Unable to start Windows Firewall


  • This topic is locked
18 replies to this topic

#1 albert_tf
  • Members
  • 21 posts

Posted 18 November 2012 - 03:08 PM

Hello,
On a Windows Vista Machine, I am unable to start Windows Firewall. Here is the error message:

"Due to an unidentified problem, Windows cannot display Windows Firewall settings."

Another link led me to the ComboFix page. I checked Services, but do not see Windows Firewall listed.

Thank you for any help!
Albert

#2 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 18 November 2012 - 08:53 PM

Please run the following:


Please download Farbar Service Scanner and run it
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 albert_tf
  • Topic Starter
  • Members
  • 21 posts

Posted 19 November 2012 - 07:15 PM

Thank you for the response! Here is the log file:

Farbar Service Scanner Version: 09-11-2012
Ran by gwolber (administrator) on 19-11-2012 at 16:16:07
Running from "C:\Users\gwolber.TFMUSIC\Downloads"
Windows Vista ™ Business Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-10 07:46] - [2012-06-01 16:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#4 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 19 November 2012 - 07:18 PM

Please run the following:

Please download the ESET services repair tool, extract the file to your desktop.
  • Double-click ServicesRepair.exe,
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • A log will be saved in the CCSupport folder the tool created on your desktop. Please post its content in your next reply.
 



#5 albert_tf
  • Topic Starter
  • Members
  • 21 posts

Posted 19 November 2012 - 07:29 PM

Thank you for the message. Here is the log:

Log Opened: 2012-11-19 @ 16:26:33
16:26:33 - -----------------
16:26:33 - | Begin Logging |
16:26:33 - -----------------
16:26:33 - Fix started on a WIN_VISTA X86 computer
16:26:33 - Prep in progress. Please Wait.
16:26:35 - Prep complete
16:26:35 - Repairing Services Now. Please wait...
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\BFE.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\SubLayer>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Provider>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Performance>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\iphlpsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Interfaces>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\config>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\MpsSvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\WinDefend.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
16:26:38 - Services Repair Complete.
16:26:58 - Reboot Initiated
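The two logs above tell one story: Farbar Service Scanner found no registry key at all for MpsSvc, and the ESET services repair tool then restored the security descriptors (SDs) of the firewall-related service keys from its bundled .sddl backups via SetACL. The following script is an added, read-only check that is not part of the thread or of either tool; it walks the same service keys, reports whether each key exists, compares its Start value against an assumed stock-Vista default, and captures each key's current SDDL so it can be diffed against a known-good baseline later. The expected start types and the output path are assumptions; run it from an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example (not the thread's or the tools' own code): read-only health
# check of the service registry keys the logs above examined. Nothing here
# modifies the system.

# Services referenced by the FSS and ServicesRepair logs, with the Start value
# assumed for a stock Vista install (2 = Automatic, 3 = Manual/Demand).
# Assumption: adjust these to your own baseline if it differs.
$expected = @{
    'BFE'      = 2
    'MpsSvc'   = 2
    'mpsdrv'   = 3
    'WinDefend'= 2
    'wscsvc'   = 2
    'wuauserv' = 2
}

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = foreach ($name in ($expected.Keys | Sort-Object)) {
    $key = Join-Path $base $name

    if (-not (Test-Path $key)) {
        # The condition FSS flagged for MpsSvc: the service key is absent, so
        # the Service Control Manager cannot even see the service.
        [pscustomobject]@{ Service = $name; Status = 'KEY MISSING'; Start = $null; ImagePath = $null; SDDL = $null }
        continue
    }

    $props  = Get-ItemProperty -Path $key
    $start  = $props.Start
    $status = if ($start -eq $expected[$name]) { 'OK' } else { "Start=$start, expected $($expected[$name])" }

    # Owner, DACL and SACL of the key as an SDDL string, the same
    # representation SetACL restores from the .sddl backup files.
    $sddl = (Get-Acl -Path $key).Sddl

    [pscustomobject]@{
        Service   = $name
        Status    = $status
        Start     = $start
        ImagePath = $props.ImagePath
        SDDL      = $sddl
    }
}

# Human-readable summary, one line per service.
$report | Format-Table Service, Status, Start, ImagePath -AutoSize

# Persist the SDDL strings so a later run, or another machine, can be diffed
# against this baseline. Assumed output location: the current user's desktop.
$report | Where-Object { $_.SDDL } |
    Select-Object Service, SDDL |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\service-key-sddl.csv')
```

Run it once on a known-clean machine of the same Windows version to produce the baseline CSV, then again on the suspect machine; a missing key, a Start value that does not match, or an SDDL that differs from the baseline is exactly what the two repair tools in this thread were looking for and fixing.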

#6 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 19 November 2012 - 07:35 PM

Please re-run Farbar Service Scanner and post the new log.

Check to make certain Windows Firewall is now functioning properly.

Then run the following diagnostic scans to see if there is any leftover malware on the machine.

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Edited by CatByte, 19 November 2012 - 07:35 PM.



#7 albert_tf
  • Topic Starter
  • Members
  • 21 posts

Posted 19 November 2012 - 08:24 PM

Ok, thank you.

Here is the DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.7.2
Run by gwolber at 17:01:30 on 2012-11-19
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3069.1830 [GMT -8:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\system32\mqsvc.exe
C:\Windows\system32\brss01a.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\mqtgsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
c:\windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.tfront.com/
mStart Page = hxxp://www.dell.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.147
TCP: Interfaces\{1A60C73A-0A22-4172-A660-3F7BBE810689} : NameServer = 192.168.1.147,192.168.1.144
TCP: Interfaces\{1A60C73A-0A22-4172-A660-3F7BBE810689} : DHCPNameServer = 192.168.1.147
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-29 176128]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-9-12 8960]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-3-4 2189240]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-15 106656]
R3 PCDSRVC{E9D79540-57D5953E-06020200}_0;PCDSRVC{E9D79540-57D5953E-06020200}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2012-8-17 22640]
S2 APCPBEAgent;APC PBE Agent;c:\progra~1\apc\powerc~1\agent\pbeagent.exe [2010-1-2 28672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-3-4 23888]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-9-12 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-9-12 16640]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-18 15:33:48 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{822abb27-b151-4241-9f0e-f8f1b3b69945}\mpengine.dll
2012-11-18 15:33:47 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-11-14 16:53:32 75776 ----a-w- c:\windows\system32\synceng.dll
2012-11-14 16:52:49 2047488 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2012-11-15 16:52:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-15 16:52:30 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 07:56:24 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-10-06 17:39:55 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-06 17:39:52 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-06 17:39:51 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-13 13:28:08 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-29 11:27:41 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-29 11:27:41 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 15:53:29 172544 ----a-w- c:\windows\system32\wintrust.dll
.
============= FINISH: 17:02:55.64 ===============


Here is the Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 9/16/2008 1:09:47 PM
System Uptime: 11/19/2012 4:28:24 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0J584C
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 1600/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 134.852 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
R: is NetworkDisk (NTFS) - 39 GiB total, 31.503 GiB free.
S: is NetworkDisk (NTFS) - 39 GiB total, 31.503 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1336: 10/8/2012 2:06:22 PM - Scheduled Checkpoint
RP1337: 10/9/2012 12:32:10 PM - Scheduled Checkpoint
RP1338: 10/10/2012 2:21:09 PM - Scheduled Checkpoint
RP1339: 10/10/2012 5:06:39 PM - Windows Update
RP1340: 10/12/2012 1:34:32 PM - Scheduled Checkpoint
RP1341: 10/16/2012 1:45:12 PM - Scheduled Checkpoint
RP1342: 10/17/2012 4:05:54 PM - Scheduled Checkpoint
RP1343: 10/23/2012 11:08:35 AM - Scheduled Checkpoint
RP1344: 10/25/2012 2:23:02 PM - Scheduled Checkpoint
RP1345: 10/26/2012 11:47:06 AM - Scheduled Checkpoint
RP1346: 10/29/2012 4:16:52 PM - Scheduled Checkpoint
RP1347: 11/5/2012 12:42:02 PM - Scheduled Checkpoint
RP1348: 11/7/2012 3:40:39 PM - Scheduled Checkpoint
RP1349: 11/9/2012 4:08:00 PM - Scheduled Checkpoint
RP1350: 11/10/2012 9:18:34 AM - Scheduled Checkpoint
RP1351: 11/12/2012 11:28:34 AM - Scheduled Checkpoint
RP1352: 11/14/2012 4:22:32 PM - Scheduled Checkpoint
RP1353: 11/14/2012 5:01:33 PM - Windows Update
RP1354: 11/15/2012 2:44:59 PM - Scheduled Checkpoint
RP1355: 11/16/2012 12:55:20 PM - Scheduled Checkpoint
RP1356: 11/18/2012 6:16:39 AM - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.3
APC PowerChute Business Edition Agent
ATI Catalyst Install Manager
ATI Display Driver
Browser Address Error Redirector
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
Compatibility Pack for the 2007 Office system
Dell Driver Reset Tool
Dell Support Center
Diagnostics Utility
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java 7 Update 7
Java Auto Updater
LiveUpdate 3.3 (Symantec Corporation)
Lizard Safeguard - PDF Viewer 2.5.125
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
OGA Notifier 2.0.0048.0
PowerDVD
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
RWA Band I-1
SearchAssist
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Skins
Sonic CinePlayer Decoder Pack
Spelling Dictionaries Support For Adobe Reader 9
SupportSoft Assisted Service
Symantec Endpoint Protection
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP
Windows Installer Clean Up
World of Warcraft FREE Trial
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
11/19/2012 4:29:49 PM, Error: Service Control Manager [7034] - The APC PBE Agent service terminated unexpectedly. It has done this 1 time(s).
11/19/2012 4:29:49 PM, Error: Service Control Manager [7000] - The SupportSoft Sprocket Service (dellsupportcenter) service failed to start due to the following error: The system cannot find the file specified.
11/19/2012 4:26:38 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
11/18/2012 11:57:57 AM, Error: Service Control Manager [7022] - The SharedAccess service hung on starting.
.
==== End Of File ===========================

Here is the aswMBR file:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-19 17:04:58
-----------------------------
17:04:58.748 OS Version: Windows 6.0.6002 Service Pack 2
17:04:58.748 Number of processors: 4 586 0xF0B
17:04:58.748 ComputerName: TFRONT17 UserName: gwolber
17:04:59.840 Initialize success
17:12:02.015 AVAST engine defs: 12111901
17:14:43.959 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:14:43.959 Disk 0 Vendor: Hitachi_HDP725025GLA380 GM2OA5BA Size: 238418MB BusType: 3
17:14:43.959 Disk 0 MBR read successfully
17:14:43.974 Disk 0 MBR scan
17:14:43.974 Disk 0 Windows VISTA default MBR code
17:14:43.974 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
17:14:43.990 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238347 MB offset 128520
17:14:44.005 Disk 0 scanning sectors +488263545
17:14:44.083 Disk 0 scanning C:\Windows\system32\drivers
17:14:55.659 Service scanning
17:15:31.523 Modules scanning
17:15:42.334 Disk 0 trace - called modules:
17:15:42.365 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
17:15:42.880 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x857cc908]
17:15:42.880 3 CLASSPNP.SYS[8a9a58b3] -> nt!IofCallDriver -> [0x8558b918]
17:15:42.880 5 acpi.sys[8069d6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85589528]
17:15:43.738 AVAST engine scan C:\Windows
17:15:52.146 AVAST engine scan C:\Windows\system32
17:21:26.594 AVAST engine scan C:\Windows\system32\drivers
17:21:41.149 AVAST engine scan C:\Users\gwolber.TFMUSIC
17:24:26.444 Disk 0 MBR has been saved successfully to "C:\Users\gwolber.TFMUSIC\Desktop\MBR.dat"
17:24:26.491 The log file has been saved successfully to "C:\Users\gwolber.TFMUSIC\Desktop\aswMBR.txt"

Attached file: MBR.zip (558 bytes)


#8 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Gender: Not Telling
  • Location: Canada

Posted 19 November 2012 - 08:28 PM

Is the firewall working now? Please post the new Farbar Service Scanner log as well.

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 albert_tf (Topic Starter)
  • Members
  • 21 posts

Posted 19 November 2012 - 08:37 PM

Hello,
Thank you for the reply. I was a bit hasty. The aswMBR hasn't finished scanning yet. I have to vacate the building so I will get back to you tomorrow.

Thank you!
Albert

#10 albert_tf (Topic Starter)
  • Members
  • 21 posts

Posted 20 November 2012 - 11:15 AM

Here is the FSS log:

Farbar Service Scanner Version: 09-11-2012
Ran by gwolber (administrator) on 20-11-2012 at 08:16:27
Running from "C:\Users\gwolber.TFMUSIC\Documents\SD_Files"
Windows Vista ™ Business Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-10 07:46] - [2012-06-01 16:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
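
The FSS output above prints nothing under "Windows Firewall" and "Firewall Disabled Policy", which is what a healthy registration looks like, but the log does not say what was tested. The PowerShell below is an added example, not part of this thread and not Farbar's code: it performs the equivalent checks by hand on the Windows Firewall (MpsSvc) and Base Filtering Engine (BFE) services. It assumes the standard Vista/Windows 7 registry locations, PowerShell 2.0 or later, and an administrator prompt so every key is readable.

```powershell
# Added example (not part of the thread, not Farbar's code): the checks behind
# the "Windows Firewall" and "Firewall Disabled Policy" sections of an FSS log,
# done by hand for the Windows Firewall (MpsSvc) and Base Filtering Engine (BFE).
# Registry paths are the standard Vista/Windows 7 locations. PowerShell 2.0+,
# run from an administrator prompt so every key is readable.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Test-FirewallService {
    param(
        [string]$Name,          # service short name, e.g. MpsSvc or BFE
        [string]$ExpectedDll,   # full path the ServiceDll value should resolve to
        [string]$SvchostGroup   # svchost group that must list the service
    )
    $r = @{ Service = $Name; Registered = $false; Status = 'n/a'; ServiceDll = $null
            DllExpected = $false; DllPresent = $false; InSvchostGroup = $false
            DisabledByPolicy = $false }

    # 1. The service key must exist. If it is gone, the Services console does
    #    not list the service at all and the firewall UI cannot open.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r.Registered = Test-Path $svcKey

    if ($r.Registered) {
        # 2. State as the Service Control Manager reports it.
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc) { $r.Status = $svc.Status.ToString() }

        # 3. ServiceDll must resolve to the expected DLL under System32 and the
        #    file must be present; a redirected or missing DLL is tampering.
        $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            $r.ServiceDll  = $dll
            $r.DllExpected = ($dll -ieq $ExpectedDll)
            $r.DllPresent  = Test-Path $dll
        }
    }

    # 4. svchost group membership: both services are hosted by the
    #    LocalServiceNoNetwork svchost instance (the REG_MULTI_SZ the ComboFix
    #    log later in this thread shows as "PLA DPS BFE mpssvc"). A name that
    #    has been dropped from that list is never loaded, key or no key.
    $group = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).$SvchostGroup
    $r.InSvchostGroup = [bool]($group | Where-Object { $_ -ieq $Name })

    # 5. Group Policy can switch the firewall off per profile; FSS reports this
    #    under "Firewall Disabled Policy".
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $pol = Get-ItemProperty -Path "$policyRoot\$fwProfile" -ErrorAction SilentlyContinue
        if ($pol -and $pol.EnableFirewall -eq 0) { $r.DisabledByPolicy = $true }
    }

    New-Object PSObject -Property $r |
        Select-Object Service, Registered, Status, ServiceDll, DllExpected,
                      DllPresent, InSvchostGroup, DisabledByPolicy
}

$sys32 = Join-Path $env:SystemRoot 'System32'
Test-FirewallService -Name 'MpsSvc' -ExpectedDll (Join-Path $sys32 'mpssvc.dll') -SvchostGroup 'LocalServiceNoNetwork'
Test-FirewallService -Name 'BFE'    -ExpectedDll (Join-Path $sys32 'bfe.dll')    -SvchostGroup 'LocalServiceNoNetwork'
```

A False in Registered, DllExpected, DllPresent or InSvchostGroup is enough on its own to produce "Windows cannot display Windows Firewall settings": svchost never loads a service that is not in its group, and a service whose key is missing does not show up in the Services console. The "File Check" section of FSS goes one step further and compares each DLL's MD5 with a built-in known-good table; a line printed with timestamp and hash instead of "MD5 is legit", like cryptsvc.dll above, only means the hash was not in that table, which happens after a recent update as well as after tampering, so check the file's version and signature before drawing either conclusion.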

#11 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Gender: Not Telling
  • Location: Canada

Posted 20 November 2012 - 06:42 PM

Good, the log is not showing any more problems with the firewall, so it should be running now.

Please move on to ComboFix.

Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 albert_tf (Topic Starter)
  • Members
  • 21 posts

Posted 20 November 2012 - 09:11 PM

OK thanks! Ran ComboFix without incident. Here is the log:

ComboFix 12-11-20.02 - gwolber 11/20/2012 17:51:03.2.4 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3069.1927 [GMT -8:00]
Running from: c:\users\gwolber.TFMUSIC\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6032\AddOnDownloaded\087abda5-3ca9-433a-8a4e-6b9fc9285607.dll
c:\programdata\PCDr\6032\AddOnDownloaded\21eb1c2f-b0d8-40e6-96dd-163437759b68.dll
c:\programdata\PCDr\6032\AddOnDownloaded\2f733848-355c-4a6f-89a5-08a4dcc89c5c.dll
c:\programdata\PCDr\6032\AddOnDownloaded\35445406-e7ed-4a0e-9922-45505e71594b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\358ba71b-117f-40d5-95aa-57de622719b7.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3b429c4f-8ba9-4a7d-bbb4-4548bb6d2539.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3c49c05a-0eb3-4044-a0f8-d4ea2a439295.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3d656744-60b2-4576-8124-a39729f8b522.dll
c:\programdata\PCDr\6032\AddOnDownloaded\4704833a-6508-40cc-b98b-5ebd235e52ca.dll
c:\programdata\PCDr\6032\AddOnDownloaded\489f121a-4538-4839-9d1d-3c48e590be59.dll
c:\programdata\PCDr\6032\AddOnDownloaded\4f64943e-d62a-4f2e-a3cd-98fb91e30469.dll
c:\programdata\PCDr\6032\AddOnDownloaded\59bb1a7b-2122-4c71-82b0-30bee96f063e.dll
c:\programdata\PCDr\6032\AddOnDownloaded\5cd81d7c-326c-42d2-8929-1ee85c69dc1d.dll
c:\programdata\PCDr\6032\AddOnDownloaded\5f169f6e-cfce-411e-b266-aa53ac35ce83.dll
c:\programdata\PCDr\6032\AddOnDownloaded\7119bf4b-d404-4b31-8779-44fac71761fa.dll
c:\programdata\PCDr\6032\AddOnDownloaded\72f0dc20-5af7-4221-9657-442597ce030b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\75c8751b-fcad-4846-80ce-3a2efec60612.dll
c:\programdata\PCDr\6032\AddOnDownloaded\8c199aef-9eca-4ab6-863d-c9136ebec654.dll
c:\programdata\PCDr\6032\AddOnDownloaded\a7201707-7895-43cf-9119-8a0279b75d4c.dll
c:\programdata\PCDr\6032\AddOnDownloaded\b510dd11-341c-4dfa-9f1e-dd5ddcc444f4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\cf9bce06-e765-4c6f-afa9-0d82a3adc417.dll
c:\programdata\PCDr\6032\AddOnDownloaded\d3ef65ec-842a-4640-b428-aca2f4a966e6.dll
c:\programdata\PCDr\6032\AddOnDownloaded\d78fa15b-2d61-4303-adaa-edec9ebbb2b3.dll
c:\programdata\PCDr\6032\AddOnDownloaded\dbecb802-efe1-453f-828f-29af4ab73508.dll
c:\programdata\PCDr\6032\AddOnDownloaded\e1ce76af-328a-41dc-b2c4-0dd9771f6aa1.dll
c:\programdata\PCDr\6032\AddOnDownloaded\e3e252fe-80ab-4f89-82a9-b607007220bd.dll
c:\programdata\PCDr\6032\AddOnDownloaded\eb115e4d-8592-4082-bffa-e65ae6b21e95.dll
c:\programdata\PCDr\6032\AddOnDownloaded\ed26c1b3-d9f9-42e8-80e0-cd62e65fd901.dll
c:\programdata\PCDr\6032\AddOnDownloaded\f28ef68b-8cc4-4c00-891d-473fb67bd0b0.dll
c:\users\gwolber.TFMUSIC\Documents\~WRL0144.tmp
c:\users\gwolber.TFMUSIC\Documents\~WRL3639.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-10-21 to 2012-11-21 )))))))))))))))))))))))))))))))
.
.
2012-11-21 02:00 . 2012-11-21 02:02 -------- d-----w- c:\users\gwolber.TFMUSIC\AppData\Local\temp
2012-11-21 02:00 . 2012-11-21 02:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-11-21 02:00 . 2012-11-21 02:00 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2012-11-21 02:00 . 2012-11-21 02:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-11-21 02:00 . 2012-11-21 02:00 -------- d-----w- c:\users\gwolber\AppData\Local\temp
2012-11-21 02:00 . 2012-11-21 02:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-21 02:00 . 2012-11-21 02:00 -------- d-----w- c:\users\astatti\AppData\Local\temp
2012-11-21 02:00 . 2012-11-21 02:00 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-11-20 21:09 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBF9EA2F-B579-4839-A4B5-2F3F1315690C}\mpengine.dll
2012-11-20 14:26 . 2012-11-20 14:26 -------- d-----w- c:\windows\system32\InstallShield Installation Information
2012-11-18 15:33 . 2012-05-31 20:25 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-11-15 17:00 . 2012-11-15 17:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2012-11-14 16:53 . 2012-09-25 16:19 75776 ----a-w- c:\windows\system32\synceng.dll
2012-11-14 16:52 . 2012-10-12 14:29 2047488 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-15 16:52 . 2012-05-15 15:08 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-15 16:52 . 2011-06-03 16:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-06 17:39 . 2012-10-06 17:40 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-06 17:39 . 2012-10-06 16:27 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-10-06 17:39 . 2010-04-17 15:35 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-13 13:28 . 2012-10-10 15:46 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-29 11:27 . 2012-10-10 15:46 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-29 11:27 . 2012-10-10 15:46 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 15:53 . 2012-10-10 15:46 172544 ----a-w- c:\windows\system32\wintrust.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-03-04 115560]
"MsmqIntCert"="mqrt.dll" [2009-04-11 150528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8169Diag]
2008-02-26 21:15 909312 ----a-w- c:\program files\Realtek\Diagnostics Utility\8169Diag.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc
dot3svc REG_MULTI_SZ dot3svc
eapsvcs REG_MULTI_SZ eaphost
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-15 16:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tfront.com/
mStart Page = hxxp://www.dell.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.147
TCP: Interfaces\{1A60C73A-0A22-4172-A660-3F7BBE810689}: NameServer = 192.168.1.147,192.168.1.144
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-20 18:02
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\PCDSRVC{E9D79540-57D5953E-06020200}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]
"ImagePath"="a"
.
Completion time: 2012-11-20 18:04:31
ComboFix-quarantined-files.txt 2012-11-21 02:04
ComboFix2.txt 2012-08-15 20:58
.
Pre-Run: 144,478,752,768 bytes free
Post-Run: 144,640,798,720 bytes free
.
- - End Of File - - A65F8AF4EEF8C905158385B82731AB83

#13 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Gender: Not Telling
  • Location: Canada

Posted 20 November 2012 - 09:14 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 albert_tf (Topic Starter)
  • Members
  • 21 posts

Posted 21 November 2012 - 10:52 AM

OK, thank you. Here is the AdwCleaner output; it produced two files. I put both here:

# AdwCleaner v2.008 - Logfile created 11/20/2012 at 18:27:28
# Updated 17/11/2012 by Xplode
# Operating system : Windows Vista ™ Business Service Pack 2 (32 bits)
# User : gwolber - TFRONT17
# Boot Mode : Normal
# Running from : C:\Users\gwolber.TFMUSIC\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

*************************

AdwCleaner[R1].txt - [579 octets] - [20/11/2012 18:27:28]

########## EOF - C:\AdwCleaner[R1].txt - [638 octets] ##########

# AdwCleaner v2.008 - Logfile created 11/20/2012 at 18:27:46
# Updated 17/11/2012 by Xplode
# Operating system : Windows Vista ™ Business Service Pack 2 (32 bits)
# User : gwolber - TFRONT17
# Boot Mode : Normal
# Running from : C:\Users\gwolber.TFMUSIC\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

*************************

AdwCleaner[R1].txt - [706 octets] - [20/11/2012 18:27:28]
AdwCleaner[S1].txt - [638 octets] - [20/11/2012 18:27:46]

########## EOF - C:\AdwCleaner[S1].txt - [697 octets] ##########

Here is the Malwarebytes log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.21.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
gwolber :: TFRONT17 [administrator]

11/20/2012 6:37:18 PM
mbam-log-2012-11-20 (18-37-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 290541
Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{dde5f197-2dfe-1c2a-822b-77bb252bca8b}\n (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

Here is the ESETSCAN:

C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win32/Sirefef.FB.Gen trojan
C:\Users\gwolber.TFMUSIC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\453e638b-3440a6ee Java/Exploit.Agent.NCI trojan
C:\Users\gwolber.TFMUSIC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\46306b78-645931e5 Java/Agent.Y trojan


Thank you!

#15 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Gender: Not Telling
  • Location: Canada

Posted 21 November 2012 - 06:39 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into Notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\gwolber.TFMUSIC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\453e638b-3440a6ee 
C:\Users\gwolber.TFMUSIC\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\46306b78-645931e5 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

NEXT

Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
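
The two previous posts point at two locations worth sweeping on any machine with the same symptoms: the {GUID} folder under C:\Windows\Installer where MBAM flagged a file named "n" as Rootkit.0Access, and the Java deployment cache where ESET found the Java/Exploit.Agent entries that the CFScript above deletes before its ClearJavaCache:: directive empties that cache. The PowerShell below is an added example, not part of the thread and not a ComboFix or MBAM feature; it is read-only unless the -ClearJavaCache switch is given, in which case it does what ClearJavaCache:: does. It assumes PowerShell 2.0 or later and an administrator prompt. The file names "@", "U" and "L" beside "n" come from public write-ups of the same ZeroAccess family and are an assumption of this example; the thread itself only shows "n".

```powershell
# Added example, not from the thread: a read-only sweep of the two places the
# detections in the previous two posts point at, with an opt-in switch that does
# what the CFScript's ClearJavaCache:: directive does. PowerShell 2.0+, run as
# administrator; close any browser/Java process before using -ClearJavaCache.
param([switch]$ClearJavaCache)

# 1. %windir%\Installer and %LOCALAPPDATA% hold {GUID} folders written by
#    Windows Installer (.msi, .msp, icon files). MBAM flagged a {GUID} folder
#    under Installer holding a file literally named "n"; "@", "U" and "L" are
#    the companion names public ZeroAccess write-ups describe and are an
#    assumption of this example, not something the thread shows.
function Find-SuspiciousGuidFolders {
    param([string[]]$Roots = @((Join-Path $env:windir 'Installer'), $env:LOCALAPPDATA))
    $markers = @('n', '@', 'U', 'L')
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $guidDirs = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' }
        foreach ($dir in $guidDirs) {
            $errs = @()
            $children = Get-ChildItem -Path $dir.FullName -Force -ErrorAction SilentlyContinue -ErrorVariable errs
            $hits = @($children | Where-Object { $markers -contains $_.Name })
            $finding = $null
            if ($errs.Count -gt 0) {
                # A folder an administrator cannot even list deserves a manual look at its ACL.
                $finding = 'could not enumerate: ' + $errs[0].Exception.Message
            } elseif ($hits.Count -gt 0) {
                $finding = 'contains ' + (($hits | ForEach-Object { $_.Name }) -join ', ')
            }
            if ($finding) {
                New-Object PSObject -Property @{ Folder = $dir.FullName; Finding = $finding } |
                    Select-Object Folder, Finding
            }
        }
    }
}

# 2. The Java deployment cache is where a drive-by applet lands (the two
#    Java/Exploit.Agent files ESET listed live there). Hash the payload entries
#    so they can be looked up; the .idx files beside them are only the cache's
#    index records.
function Get-JavaCacheEntries {
    $cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
    if (-not (Test-Path $cache)) { return }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '' } |
        ForEach-Object {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try     { $hash = ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
            finally { $fs.Close() }
            New-Object PSObject -Property @{ Path = $_.FullName; Size = $_.Length
                                             Modified = $_.LastWriteTime; SHA256 = $hash } |
                Select-Object Path, Size, Modified, SHA256
        }
}

# 3. Equivalent of ClearJavaCache::, only when explicitly asked for.
function Clear-JavaCache {
    $cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
    if (Test-Path $cache) {
        Get-ChildItem -Path $cache -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Find-SuspiciousGuidFolders | Format-Table -AutoSize -Wrap
Get-JavaCacheEntries       | Format-Table -AutoSize -Wrap
if ($ClearJavaCache) { Clear-JavaCache; 'Java deployment cache emptied.' }
```

Run it once before and once after cleanup and keep both outputs: the hashes give you something to submit to a scanner or compare against the ESET names, and the Installer sweep is a quick way to confirm that a quarantined "n" has not been written back, which is the usual reason a ZeroAccess-style infection outlives a single removal pass. The sweep also runs only in the current user's profile for the Java cache; repeat it as each local user (the ComboFix log above lists several) or point the cache path at their profiles.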




