Can no longer apply microsoft updates


This topic is locked
36 replies to this topic

#1 Jeff N (Members)

Posted 18 January 2013 - 11:42 AM

I was applying Microsoft updates and got the message "Updates were not configured correctly. Reverting changes." I rebooted the machine and now I cannot even download the updates. The Windows Update service will not start; it just stays in the status of Starting. The machine seems to be awfully slow now. This is a Toshiba Satellite L355 with Windows Home Basic SP2. I downloaded dss.com and tried to run it but get a popup box stating "A device attached to the system is not functioning".


#2 CatByte (Malware Response Team)

Posted 20 January 2013 - 08:37 AM

Please run the following:

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    DRIVES
    CREATERESTOREPOINT
    BASESERVICES
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


NEXT


Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Jeff N (Topic Starter)

Posted 21 January 2013 - 07:25 PM

Cannot run OTL.exe; I get a pop-up error box saying "A device attached to the system is not functioning". The same error occurs trying to run aswMBR.exe. I have attached the error (attached file: OTL_Error.jpg, 12.52 KB).

#4 CatByte (Malware Response Team)

Posted 21 January 2013 - 07:27 PM

What operating system is this?


#5 Jeff N (Topic Starter)

Posted 21 January 2013 - 07:35 PM

Vista Home Basic Service Pack 2

#6 CatByte (Malware Response Team)

Posted 21 January 2013 - 07:36 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press the Scan button.
  • Type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.


#7 Jeff N (Topic Starter)

Posted 21 January 2013 - 08:02 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-01-2013 02
Ran by SYSTEM at 21-01-2013 19:58:20
Running from F:\
Windows Vista ™ Home Basic Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [505720 2008-06-02] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-05-09] (TOSHIBA Corporation)
HKLM\...\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [cfFncEnabler.exe] cfFncEnabler.exe [x]
HKLM\...\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2009-11-11] (Google)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115560 2009-10-01] (Symantec Corporation)
HKLM\...\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXRCV] "C:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe" [495616 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe" [856064 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [EaseUs Watch] "C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe" [70728 2012-08-03] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM\...\Run: [EaseUs Tray] "C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe" [751176 2012-08-07] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\colleen\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\colleen\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-07-23] (Google Inc.)
HKU\colleen\...\Run: [HLBackupScheduler] C:\Program Files\Backup Assistant Plus\V CAST Backup Scheduler.exe [x]
HKU\colleen\...\Run: [Google Update] "C:\Users\colleen\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-09-13] (Google Inc.)
HKU\colleen\...\Run: [Akamai NetSession Interface] "C:\Users\colleen\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)
HKU\colleen\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\colleen\...\Run: [EPLTarget\P0000000000000000] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_TATIHSA.EXE /EPT "EPLTarget\P0000000000000000" /M "WorkForce 845" [219008 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\colleen\...\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59280 2012-08-29] (Apple Inc.)
HKU\colleen\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_278_ActiveX.exe -update activex [690096 2012-09-30] (Adobe Systems Incorporated)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
HKU\TEMP\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Startup: C:\Users\colleen\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\colleen\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()

==================== Services (Whitelisted) ===================

2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 ccEvtMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-10-01] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-10-01] (Symantec Corporation)
2 ConfigFree Service; "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" [40960 2008-04-16] (TOSHIBA CORPORATION)
2 EaseUS Agent; C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe [69192 2012-08-03] (CHENGDU YIWO Tech Development Co., Ltd)
2 EpsonCustomerParticipation; "C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe" [521600 2011-06-09] (SEIKO EPSON CORPORATION)
3 GameConsoleService; "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [246520 2010-03-23] (WildTangent, Inc.)
3 GoogleDesktopManager-110309-193829; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2009-11-11] (Google)
2 Guard Agent; C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe [23624 2012-08-03] (CHENGDU YIWO Tech Development Co., Ltd)
3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2009-07-13] (Symantec Corporation)
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 SmcService; "C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" [1864888 2009-10-01] (Symantec Corporation)
4 SNAC; "C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" [341320 2009-10-01] (Symantec Corporation)
2 Symantec AntiVirus; "C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [2477304 2009-10-01] (Symantec Corporation)
3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [54136 2011-02-11] (TOSHIBA Corporation)
2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [431456 2008-02-06] (TOSHIBA Corporation)
3 TOSHIBA SMART Log Service; "C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe" [126976 2007-12-03] (TOSHIBA Corporation)
2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 XAudioService; C:\Windows\System32\DRIVERS\ACFXAU32.exe [386560 2007-07-29] (Conexant Systems, Inc.)
2 Akamai; c:\program files\common files\akamai/netsession_win_ce5ba24.dll [x]

==================== Drivers (Whitelisted) ====================

3 acfva; C:\Windows\System32\DRIVERS\ACFVA32.sys [86656 2007-06-29] (Conexant Systems Inc.)
3 COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [23888 2009-10-01] (Symantec Corporation)
3 CXPLRCAP; C:\Windows\System32\drivers\CxPlrCap.sys [187776 2010-01-06] (Conexant Systems, Inc.)
3 dgcfltr; C:\Windows\System32\DRIVERS\ACFDCP32.sys [28928 2007-07-29] (Conexant Systems, Inc.)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)
3 EraserUtilDrv11220; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys [106656 2013-01-08] (Symantec Corporation)
0 EUBAKUP; C:\Windows\System32\drivers\eubakup.sys [50248 2012-08-03] (CHENGDU YIWO Tech Development Co., Ltd)
0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [41544 2012-08-20] ()
1 EUDSKACS; \??\C:\Windows\system32\drivers\eudskacs.sys [15944 2012-08-03] (CHENGDU YIWO Tech Development Co., Ltd)
1 EUFDDISK; \??\C:\Windows\system32\drivers\EuFdDisk.sys [185928 2012-08-03] (CHENGDU YIWO Tech Development Co., Ltd)
3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [9344 2009-04-17] (GARMIN Corp.)
2 mdmxsdk; C:\Windows\System32\DRIVERS\ACFSDK32.sys [12672 2007-03-15] (Conexant)
3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130120.018\NAVENG.SYS [93296 2013-01-17] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130120.018\NAVEX15.SYS [1603824 2013-01-17] (Symantec Corporation)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347648 2009-06-10] (Realtek Semiconductor Corporation )
1 RtlProt; C:\Windows\System32\DRIVERS\rtlprot.sys [25896 2007-04-23] (Windows ® Codename Longhorn DDK provider)
1 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2009-10-01] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [281648 2009-10-01] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320560 2009-10-01] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2009-10-01] (Symantec Corporation)
3 SVRPEDRV; \??\C:\Windows\System32\sysprep\PEDrv.sys [9216 2008-01-18] (Inventec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2009-10-20] (Symantec Corporation)
3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2011-02-13] (LG Electronics Inc.)
3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [20864 2011-02-13] (LG Electronics Inc.)
3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [25216 2011-02-13] (LG Electronics Inc.)
2 XAudio; C:\Windows\System32\DRIVERS\ACFXAU32.sys [8704 2007-07-29] (Conexant Systems, Inc.)
3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-14 19:01 - 2013-01-14 19:01 - 00135384 ____A C:\Windows\Minidump\Mini011413-01.dmp
2012-12-26 18:21 - 2012-12-26 18:21 - 00000000 __SHD C:\found.000
2012-12-22 11:30 - 2012-12-22 11:30 - 00000000 __SHD C:\$RECYCLE(1).BIN
2012-12-22 11:26 - 2012-12-22 11:26 - 00000000 ____D C:\xyzeee
2012-12-22 11:25 - 2012-12-22 11:25 - 00000000 ____D C:\Qoobox
2012-12-22 11:22 - 2012-12-22 11:26 - 00000000 ___SD C:\32788R22FWJFW
2012-12-22 11:22 - 2012-12-22 11:26 - 00000000 ____D C:\Windows\erdnt


==================== One Month Modified Files and Folders ========

2013-01-21 19:57 - 2013-01-21 19:57 - 00000000 ____D C:\FRST
2013-01-21 16:54 - 2006-11-02 04:58 - 00032606 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-21 16:53 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-21 16:53 - 2006-11-02 04:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-21 16:53 - 2006-11-02 04:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-21 16:18 - 2011-10-20 15:21 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-40586277-2690623058-818095912-1000Core.job
2013-01-21 16:18 - 2010-01-31 06:57 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-21 16:09 - 2011-10-20 15:21 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-40586277-2690623058-818095912-1000UA.job
2013-01-21 16:09 - 2010-05-26 17:25 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-21 16:08 - 2012-10-24 17:11 - 00000000 ____D C:\Users\colleen\AppData\Local\50CE3480-1222-4418-9FD5-7637EC004E35.aplzod
2013-01-18 15:56 - 2009-08-16 13:48 - 00002633 ____A C:\Users\colleen\Desktop\Microsoft Office Outlook 2007.lnk
2013-01-15 17:34 - 2009-08-15 20:47 - 00000000 ____D C:\Users\colleen\AppData\Local\Google
2013-01-15 01:13 - 2011-10-20 15:22 - 00002063 ____A C:\Users\colleen\Desktop\Google Chrome.lnk
2013-01-14 23:02 - 2009-07-30 16:33 - 01594585 ____A C:\Windows\WindowsUpdate.log
2013-01-14 22:53 - 2006-11-02 02:33 - 00721764 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-14 21:43 - 2011-11-09 16:09 - 00000000 ____D C:\Users\colleen\AppData\Local\Akamai
2013-01-14 21:43 - 2009-10-25 16:08 - 00000000 ___SD C:\Users\colleen\Documents\My Data Sources
2013-01-14 21:43 - 2009-08-16 13:36 - 00000000 ____D C:\Users\colleen\AppData\Local\Microsoft Help
2013-01-14 21:43 - 2006-11-02 03:18 - 00000000 __RSD C:\Windows\Media
2013-01-14 21:43 - 2006-11-02 03:18 - 00000000 ___RD C:\users\Public
2013-01-14 21:43 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2013-01-14 21:43 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-01-14 21:43 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2013-01-14 21:43 - 2006-11-02 02:22 - 61079552 ____A C:\Windows\System32\config\software_previous
2013-01-14 21:43 - 2006-11-02 02:22 - 19136512 ____A C:\Windows\System32\config\system_previous
2013-01-14 21:42 - 2012-03-04 07:01 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-01-14 21:42 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2013-01-14 21:33 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\LogFiles
2013-01-14 21:33 - 2006-11-02 02:22 - 36438016 ____A C:\Windows\System32\config\components_previous
2013-01-14 21:33 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-01-14 19:02 - 2009-08-18 04:14 - 00000000 ____D C:\Program Files\Common Files\Akamai
2013-01-14 19:01 - 2013-01-14 19:01 - 00135384 ____A C:\Windows\Minidump\Mini011413-01.dmp
2013-01-14 19:01 - 2010-03-18 18:34 - 00000000 ____D C:\Windows\Minidump
2013-01-14 19:01 - 2010-03-18 18:33 - 224989391 ____A C:\Windows\MEMORY.DMP
2013-01-11 11:52 - 2006-11-02 02:22 - 05242880 ____A C:\Windows\System32\config\default_previous
2013-01-11 11:52 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-01-11 11:46 - 2008-01-20 19:02 - 00129084 ____A C:\Windows\PFRO.log
2013-01-07 16:07 - 2012-11-20 16:33 - 00010944 ____N C:\Users\colleen\Documents\DataVault.dat
2013-01-07 16:07 - 2012-11-20 16:32 - 00000000 ____D C:\Users\colleen\Documents\Automatic backups
2013-01-06 08:32 - 2008-09-30 11:54 - 00000000 ____D C:\Users\All Users\Adobe
2012-12-26 18:21 - 2012-12-26 18:21 - 00000000 __SHD C:\found.000
2012-12-22 11:30 - 2012-12-22 11:30 - 00000000 __SHD C:\$RECYCLE(1).BIN
2012-12-22 11:26 - 2012-12-22 11:26 - 00000000 ____D C:\xyzeee
2012-12-22 11:26 - 2012-12-22 11:22 - 00000000 ___SD C:\32788R22FWJFW
2012-12-22 11:26 - 2012-12-22 11:22 - 00000000 ____D C:\Windows\erdnt
2012-12-22 11:25 - 2012-12-22 11:25 - 00000000 ____D C:\Qoobox


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-13 09:16:15
Restore point made on: 2012-11-14 21:00:14
Restore point made on: 2012-11-14 21:03:15
Restore point made on: 2012-11-15 00:00:34
Restore point made on: 2012-11-15 21:00:14
Restore point made on: 2012-11-15 21:03:03
Restore point made on: 2012-11-18 09:55:32
Restore point made on: 2012-11-20 02:31:28
Restore point made on: 2012-11-20 21:00:13
Restore point made on: 2012-11-20 21:03:16
Restore point made on: 2012-11-30 10:25:07
Restore point made on: 2012-12-01 14:35:23
Restore point made on: 2012-12-01 14:38:28
Restore point made on: 2012-12-03 21:04:28
Restore point made on: 2012-12-04 10:54:56
Restore point made on: 2012-12-05 21:00:14
Restore point made on: 2012-12-05 21:03:05
Restore point made on: 2012-12-07 19:18:09
Restore point made on: 2012-12-08 21:00:09
Restore point made on: 2012-12-08 21:03:03
Restore point made on: 2012-12-11 04:34:08
Restore point made on: 2012-12-17 21:00:26
Restore point made on: 2012-12-24 21:01:21

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 2939.26 MB
Available physical RAM: 2529.12 MB
Total Pagefile: 2734.82 MB
Available Pagefile: 2596.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1967.56 MB

==================== Partitions =============================

1 Drive c: (SQ004981V02) (Fixed) (Total:224.2 GB) (Free:122.55 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
4 Drive f: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 Online 250 MB 0 B

Partitions of Disk 0:
===============

Disk ID: D3D93FCE

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 224 GB 1501 MB
Partition 3 Primary 7389 MB 226 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004981V02 NTFS Partition 224 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Disk ID: 8EFD40D4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 250 MB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT Removable 250 MB Healthy

=========================================================

Last Boot: 2013-01-15 19:18

==================== End Of Log ============================
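
The "Type : 17 (Suspicious Type)" line in the FRST partition listing above is a check a practitioner can reproduce from the raw first sector of the disk: the MBR partition table records each entry's active flag, type byte, starting LBA and sector count, and a hidden-type partition with no volume mapped to it is exactly what stands out. The following Python is an added example, not code from this thread, from FRST or from any tool named here. It assembles a constructed 512-byte MBR whose three entries approximate the Disk 0 layout printed in the log (the disk signature, sizes and offsets are rounded from the printed figures, not read from the machine), parses it, and applies the heuristic FRST's output implies: a hidden-type partition other than the OEM recovery type 0x27 is reported for review, along with duplicate active flags, overlapping entries and unpartitioned space past the last entry. Treating 0x27 as the only expected hidden type is an assumption of this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MBR_SIZE = 512
DISK_ID_OFFSET = 440      # 4-byte NT disk signature ("Disk ID" in the FRST output)
TABLE_OFFSET = 446        # four 16-byte partition entries follow the boot code
ENTRY_SIZE = 16
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
SECTORS_PER_MB = 2048     # 512-byte sectors

PARTITION_TYPES = {
    0x06: "FAT16", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x16: "hidden FAT16", 0x17: "hidden NTFS", 0x1B: "hidden FAT32",
    0x1C: "hidden FAT32 LBA", 0x27: "hidden NTFS (Windows RE / OEM recovery)",
}
# Type bytes that hide a filesystem from the running OS: legitimate for OEM
# recovery volumes, but also a place a bootkit can keep its own volume.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}
# Assumption of this example: the only hidden partition an OEM laptop is
# expected to carry is its recovery volume, which uses type 0x27.
EXPECTED_HIDDEN_TYPES = {0x27}


@dataclass
class Partition:
    index: int        # 1-based slot in the table
    active: bool      # status byte 0x80 (bootable flag)
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1

    @property
    def size_mb(self) -> int:
        return self.sectors // SECTORS_PER_MB

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, "unknown")

    @property
    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES


def parse_mbr(mbr: bytes) -> Tuple[int, List[Partition]]:
    """Return (disk signature, populated partition entries) from a raw sector 0."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing; not an MBR")
    disk_id = struct.unpack_from("<I", mbr, DISK_ID_OFFSET)[0]
    parts: List[Partition] = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if type_id == 0 and count == 0:
            continue  # empty slot
        parts.append(Partition(i + 1, status == 0x80, type_id, start, count))
    return disk_id, parts


def audit(parts: List[Partition], disk_sectors: Optional[int] = None) -> List[str]:
    """Flag table entries worth a closer look, in the spirit of FRST's 'Suspicious Type'."""
    findings: List[str] = []
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} entries carry the active flag; expected exactly one")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start <= a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    for p in parts:
        if p.hidden and p.type_id not in EXPECTED_HIDDEN_TYPES:
            findings.append(
                f"partition {p.index}: hidden type 0x{p.type_id:02X} ({p.type_name}), "
                f"{p.size_mb} MB at LBA {p.lba_start}; not an OEM recovery type, inspect it")
    if disk_sectors is not None and ordered:
        tail = disk_sectors - ordered[-1].lba_end - 1
        if tail > SECTORS_PER_MB:  # more than 1 MB of unpartitioned space at the end
            findings.append(f"{tail // SECTORS_PER_MB} MB unpartitioned after the last entry")
    return findings


def build_mbr(disk_id: int, entries) -> bytes:
    """Assemble a sector 0 from (active, type, lba_start, sectors) tuples."""
    buf = bytearray(MBR_SIZE)
    struct.pack_into("<I", buf, DISK_ID_OFFSET, disk_id)
    for i, (active, type_id, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if active else 0x00, type_id, start, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


# Constructed sector 0 approximating Disk 0 in the log: 1500 MB hidden OEM
# recovery volume, 224 GB active NTFS system volume, 7389 MB hidden type 0x17
# partition at the tail. Sizes and offsets are rounded from the printed values.
GB = 1024 * SECTORS_PER_MB
SAMPLE_MBR = build_mbr(0xD3D93FCE, [
    (False, 0x27, 2048, 1500 * SECTORS_PER_MB),
    (True, 0x07, 1501 * SECTORS_PER_MB, 224 * GB),
    (False, 0x17, 226 * GB, 7389 * SECTORS_PER_MB),
])
SAMPLE_DISK_SECTORS = 226 * GB + 7389 * SECTORS_PER_MB  # table fills the disk exactly


def sample_findings() -> List[str]:
    _, parts = parse_mbr(SAMPLE_MBR)
    return audit(parts, SAMPLE_DISK_SECTORS)


if __name__ == "__main__":
    disk_id, parts = parse_mbr(SAMPLE_MBR)
    print(f"Disk ID: {disk_id:08X}")
    for p in parts:
        print(f"  {p.index} {'active' if p.active else '      '} type 0x{p.type_id:02X} "
              f"{p.type_name:<40} LBA {p.lba_start:>10} {p.size_mb:>7} MB")
    for f in sample_findings():
        print("ATTENTION:", f)
```

On a real machine the 512 bytes would be read from `\\.\PhysicalDrive0` (Windows, elevated) or `/dev/sda` (Linux) instead of `SAMPLE_MBR`; an MBR parser on its own says nothing about the boot code in the first 440 bytes, which a bootkit also replaces, so the table check complements rather than replaces a tool that compares the boot code against a known-good copy.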

#8 CatByte (Malware Response Team)

Posted 21 January 2013 - 08:39 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
TDL4: custom:26000022
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


#9 Jeff N (Topic Starter)

Posted 21 January 2013 - 09:17 PM

Below is the Fixlog.txt. I tried to run ComboFix and got the popup box message "A device attached to the system is not functioning".


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-01-2013 02
Ran by SYSTEM at 2013-01-21 21:06:07 Run:1
Running from F:\

==============================================


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

#10 CatByte (Malware Response Team)

Posted 21 January 2013 - 09:20 PM

Are you able to boot into safe mode?

If so, try running ComboFix in safe mode.


#11 Jeff N (Topic Starter)

Posted 21 January 2013 - 10:18 PM

I was able to run ComboFix in safe mode. When I tried to reboot, the system said it could not start and asked if I wanted to do a startup repair. So I did a startup repair but did not do a restore from a prior restore point. The repair said it could not repair, but when I started the machine up again it started. Here is the log from ComboFix.


ComboFix 13-01-21.04 - colleen 01/21/2013 21:39:17.1.1 - x86 MINIMAL
Running from: c:\users\colleen\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\TotalRecipeSearch_14EI
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
.
.
((((((((((((((((((((((((( Files Created from 2012-12-22 to 2013-01-22 )))))))))))))))))))))))))))))))
.
.
2013-01-22 03:57 . 2013-01-22 03:57 -------- d-----w- C:\FRST
2013-01-22 02:46 . 2013-01-22 02:47 -------- d-----w- c:\users\colleen\AppData\Local\temp
2013-01-22 02:46 . 2013-01-22 02:46 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2013-01-22 02:46 . 2013-01-22 02:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-15 03:03 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AF9CF592-E3BC-4763-9A79-895767A6B71B}\mpengine.dll
2012-12-27 02:21 . 2012-12-27 02:21 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-23 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Akamai NetSession Interface"="c:\users\colleen\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHSA.EXE" [2011-04-24 219008]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-08-29 59280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-12 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-01 115560]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"FUFAXRCV"="c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2012-08-04 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2012-08-07 751176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OneNote Table Of Contents.onetoc2 [2009-8-17 3656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
R3 acfva;acfva;c:\windows\system32\DRIVERS\ACFVA32.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 14:56]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 14:56]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-40586277-2690623058-818095912-1000Core.job
- c:\users\colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-20 11:13]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-40586277-2690623058-818095912-1000UA.job
- c:\users\colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-20 11:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Save to DataVault - file://c:\program files\DataVault/iemenuext.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKCU-Run-HLBackupScheduler - c:\program files\Backup Assistant Plus\V CAST Backup Scheduler.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-21 21:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\colleen\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2013-01-21 21:50:39
ComboFix-quarantined-files.txt 2013-01-22 02:50
.
Pre-Run: 135,259,701,248 bytes free
Post-Run: 135,545,892,864 bytes free
.
- - End Of File - - 95229F8554E69BE9D701F2330151D0D5
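The ComboFix log above is long, and the parts an analyst reads first are the Run keys, AppInit_DLLs, the Security Center override flags, drivers ComboFix tagged [x], and the Internet Settings proxy lines (the ProxyOverride entry is the one the next reply's CFScript targets). The following Python script is an added example written for this thread, not ComboFix code and not something either poster supplied: it parses those parts of a log and flags the usual suspects, namely autoruns that launch from a user-writable profile path, autoruns whose image could not be resolved (a bare file name or the [BU] marker), any AppInit_DLLs value, Security Center monitoring switched off, and proxy settings. SAMPLE_LOG is a constructed excerpt patterned on the log in this thread; reading [x] as "file not present on disk" is an assumption about ComboFix's notation.

```python
"""Triage the 'Reg Loading Points' and 'Supplementary Scan' parts of a ComboFix log.

Added example for this thread; not ComboFix code and not posted by the
participants. SAMPLE_LOG is a constructed excerpt patterned on the thread's log.
"""
import re

SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-23 39408]
"Akamai NetSession Interface"="c:\users\colleen\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"NDSTray.exe"="NDSTray.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
R3 acfva;acfva;c:\windows\system32\DRIVERS\ACFVA32.sys [x]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
TCP: DhcpNameServer = 192.168.1.1
"""

SECTION_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "name"="image" [date size]  or  "name"="image" [BU]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')
NAMED_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
# R3 name;display;path [x]   ([x] assumed to mean the file is not on disk)
DRIVER_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[x\]$')
PROXY_RE = re.compile(r'^[um]Internet Settings,(Proxy\w+)\s*=\s*(.+)$')
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\programdata\\', '\\temp\\')


def parse_combofix(text):
    """Collect the loading points of interest, keyed by category."""
    out = {'run': [], 'appinit_dlls': [], 'overrides': [], 'missing_drivers': [], 'proxy': []}
    section = ''
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if (m := DRIVER_RE.match(line)):
            out['missing_drivers'].append((m.group(1), m.group(2)))
        elif (m := PROXY_RE.match(line)):
            out['proxy'].append((m.group(1), m.group(2)))
        elif section.endswith('\\run') and (m := RUN_VALUE_RE.match(line)):
            out['run'].append({'hive': section, 'name': m.group(1),
                               'image': m.group(2), 'meta': m.group(3) or ''})
        elif section.endswith('\\windows nt\\currentversion\\windows') and (m := NAMED_VALUE_RE.match(line)):
            if m.group(1).lower() == 'appinit_dlls' and m.group(2).strip():
                out['appinit_dlls'].append(m.group(2).strip())
        elif 'security center' in section and (m := NAMED_VALUE_RE.match(line)):
            if m.group(2).strip().lower() == 'dword:00000001':
                out['overrides'].append(m.group(1))
    return out


def triage(parsed):
    """Return (kind, name, detail) tuples for the entries worth a second look."""
    findings = []
    for e in parsed['run']:
        image = e['image'].lower()
        if e['meta'] == 'BU' or '\\' not in image:
            findings.append(('unresolved-image', e['name'], e['image']))
        elif any(tok in image for tok in USER_WRITABLE):
            findings.append(('user-writable-path', e['name'], e['image']))
    findings += [('appinit-dll', 'AppInit_DLLs', d) for d in parsed['appinit_dlls']]
    findings += [('security-center-override', n, 'dword:00000001') for n in parsed['overrides']]
    findings += [('driver-file-missing', n, p) for n, p in parsed['missing_drivers']]
    findings += [('proxy-setting', n, v) for n, v in parsed['proxy']]
    return findings


if __name__ == '__main__':
    for kind, name, detail in triage(parse_combofix(SAMPLE_LOG)):
        print(f'{kind:26} {name:28} {detail}')
```

Run against the excerpt it prints nine findings: the Akamai autorun under the user's profile, the two unresolved images, the AppInit_DLLs value, the three Security Center overrides, the [x] driver and the ProxyOverride line. A finding is a pointer for the analyst, not a verdict; the Akamai and Google entries in this thread are legitimate software in unusual locations.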

#12 CatByte, bleepin' tiger (Malware Response Team, Canada, 14,664 posts)

Posted 22 January 2013 - 06:35 PM

Well, it looks like we are making a little bit of headway.

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Jeff N, Topic Starter (Members, 19 posts)

Posted 22 January 2013 - 08:37 PM

Had to run in Safe Mode because I was still getting "A device attached to the system is not functioning". Also had to try 3 times to get ComboFix to run. It would do the backup and then extract files and just end. After the 3rd try it finally ran.

ComboFix 13-01-22.01 - colleen 01/22/2013 19:59:52.1.1 - x86 NETWORK
Running from: c:\users\colleen\Desktop\ComboFix.exe
Command switches used :: c:\users\colleen\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-12-23 to 2013-01-23 )))))))))))))))))))))))))))))))
.
.
2013-01-23 01:08 . 2013-01-23 01:08 -------- d-----w- c:\users\colleen\AppData\Local\temp
2013-01-23 01:08 . 2013-01-23 01:08 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2013-01-23 01:08 . 2013-01-23 01:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-22 03:57 . 2013-01-22 03:57 -------- d-----w- C:\FRST
2013-01-15 03:03 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AF9CF592-E3BC-4763-9A79-895767A6B71B}\mpengine.dll
2012-12-27 02:21 . 2012-12-27 02:21 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-23 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Akamai NetSession Interface"="c:\users\colleen\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHSA.EXE" [2011-04-24 219008]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-08-29 59280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-12 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-01 115560]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"FUFAXRCV"="c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2012-08-04 70728]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2012-08-07 751176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\colleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OneNote Table Of Contents.onetoc2 [2009-8-17 3656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
R3 acfva;acfva;c:\windows\system32\DRIVERS\ACFVA32.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 14:56]
.
2013-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 14:56]
.
2013-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-40586277-2690623058-818095912-1000Core.job
- c:\users\colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-20 11:13]
.
2013-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-40586277-2690623058-818095912-1000UA.job
- c:\users\colleen\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-20 11:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Save to DataVault - file://c:\program files\DataVault/iemenuext.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-22 20:08
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2013-01-22 20:11:48
ComboFix-quarantined-files.txt 2013-01-23 01:11
ComboFix2.txt 2013-01-22 02:50
.
Pre-Run: 135,953,158,144 bytes free
Post-Run: 135,901,552,640 bytes free
.
- - End Of File - - 637735BC58B07BAD6AC927358921EC4F

First RogueKiller file
RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : colleen [Admin rights]
Mode : Scan -- Date : 01/22/2013 20:24:16

Bad processes : 0

Registry Entries : 3
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [NOT LOADED]

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7c11ab4aaf4bfb91f313e8ddbec3eaf7
[BSP] 2857e76fbbd288da18431967399ed734 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 229585 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473264128 | Size: 7389 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 39489359c62de1be5f3d9e3137dde5d7
[BSP] 2857e76fbbd288da18431967399ed734 : Windows Vista MBR Code
Partition table:
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 229585 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473264128 | Size: 7389 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 39489359c62de1be5f3d9e3137dde5d7
[BSP] 2857e76fbbd288da18431967399ed734 : Windows Vista MBR Code
Partition table:
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 229585 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473264128 | Size: 7389 Mo

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 2d29ceb50ea164750364e6b95039f66b
[BSP] 30519f6eee579cbe539fbefbaeb69009 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 249 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_01222013_02d2024.txt >>
RKreport[1]_S_01222013_02d2024.txt



Second RogueKiller file

RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : colleen [Admin rights]
Mode : Remove -- Date : 01/22/2013 20:25:00

Bad processes : 0

Registry Entries : 3
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [NOT LOADED]

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7c11ab4aaf4bfb91f313e8ddbec3eaf7
[BSP] 2857e76fbbd288da18431967399ed734 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 229585 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473264128 | Size: 7389 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 39489359c62de1be5f3d9e3137dde5d7
[BSP] 2857e76fbbd288da18431967399ed734 : Windows Vista MBR Code
Partition table:
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 229585 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473264128 | Size: 7389 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 39489359c62de1be5f3d9e3137dde5d7
[BSP] 2857e76fbbd288da18431967399ed734 : Windows Vista MBR Code
Partition table:
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 229585 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473264128 | Size: 7389 Mo

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 2d29ceb50ea164750364e6b95039f66b
[BSP] 30519f6eee579cbe539fbefbaeb69009 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 249 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_01222013_02d2025.txt >>
RKreport[1]_S_01222013_02d2024.txt ; RKreport[2]_D_01222013_02d2025.txt



Third RogueKiller file

RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : colleen [Admin rights]
Mode : Shortcuts HJfix -- Date : 01/22/2013 20:25:17

Bad processes : 0

Driver : [NOT LOADED]

File attributes restored:
Desktop: Success 1 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 18 / Fail 0
Start menu: Success 11 / Fail 0
User folder: Success 123 / Fail 0
My documents: Success 9 / Fail 9
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 75 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 97 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[Y:] \Device\LanmanRedirector\;Y:0000000000016719\READYSHARE\USB_Storage\Colleen -- 0x4 --> Skipped
[Z:] \Device\LanmanRedirector\;Z:0000000000016719\EPSONBABCB9\MEMORYCARD -- 0x4 --> Skipped

Finished : << RKreport[3]_SC_01222013_02d2025.txt >>
RKreport[1]_S_01222013_02d2024.txt ; RKreport[2]_D_01222013_02d2025.txt ; RKreport[3]_SC_01222013_02d2025.txt
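The RogueKiller reports above print an [MBR] hash of the whole first sector and a [BSP] hash of the boot-strap code, then compare the sector obtained through the normal Windows API ("User") with reads taken by lower-level paths ("LL1", "LL2"); "User != LL1 ... KO!" with identical [BSP] values means the two reads agree on the boot code and differ elsewhere in the sector. The script below is an added example written for this thread, not RogueKiller's code: it builds MBR sectors from the documented classic layout (bytes 0-439 boot code, 440-443 disk signature, 444-445 reserved, 446-509 four 16-byte partition entries, 510-511 the 0x55AA signature), decodes the partition table, computes both hashes, and reports which region two reads disagree in. The partition entries use the offsets and sizes printed in the report above (each "Mo" value equals sector count divided by 2048); the boot code and disk signatures are constructed, the two reads are made to differ only in the disk signature for illustration, and treating [BSP] as a hash of bytes 0-439 is an assumption. What actually differed on the poster's disk is not shown in the thread.

```python
"""Reproduce the idea behind RogueKiller's 'MBR Check' on constructed sectors.

Added example for this thread; not RogueKiller's code. The partition
entries match the offsets and sizes in the thread's report; boot code and
disk signatures are constructed. That [BSP] hashes bytes 0-439 is assumed.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440
PART_TABLE_OFF = 446
ENTRY_LEN = 16

# (bootable, type, first LBA, sector count); RogueKiller's "Mo" = count // 2048,
# e.g. 1500 Mo = 3072000 sectors, and 2048 + 3072000 = 3074048, the next offset.
PARTITIONS = [
    (False, 0x27, 2048, 3072000),
    (True, 0x07, 3074048, 470190080),
    (False, 0x17, 473264128, 15132672),
]
# Constructed boot code: a few real-looking opcodes padded with NOPs.
BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b'\x90' * (BOOTCODE_LEN - 5)


def build_mbr(bootcode, disk_signature, partitions):
    """Assemble a 512-byte MBR from boot code, disk signature and partition list."""
    mbr = bytearray(SECTOR)
    mbr[:BOOTCODE_LEN] = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b'\x00')
    struct.pack_into('<I', mbr, 440, disk_signature)
    for i, (bootable, ptype, start, count) in enumerate(partitions[:4]):
        # CHS fields carry the 0xFE/0xFF/0xFF "use the LBA fields" marker
        struct.pack_into('<B3sB3sII', mbr, PART_TABLE_OFF + i * ENTRY_LEN,
                         0x80 if bootable else 0x00, b'\xfe\xff\xff', ptype,
                         b'\xfe\xff\xff', start, count)
    mbr[510:512] = b'\x55\xaa'
    return bytes(mbr)


def parse_partitions(mbr):
    """Decode the four partition entries; empty (type 0) slots are skipped."""
    if len(mbr) != SECTOR or mbr[510:512] != b'\x55\xaa':
        raise ValueError('not an MBR sector')
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            '<B3xB3xII', mbr, PART_TABLE_OFF + i * ENTRY_LEN)
        if ptype == 0:
            continue
        entries.append({'slot': i, 'active': status == 0x80, 'type': ptype,
                        'start': start, 'size_mib': count // 2048})
    return entries


def hashes(mbr):
    """[MBR] = whole sector, [BSP] = boot-strap code only (assumed bytes 0-439)."""
    return {'MBR': hashlib.md5(mbr).hexdigest(),
            'BSP': hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest()}


def region(offset):
    if offset < 440:
        return 'boot-code'
    if offset < 444:
        return 'disk-signature'
    if offset < 446:
        return 'reserved'
    if offset < 510:
        return 'partition-table'
    return 'signature'


def compare_reads(user, lowlevel):
    """Say whether two reads of one sector agree and, if not, in which regions."""
    differing = [i for i in range(SECTOR) if user[i] != lowlevel[i]]
    return {
        'bsp_equal': hashes(user)['BSP'] == hashes(lowlevel)['BSP'],
        'mbr_equal': not differing,
        'regions': sorted({region(i) for i in differing}),
        'same_partition_table': parse_partitions(user) == parse_partitions(lowlevel),
    }


# Two constructed reads of "the same" sector that differ only in the disk signature.
USER_READ = build_mbr(BOOT_CODE, 0x1A2B3C4D, PARTITIONS)
LL1_READ = build_mbr(BOOT_CODE, 0x5E6F7A8B, PARTITIONS)

if __name__ == '__main__':
    for name, read in (('User', USER_READ), ('LL1', LL1_READ)):
        h = hashes(read)
        print(f"--- {name} --- [MBR] {h['MBR']} [BSP] {h['BSP']}")
        for p in parse_partitions(read):
            flag = '[ACTIVE]' if p['active'] else '[XXXXXX]'
            print(f"{p['slot']} - {flag} type 0x{p['type']:02x} "
                  f"offset {p['start']} size {p['size_mib']} Mo")
    print(compare_reads(USER_READ, LL1_READ))
```

On the constructed pair the comparison reports bsp_equal True, mbr_equal False and regions ['disk-signature'], with the decoded partition tables identical; on a real disk the same three checks tell you whether a User/LL mismatch sits in the boot code (worth a closer look), in the partition table (compare the decoded entries) or only in the signature bytes.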

#14 CatByte, bleepin' tiger (Malware Response Team, Canada, 14,664 posts)

Posted 22 January 2013 - 08:54 PM

Please try the following in normal mode.

If the scans won't run in normal mode, then try them in safe mode (with networking).

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#15 Jeff N, Topic Starter (Members, 19 posts)

Posted 23 January 2013 - 07:33 AM

Could not run JRT or AdwCleaner in normal mode; again got "A device attached to the system is not functioning". Ran them in safe mode. When AdwCleaner rebooted, it rebooted into normal mode but did not generate a log.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.4.8 (01.21.2013:2)
OS: Windows Vista ™ Home Basic x86
Ran by colleen on Tue 01/22/2013 at 21:40:53.63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7}



~~~ Files

Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll
Successfully deleted: [File] "C:\Windows\couponprinter.ocx"



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files\coupons"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 01/22/2013 at 21:47:31.54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.23.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
colleen :: COLLEEN-PC [administrator]

1/22/2013 10:25:48 PM
mbam-log-2013-01-22 (22-25-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 301912
Time elapsed: 33 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESETSCAN.txt
C:\Users\colleen\Downloads\7zip_installer_d793193.exe probably a variant of Win32/InstallIQ application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F2IVNS6D\cell-unhappy[1].htm JS/Exploit.Agent.NEC.Gen trojan



