TR/Sirefef.A.61.


This topic is locked
13 replies to this topic

#1 kjpoehler


  • Members
  • 7 posts

Posted 27 December 2012 - 01:59 PM

I am getting a constant security alert from AVIRA indicating that a virus 'TR/Sirefef.A.61' was found in C:\$Recycle.Bin\S-1-5-1\... \00000001.@.
I downloaded FRST and followed the steps; here are the logs for FRST.txt and Search.txt.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-12-2012 01
Ran by SYSTEM at 27-12-2012 11:02:53
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [861744 2007-04-13] (Synaptics, Inc.)
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [1862144 2007-05-10] (Google)
HKLM\...\Run: [lxdkmon.exe] "C:\Program Files\Lexmark 5300 Series\lxdkmon.exe" [455344 2007-06-21] ()
HKLM\...\Run: [lxdkamon] "C:\Program Files\Lexmark 5300 Series\lxdkamon.exe" [20480 2007-06-01] ()
HKLM\...\Run: [Lexmark 5300 Series Fax Server] "C:\Program Files\Lexmark 5300 Series\fm3032.exe" /s [307888 2007-06-21] ()
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-03-17] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [248040 2010-02-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [497648 2010-07-28] (Adobe Systems Incorporated)
HKLM\...\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe" [770728 2010-05-05] ()
HKLM\...\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe" [148280 2010-05-05] ()
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM\...\Run: [BSDAppUpdater] C:\Program Files\Common Files\BSD\AppUpdater\BSDChecker.exe [1660232 2011-10-30] (Bootstrap Software Development)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-04-20] ()
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-04-20] ()
HKU\Ryan\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-04-20] ()
HKU\Ryan\...\Run: [TK8 StickyNotes] "C:\Program Files\TK8 StickyNotes\TK8StickyNotes.exe" [9175376 2010-03-08] ()
HKU\Ryan\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Ryan\...\Run: [Google Update] "C:\Users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-23] (Google Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n. ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Ryan\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ===================

2 AdobeActiveFileMonitor9.0; C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [169408 2010-09-30] (Adobe Systems Incorporated)
2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-01] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-01] (Avira Operations GmbH & Co. KG)
3 GoogleDesktopManager; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [1862144 2007-05-10] (Google)
2 lxdk_device; C:\Windows\system32\lxdkcoms.exe -service [598960 2007-06-14] ( )
2 lxeaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [193192 2010-04-14] (Lexmark International, Inc.)
2 lxea_device; C:\Windows\system32\lxeacoms.exe -service [598696 2010-04-14] ( )
2 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()
2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 Swupdtmr; c:\TOSHIBA\IVP\swupdate\swupdtmr.exe [x]

==================== Drivers (Whitelisted) ====================

2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [83392 2012-04-24] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137928 2012-04-27] (Avira GmbH)
1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [36000 2012-04-16] (Avira GmbH)
1 Cdr4_xp; C:\Windows\System32\Drivers\Cdr4_xp.sys [9072 2009-10-20] (Sonic Solutions)
1 Cdralw2k; C:\Windows\System32\Drivers\Cdralw2k.sys [9200 2009-10-20] (Sonic Solutions)
3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2006-12-14] (ATK0100)
3 slabbus; C:\Windows\System32\DRIVERS\slabbus.sys [52384 2004-03-25] (MCCI)
3 slabser; C:\Windows\System32\DRIVERS\slabser.sys [84512 2004-03-25] (MCCI)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
3 TDEIO; \??\C:\WINDOWS\SYSTEM32\SYSPREP\tdeio.sys [16512 2006-09-19] ()
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-12-17 16:59 - 2012-12-17 16:59 - 00000043 ____A C:\Users\Ryan\Desktop\saying.txt
2012-12-16 15:25 - 2012-12-16 17:24 - 00016347 ____A C:\Users\Ryan\Desktop\Britt Ped.odt
2012-12-10 10:24 - 2012-12-10 10:24 - 00138696 ____A C:\Windows\Minidump\Mini121012-01.dmp
2012-12-02 14:03 - 2012-12-02 14:03 - 00138696 ____A C:\Windows\Minidump\Mini120212-01.dmp


==================== One Month Modified Files and Folders ========

2012-12-27 08:30 - 2006-11-02 05:01 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-12-27 08:30 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-27 08:30 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-27 08:29 - 2010-04-30 18:54 - 00221564 ____A C:\Users\Ryan\Documents\TK8 SkickyNotes Database.data
2012-12-27 08:29 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-27 08:18 - 2012-06-29 04:12 - 00001858 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-12-27 08:11 - 2011-10-08 11:40 - 00062408 ____A C:\Users\All Users\lxeascan.log
2012-12-27 08:02 - 2007-06-25 02:51 - 02064758 ____A C:\Windows\WindowsUpdate.log
2012-12-27 08:01 - 2012-08-09 06:02 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-27 07:37 - 2012-12-27 07:37 - 00000000 ____D C:\FRST
2012-12-27 07:34 - 2006-11-02 02:33 - 00740318 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-27 07:32 - 2012-08-23 07:44 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3302994980-3118950705-738168229-1000UA.job
2012-12-27 03:32 - 2012-08-23 07:44 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3302994980-3118950705-738168229-1000Core.job
2012-12-24 09:23 - 2010-04-25 14:44 - 00000000 ___RD C:\Users\Ryan\Desktop\Karli
2012-12-19 04:46 - 2011-06-23 15:36 - 00000000 ____D C:\Users\Ryan\Desktop\Ryan's Stuff
2012-12-17 16:59 - 2012-12-17 16:59 - 00000043 ____A C:\Users\Ryan\Desktop\saying.txt
2012-12-16 17:24 - 2012-12-16 15:25 - 00016347 ____A C:\Users\Ryan\Desktop\Britt Ped.odt
2012-12-13 13:41 - 2012-08-23 07:46 - 00002048 ____A C:\Users\Ryan\Desktop\Google Chrome.lnk
2012-12-11 16:01 - 2012-08-09 06:02 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-12-11 16:01 - 2011-06-30 13:27 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-12-10 12:22 - 2007-05-10 08:47 - 00000000 ____D C:\Users\All Users\Adobe
2012-12-10 10:24 - 2012-12-10 10:24 - 00138696 ____A C:\Windows\Minidump\Mini121012-01.dmp
2012-12-10 10:24 - 2008-02-15 10:44 - 00000000 ____D C:\Windows\Minidump
2012-12-10 10:24 - 2008-02-15 10:43 - 175094407 ____A C:\Windows\MEMORY.DMP
2012-12-10 04:14 - 2011-11-02 03:03 - 00001092 ____A C:\Users\All Users\lxea.log
2012-12-02 14:03 - 2012-12-02 14:03 - 00138696 ____A C:\Windows\Minidump\Mini120212-01.dmp

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-25 09:47:12
Restore point made on: 2012-11-27 08:29:19
Restore point made on: 2012-12-21 03:48:19
Restore point made on: 2012-12-21 05:16:13
Restore point made on: 2012-12-22 05:26:18
Restore point made on: 2012-12-23 09:29:05
Restore point made on: 2012-12-24 07:06:13
Restore point made on: 2012-12-26 07:49:07
Restore point made on: 2012-12-26 08:12:56
Restore point made on: 2012-12-26 10:48:55
Restore point made on: 2012-12-26 13:29:20

==================== Memory info ===========================

Percentage of memory in use: 46%
Total physical RAM: 1014.75 MB
Available physical RAM: 542.92 MB
Total Pagefile: 876.3 MB
Available Pagefile: 690.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1982.35 MB

==================== Partitions =============================

1 Drive c: (SQ004399V03) (Fixed) (Total:73.06 GB) (Free:14.94 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 1099 KB
Disk 1 Online 3072 KB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 73 GB 1501 MB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004399V03 NTFS Partition 73 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3056 KB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F KJPFLASH FAT Removable 3056 KB Healthy

=========================================================

Last Boot: 2012-12-27 08:18

==================== End Of Log ============================

Farbar Recovery Scan Tool (x86) Version: 23-12-2012 01
Ran by SYSTEM at 2012-12-27 10:37:24
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-03-30 04:18] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-08-04 07:14] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2010-03-30 04:18] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===
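As an added illustration (not part of the original thread and not FRST's own code), the Python below re-derives the verdict FRST printed on the HKLM\...D6A79037F57F\InprocServer32 line above: it parses InprocServer32 entries in FRST's log format and flags a COM server that lives under $Recycle.Bin\<SID>\$<hex>, a file name ending in a dot, or a DLL name that differs from the one FRST's [Default-...] label expects. The sample log is constructed to mirror the format on this page; the benign fastprox.dll line in it is invented for contrast and does not come from the thread.

```python
r"""Spot ZeroAccess-style COM hijacks in FRST "Registry (Whitelisted)" output.

ZeroAccess (Avira: TR/Sirefef, MBAM: Trojan.0Access) rewrites the default
InprocServer32 value of a system CLSID so that a DLL hidden under
C:\$Recycle.Bin\<SID>\$<32 hex chars>\n is loaded instead of the real one.
FRST prints such a value as:
  HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\...\n. ATTENTION! ====> ZeroAccess
The checks below re-derive that verdict from the raw value so the logic is
visible. The sample log is constructed to mirror the format seen in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# FRST line shape: <hive\...\InprocServer32>: [Default-<expected dll stem>] <target> [ATTENTION! ...]
INPROC_RE = re.compile(
    r"^(?P<key>HK\S*\\InprocServer32): \[Default-(?P<expected>[^\]]+)\] "
    r"(?P<target>.*?)(?: ATTENTION!.*)?$"
)
# ZeroAccess staging folder: <drive>:\$Recycle.Bin\<SID>\$<32 hex>\...
RECYCLE_RE = re.compile(
    r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-\d+(?:-\d+)*\\\$[0-9a-fA-F]{32}(?:\\|$)"
)
# Where COM servers registered for system CLSIDs legitimately live.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


@dataclass
class Finding:
    key: str
    target: str
    reasons: List[str] = field(default_factory=list)


def parse_inproc_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (key, expected_dll_stem, target) for an InprocServer32 line, else None."""
    m = INPROC_RE.match(line.strip())
    if not m:
        return None
    return m.group("key"), m.group("expected"), m.group("target")


def assess_target(expected_stem: str, target: str) -> List[str]:
    """Independent reasons an InprocServer32 target is suspicious (empty list = clean)."""
    reasons: List[str] = []
    lowered = target.lower()
    if RECYCLE_RE.match(target):
        reasons.append("server DLL lives under $Recycle.Bin\\<SID>\\$<hex> (ZeroAccess staging folder)")
    elif not lowered.startswith(TRUSTED_ROOTS):
        reasons.append("server DLL is outside System32/Program Files")
    basename = target.rsplit("\\", 1)[-1]
    if basename.endswith("."):
        # Win32 path normalisation drops a trailing dot, so Explorer and ordinary
        # delete calls never address this file by its real on-disk name.
        reasons.append("file name ends in a dot (trailing-dot evasion)")
        basename = basename.rstrip(".")
    if basename.lower() != f"{expected_stem.lower()}.dll":
        reasons.append(f"expected {expected_stem}.dll, value points to '{basename}'")
    return reasons


def scan_frst_lines(lines: Iterable[str]) -> List[Finding]:
    """Run the checks over every InprocServer32 line of an FRST log; other lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_inproc_line(line)
        if parsed is None:
            continue
        key, expected, target = parsed
        reasons = assess_target(expected, target)
        if reasons:
            findings.append(Finding(key, target, reasons))
    return findings


# Constructed sample: an unrelated Run entry, the hijacked entry as it appears in
# the thread, and a benign fastprox entry (not from the thread) for contrast.
SAMPLE_LOG = r"""
HKLM\...\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n. ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\Windows\system32\wbem\fastprox.dll
"""


def main() -> None:
    for f in scan_frst_lines(SAMPLE_LOG.splitlines()):
        print(f"{f.key}\n  -> {f.target}")
        for r in f.reasons:
            print(f"     * {r}")


if __name__ == "__main__":
    main()
```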

#2 Farbar



  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 December 2012 - 02:20 PM

Hello kjpoehler,

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n. ATTENTION! ====> ZeroAccess
C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n
unlock: C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n
C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n
C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e
C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e
end
Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

#3 kjpoehler

  • Topic Starter

  • Members
  • 7 posts

Posted 27 December 2012 - 03:30 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-12-2012 01
Ran by SYSTEM at 2012-12-27 14:21:30 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
Could not move C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n.
permissions for C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n restored successfully
Could not move C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n.
Could not move C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e.
Could not move C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e.

==== End of Fixlog ====

#4 Farbar



  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 December 2012 - 03:52 PM

Let's give this another try.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

start
unlock: C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e
unlock: C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n
C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n
C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e
unlock: C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e
unlock: C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e\n
C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e\n
C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e
cmd: rd /q/s C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e
cmd: rd /q/s C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e
end

Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

#5 kjpoehler

  • Topic Starter

  • Members
  • 7 posts

Posted 27 December 2012 - 04:14 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-12-2012 01
Ran by SYSTEM at 2012-12-27 15:06:14 Run:2
Running from F:\

==============================================

permissions for C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e restored successfully
permissions for C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n restored successfully
C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e\n moved successfully.
Could not move C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e.
permissions for C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e restored successfully
C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e\n not found.
C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e moved successfully.

========= rd /q/s C:\$Recycle.Bin\S-1-5-18\$e316fed584e14916660cf758fdc5720e =========


========= End of CMD: =========


========= rd /q/s C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e =========

The system cannot find the file specified.

========= End of CMD: =========


==== End of Fixlog ====

#6 Farbar



  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 December 2012 - 05:43 PM

That went well. :thumbup2:

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#7 kjpoehler

  • Topic Starter

  • Members
  • 7 posts

Posted 27 December 2012 - 06:39 PM

There was only 1 object detected in this scan; I think everything should be taken care of. I appreciate your help.


Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.27.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ryan :: RYAN-PC [administrator]

12/27/2012 5:12:07 PM
mbam-log-2012-12-27 (17-12-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215466
Time elapsed: 25 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-3302994980-3118950705-738168229-1000\$e316fed584e14916660cf758fdc5720e\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 Farbar



  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 December 2012 - 06:47 PM

Yes, that is the one that should be taken care of in normal mode, as the FRST Fixlog indicated too. But this infection tends to alter some services. I would like to assist you in restoring them. If you don't want that, you don't need to follow the steps; just let me know.

  • Please download Farbar Service Scanner and run it on the computer with the issue.
    • Check all the boxes.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List Winsock Entries
    • List installed programs.
    • List Devices (only check the box and leave the default radio button as it is).
    Click Go and post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.


#9 kjpoehler

  • Topic Starter

  • Members
  • 7 posts

Posted 28 December 2012 - 10:15 AM

Alright, done. See attachments.

Farbar Service Scanner Version: 23-12-2012
Ran by Ryan (administrator) on 28-12-2012 at 09:08:48
Running from "C:\Users\Ryan\Downloads"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Yahoo.com is offline


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

MiniToolBox by Farbar Version: 25-11-2012
Ran by Ryan (administrator) on 28-12-2012 at 09:11:30
Running from "C:\Users\Ryan\Downloads"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 7.1.8)
ABBYY FineReader 6.0 Sprint (Version: 6.00.1990.41618)
Accessibility (Version: 1.39.0.10)
Acrobat.com (Version: 2.3.0)
Acrobat.com (Version: 2.3.0.0)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe AIR (Version: 1.5.3.9130)
Adobe Community Help (Version: 3.2.1)
Adobe Community Help (Version: 3.2.1.650)
Adobe Flash Player 11 ActiveX (Version: 11.5.502.135)
Adobe Flash Player 11 Plugin (Version: 11.5.502.135)
Adobe Photoshop Elements 9 (Version: 9.0)
Adobe Photoshop.com Inspiration Browser (Version: 3.07)
Adobe Reader 9.5.2 (Version: 9.5.2)
Adobe Shockwave Player (Version: 10.1.4.20)
Agent Ledger Patch (Version: 1.00.0000)
AIO_CDA_ProductContext (Version: 82.0.233.000)
AIO_CDA_Software (Version: 82.0.233.000)
AIO_Scan (Version: 82.0.173.000)
Apple Application Support (Version: 2.2.2)
Apple Mobile Device Support (Version: 6.0.0.59)
Apple Software Update (Version: 2.1.3.127)
Atheros Driver Installation Program (Version: 7.1)
Avira Free Antivirus (Version: 12.1.9.1236)
Boldon James MasterKeyPlus (Version: 5.4.0)
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 82.0.173.000)
C3100 (Version: 82.0.233.000)
c3100_Help (Version: 82.0.233.000)
CD/DVD Drive Acoustic Silencer (Version: 2.01.01)
Copy (Version: 82.0.188.000)
Coupon Printer for Windows (Version: 5.0.0.0)
CP2101 USB to UART Bridge Controller
CustomerResearchQFolder (Version: 1.00.0000)
D3DX10 (Version: 15.4.2368.0902)
Desktop Dialer
Destinations (Version: 82.0.173.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 8.1.0.0)
DocProcQFolder (Version: 1.00.0000)
DVD MovieFactory for TOSHIBA (Version: 5.3)
Elements 9 Organizer (Version: 9.0)
Elements STI Installer (Version: 1.0)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 82.0.188.000)
Feedback Tool (Version: 1.2.0)
Field Technology Contact System
Field Technology Illustration System (Version: 2008.2)
FTIS 2008.2.1 Update
Google Chrome (Version: 23.0.1271.97)
Google Desktop (Version: -)
HP Customer Participation Program 8.0 (Version: 8.0)
HP Imaging Device Functions 8.0 (Version: 8.0)
HP OCR Software 8.0 (Version: 8.0)
HP Photosmart Essential (Version: 1.12.0.46)
HP Photosmart.All-In-One Driver Software 8.0 .A (Version: 8.0)
HP Product Assistant (Version: 100.000.001.000)
HP Solution Center 8.0 (Version: 8.0)
HP Update (Version: 5.003.001.001)
HPDiagnosticAlert (Version: 1.00.0000)
HPProductAssistant (Version: 82.0.173.000)
HPSSupply (Version: 2.1.3.0000)
iCloud (Version: 1.1.0.40)
Intel® Graphics Media Accelerator Driver
InterVideo AVControlSDK
iTunes (Version: 10.7.0.21)
J2SE Runtime Environment 5.0 Update 9 (Version: 1.5.0.90)
Java Auto Updater (Version: 2.0.2.1)
Java™ 6 Update 20 (Version: 6.0.200)
Java™ SE Runtime Environment 6 (Version: 1.6.0.0)
Lexmark 5300 Series
Lexmark Printable Web (Version: 1.0.0.0)
Lexmark S300-S400 Series
Malwarebytes Anti-Malware version 1.65.1.1000 (Version: 1.65.1.1000)
MarketResearch (Version: 82.0.174.000)
MediaWidget 6.0
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Works (Version: 08.05.0818)
Microsoft XML Parser (Version: 8.20.8730.4)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Mozilla Firefox 10.0.2 (x86 en-US) (Version: 10.0.2)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
Napster Burn Engine (Version: 3.5.0000)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
OpenOffice.org 3.2 (Version: 3.2.9502)
Picasa 2 (Version: 2.0)
POWERPREP II (Version: 1.00.0000)
QuickTime (Version: 7.66.71.0)
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista (Version: 1.00.0000)
Rhapsody Player Engine (Version: 1.0.690)
Scan (Version: 8.1.0.0)
Segoe UI (Version: 15.4.2271.0615)
SkyCaddie Desktop
SolutionCenter (Version: 82.0.188.000)
SoundMAX (Version: 6.10.1.6140)
Status (Version: 82.0.173.000)
Synaptics Pointing Device Driver (Version: 9.1.23.11)
TK8 StickyNotes 3.2
Toolbox (Version: 82.0.173.000)
TOSHIBA Assist (Version: 2.00.03)
TOSHIBA ConfigFree (Version: 7.00.28)
TOSHIBA Disc Creator (Version: 2.0.0.7a)
TOSHIBA DVD PLAYER (Version: 1.00.21)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Music (Version: 1.00.1)
Toshiba Registration (Version: 1.00.0000)
TOSHIBA Software Modem (Version: 2.1.77 (SM2177ALD03))
TOSHIBA Software Upgrades (Version: 4.2)
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TrayApp (Version: 82.0.188.000)
UnloadSupport (Version: 1.00.0000)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
WebReg (Version: 82.0.173.000)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3502.0922)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.3374)
WinZip (Version: 11.0 (7313))
XSL Formatter V4.1

========================= Devices: ================================


**** End of log ****

Edited by Farbar, 28 December 2012 - 10:29 AM.
Opened the logs.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:26 PM

Posted 28 December 2012 - 10:39 AM

Yes, some Windows services are damaged.

  • Please download ServicesRepair and save it to your desktop.

    • Double-click ServicesRepair.exe.
    • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    You may download both x32 and x64 versions of Java from http://www.java.com/en/download/manual.jsp

    Uninstall the following older Java:

    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update 20
    Java™ SE Runtime Environment 6


    Then install the downloaded Java versions.
  • Also please post a fresh Farbar Service Scanner log.


#11 kjpoehler

kjpoehler
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:26 AM

Posted 28 December 2012 - 12:34 PM

I downloaded the 32-bit version of Java- is it imperative to download the 64-bit also?

Here is the FSS log-

Farbar Service Scanner Version: 23-12-2012
Ran by Ryan (administrator) on 28-12-2012 at 11:26:46
Running from "C:\Users\Ryan\Desktop"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:26 PM

Posted 28 December 2012 - 01:52 PM

My bad, indeed no need to download the 64-bit version.

The services are restored and everything looks good. :thumbup2:

  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar or any other program uncheck the box next to it.
    • Run CCleaner. Under Application tab all the boxes should be checked except any option to remove saved passwords.
    • Click Run Cleaner.
    • Close CCleaner.
  • Please delete FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • You may delete any tool or log we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll-back" to a clean working state if needed:
    • Go to Start => Right-click "Computer" and select "Properties".
    • In the left pane select "System Protection".
    • Press "Configure".
    • Select "Delete". Then press "Continue" close and "OK".
    • Select your drive (drive C) and press "Create".
      Fill in a name for the restore point and press "Create".
      After finished press "Close".
Happy Surfing. :)

#13 kjpoehler

kjpoehler
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:26 AM

Posted 28 December 2012 - 04:51 PM

Super! Thank you for all your help, I appreciate it!

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:26 PM

Posted 28 December 2012 - 06:17 PM

You are most welcome. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



