpKsl5e5fa276.sys
2012-10-28 00:15 . 2012-10-12 05:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{156B055E-D93B-4ABC-9E56-C67AEFDF0435}\mpengine.dll
2012-10-26 02:54 . 2012-02-09 21:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-10-26 02:53 . 2012-10-26 02:53 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{43E68B9B-A774-4327-B925-541AF2112B50}\gapaengine.dll
2012-10-26 02:53 . 2012-10-12 05:56 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-24 04:22 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-10-24 04:22 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-10-24 04:22 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-10-24 04:22 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-10-24 04:22 . 2012-08-24 16:57 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-24 04:22 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-10-24 04:22 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-10-24 04:22 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-10-24 04:22 . 2012-09-14 18:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-24 04:20 . 2012-08-21 20:12 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-10-24 04:20 . 2012-08-31 17:18 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-10-24 04:20 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
2012-10-24 04:20 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
2012-10-24 04:20 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
2012-10-24 04:20 . 2012-08-10 23:56 542208 ----a-w- c:\windows\system32\kerberos.dll
2012-10-24 04:20 . 2012-08-30 17:12 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-24 04:20 . 2012-08-30 17:12 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-24 04:20 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-10-24 04:20 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
2012-10-24 04:19 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-10-21 04:59 . 2012-08-21 20:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-21 04:58 . 2012-10-21 04:58 -------- d-----w- c:\program files\iPod
2012-10-21 04:58 . 2012-10-21 04:59 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-10-21 04:58 . 2012-10-21 04:59 -------- d-----w- c:\program files\iTunes
2012-10-21 04:36 . 2012-10-21 04:36 -------- d-----w- c:\windows\Sun
2012-10-21 04:36 . 2012-10-21 04:36 -------- d-----w- c:\program files\Common Files\Java
2012-10-19 05:03 . 2012-10-19 05:03 -------- d-----w- C:\FRST
2012-10-19 03:21 . 2012-10-19 03:22 -------- d-----w- c:\users\Save ME!
2012-10-02 19:17 . 2012-10-02 19:17 5171904 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-21 05:13 . 2012-04-05 02:25 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-21 05:13 . 2011-05-15 07:33 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 22:32 . 2012-08-31 15:31 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 22:32 . 2011-05-15 08:25 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-31 05:03 . 2012-08-31 05:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-31 05:03 . 2012-03-21 03:44 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-21 20:01 . 2011-05-15 08:29 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2010-05-12 23:42 . 2010-05-12 23:42 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-13 00:22 . 2010-05-13 00:22 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 23:43 . 2010-05-12 23:43 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 23:42 . 2010-05-12 23:42 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 23:42 . 2010-05-12 23:42 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 23:41 . 2010-05-12 23:41 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 23:42 . 2010-05-12 23:42 31160 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 23:42 . 2010-05-12 23:42 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 20:55 . 2010-04-14 20:55 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 23:43 . 2010-05-12 23:43 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-04-14 16:26 . 2011-05-15 08:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2009-11-24 93032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-07 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-07 150552]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2011-04-19 1258856]
"TpShocks"="TpShocks.exe" [2010-07-02 337256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-19 1314816]
"LENTBCTL"="c:\program files\ThinkPad\Tablet Shortcut\LENTBCTL.EXE" [2011-03-22 1242472]
"TSMResident"="c:\program files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" [2011-03-30 484856]
"TabletButton"="c:\program files\ThinkPad\Tablet Shortcut\TabletButton.EXE" [2010-10-28 468328]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-13 300472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\Sarah Sanders\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Stickies.lnk - c:\program files\Stickies\stickies.exe [2011-5-22 1122304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2010-12-08 20:16 100176 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S1 MpKsl5e5fa276;MpKsl5e5fa276;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{156B055E-D93B-4ABC-9E56-C67AEFDF0435}\MpKsl5e5fa276.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 ASRSVC;ASR Service;c:\program files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IBUpdaterService;Updater Service;c:\programdata\IBUpdaterService\ibsvc.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 TabletSVC;TABLET Service;c:\program files\ThinkPad\Tablet Shortcut\TSMService.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S3 NETwLv32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [x]
S3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\DRIVERS\wisdpen.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL5E5FA276
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 05:13]
.
2012-10-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:54]
.
2012-10-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:54]
.
2012-10-28 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Sarah Sanders\AppData\Roaming\Mozilla\Firefox\Profiles\tms0yb6a.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(568)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
- - - - - - - > 'Explorer.exe'(7260)
c:\program files\ThinkPad\Utilities\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2012-10-27 19:55:02
ComboFix-quarantined-files.txt 2012-10-28 02:55
ComboFix2.txt 2012-10-24 04:10
.
Pre-Run: 306,079,719,424 bytes free
Post-Run: 306,180,837,376 bytes free
.
- - End Of File - - 3ACB312AC55CF272E69C3393F028E0AD

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 AM

Posted 29 October 2012 - 12:32 PM

can you give me the complete name of the file?


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users