
Can not open my firewall in windows 7- virus suspected


  • This topic is locked
47 replies to this topic

#1 ronp08

ronp08

  • Members
  • 35 posts

Posted 25 May 2013 - 07:24 AM

I am unable to turn on my firewall in Windows 7. I have a post in the Windows 7 forum and was told to move to this forum. I am unable to run Microsoft Security Essentials. I also have Malwarebytes, which I ran and it detected 7 issues. I removed the issues but am still unable to open my firewall. I have tried all the suggestions posted on the other post in the Windows 7 forum with no success.

I have tried to download all of the virus, rootkit and all the repair programs with no success. I also tried to download the DDS download as suggested in the guidelines. All attempts to download result in the same message: "program contains a virus and was deleted". Could definitely use some help because I hate to be online with no firewall.

Thanks in advance for any assistance

ronp




#2 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 25 May 2013 - 12:22 PM

Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all log files as a reply rather than as an attachment unless I specifically ask you. If you can not post all log files in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • I am currently attending an evening school and working night shift only, which might be evening for you. In this time I am mostly online with my mobile devices and won't be able to reply.
Is this a 32- or 64-bit based Win7?
regards,
Daniel

Bread for the world instead Bombs and Bangers


I'll always help for free but if you want to support me in my fight against malware, please donate.

#3 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 25 May 2013 - 04:06 PM

Hi Daniel. First of all, thank you for the response. Right now I am not at my usual home and do not have access to another computer. I will be back home on Wed. I hope you will not close the thread before I can try your suggestions. Thanks again, ron

It is a 32-bit system.



#4 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 28 May 2013 - 08:22 AM

Hi Daniel. I will return home tomorrow. What is the first step that you would like me to perform? Should I download the DDS program to a flash drive, run it on my infected laptop and post the logs?



#5 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 28 May 2013 - 11:45 AM

Hi there.

You might be infected with a new version of the ZeroAccess trojan and it is a stubborn one :)


Download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log ( FRST.txt ) on the flash drive. Please copy and paste it to your reply.

regards,
Daniel


#6 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 28 May 2013 - 05:22 PM

Thank you Daniel. I'll be home tomorrow night and will try the steps you outlined and will report the results to you. Thanks, Ron



#7 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 30 May 2013 - 02:28 PM

Ok Daniel, finally able to do as requested. The following is the log produced by Farbar.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-05-2013
Ran by SYSTEM on 30-05-2013 15:20:43
Running from G:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet004
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install [1657448 2009-11-18] ()
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-05-15] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2013-04-30] (Apple Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKU\ron\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\ron\...\Run: [com.apple.dav.bookmarks.daemon] C:\Program Files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe [ 2013-04-05] (Apple Inc.)
HKU\ron\...\Run: [NVIDIASpace] rundll32.exe "C:\ProgramData\NVIDIASpace\cpuhelper.dll",#2 [x]
Startup: C:\Users\ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NirSoft BlueScreenView ()
Startup: C:\Users\ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NVIDIA GPU Helper.lnk
ShortcutTarget: NVIDIA GPU Helper.lnk -> C:\ProgramData\NVIDIASpace\cpuhelper.dll ()
BootExecute: ?"iolobtdfg C:\Windows\system32"autocheck smrgdf C:\Users\ron\AppData\Roaming\iolo\00000???VC:\Windows\C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE.bat????????????????????????????????????????iles\AVG Secure Search\UninstallRes\ClientPackage\US\???Shttp://download.iolo.net/updates/fileinfodb/3.0/subs/ioloFileInfoList_3.0.183.0.dllset??????????????????????????????????????????3-A7C3-63F660C9C78B" Name="Quattro" Locale="en">

========================== Services (Whitelisted) =================

S2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1072664 2013-05-21] (iolo technologies, LLC)
S4 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()

==================== Drivers (Whitelisted) ====================

S1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [26248 2012-08-02] (EldoS Corporation)
S3 guardian2; C:\Windows\System32\Drivers\oz776.sys [69664 2009-09-09] (O2Micro)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-08-02] (Raxco Software, Inc.)
S3 silabenm; C:\Windows\System32\DRIVERS\silabenm.sys [17920 2009-04-07] (Silicon Laboratories, Inc.)
S3 silabser; C:\Windows\System32\DRIVERS\silabser.sys [60544 2009-04-07] (Silicon Laboratories)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-30 15:20 - 2013-05-30 15:20 - 00000000 ____D C:\FRST
2013-05-29 20:28 - 2013-05-29 20:28 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-05-24 04:02 - 2012-08-02 07:21 - 00026248 ____A (EldoS Corporation) C:\Windows\System32\Drivers\ElRawDsk.sys
2013-05-23 20:24 - 2013-05-23 20:24 - 00000000 ____D C:\ProgramData\NVIDIASpace
2013-05-23 20:23 - 2013-05-23 20:23 - 00067584 ____A C:\Users\ron\javaw.dll
2013-05-23 18:10 - 2013-05-23 18:10 - 00000000 ____A C:\Windows\System32\0
2013-05-22 18:02 - 2013-05-22 18:02 - 00001822 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2013-05-22 18:00 - 2013-05-22 18:00 - 00001760 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-05-22 17:59 - 2013-05-22 18:00 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-05-15 20:41 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-15 20:41 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-15 20:41 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-15 20:40 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-15 20:40 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-15 20:40 - 2013-04-04 21:28 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-15 20:40 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-15 20:40 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-15 20:40 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-15 03:44 - 2013-04-09 21:18 - 00728424 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-15 03:44 - 2013-04-09 21:18 - 00218984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-15 03:44 - 2013-04-09 19:14 - 02347520 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-15 03:44 - 2013-03-18 20:53 - 00186368 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-05-15 03:44 - 2013-03-18 19:33 - 00040960 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-15 03:44 - 2013-02-26 21:05 - 00101720 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-15 03:44 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-15 03:44 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-15 03:44 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-15 03:44 - 2013-02-26 20:49 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00745472 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00523264 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00185344 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00138752 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00137216 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00125440 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00117248 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00082432 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00079872 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00038400 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-05-10 02:52 - 2013-05-10 02:52 - 01441280 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-10 02:52 - 2013-05-10 02:52 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-05-10 02:52 - 2013-05-10 02:52 - 00719360 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00629248 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00361984 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-05-10 02:52 - 2013-05-10 02:52 - 00357888 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00242200 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00232960 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00073728 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-05-10 02:52 - 2013-05-10 02:52 - 00069120 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00061952 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-05-10 02:52 - 2013-05-10 02:52 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00023040 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-05-10 02:50 - 2013-05-10 02:55 - 00008107 ____A C:\Windows\IE10_main.log
2013-04-30 23:59 - 2013-04-30 23:59 - 00094208 ____A (Apple Inc.) C:\Windows\System32\QuickTimeVR.qtx
2013-04-30 23:59 - 2013-04-30 23:59 - 00069632 ____A (Apple Inc.) C:\Windows\System32\QuickTime.qts

==================== One Month Modified Files and Folders ========

2013-05-30 15:20 - 2013-05-30 15:20 - 00000000 ____D C:\FRST
2013-05-30 11:17 - 2012-10-02 18:59 - 01531554 ____A C:\Windows\WindowsUpdate.log
2013-05-30 11:17 - 2009-07-13 20:34 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-30 11:17 - 2009-07-13 20:34 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-30 11:15 - 2013-03-26 17:31 - 00000000 ____D C:\Users\ron\AppData\Roaming\U3
2013-05-30 11:13 - 2012-10-02 17:45 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-30 11:12 - 2013-01-15 04:38 - 00000342 ____A C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job
2013-05-30 11:12 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-30 11:12 - 2009-07-13 20:39 - 00032872 ____A C:\Windows\setupact.log
2013-05-30 10:52 - 2012-10-02 17:45 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-30 10:23 - 2012-12-16 11:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-30 08:13 - 2012-10-02 16:27 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-29 20:36 - 2012-10-02 16:25 - 00000000 ____D C:\users\ron
2013-05-29 20:28 - 2013-05-29 20:28 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-05-28 14:35 - 2012-10-02 17:56 - 00316236 ____A C:\Windows\PFRO.log
2013-05-26 15:35 - 2009-07-13 20:34 - 00012288 ____A C:\Windows\System32\umstartup.etl
2013-05-26 15:32 - 2009-07-13 20:53 - 00029938 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-24 18:30 - 2009-07-13 20:34 - 00012288 ____A C:\Windows\System32\umstartup000.etl
2013-05-24 04:01 - 2012-10-02 18:50 - 00000000 ____D C:\ProgramData\iolo
2013-05-24 03:43 - 2012-10-02 18:54 - 00002172 ____A C:\Users\ron\Desktop\System Mechanic.lnk
2013-05-23 20:24 - 2013-05-23 20:24 - 00000000 ____D C:\ProgramData\NVIDIASpace
2013-05-23 20:23 - 2013-05-23 20:23 - 00067584 ____A C:\Users\ron\javaw.dll
2013-05-23 19:38 - 2012-10-07 09:39 - 00000000 ____D C:\Users\ron\AppData\Local\Windows Live
2013-05-23 19:38 - 2012-04-27 15:04 - 00000000 ____D C:\Program Files\Windows Live
2013-05-23 19:16 - 2012-10-07 09:33 - 00000000 ____D C:\Program Files\Common Files\Windows Live
2013-05-23 19:15 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2013-05-23 18:39 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-05-23 18:10 - 2013-05-23 18:10 - 00000000 ____A C:\Windows\System32\0
2013-05-23 07:33 - 2012-10-02 18:50 - 00000000 ____D C:\Users\ron\AppData\Roaming\iolo
2013-05-23 03:25 - 2012-10-02 19:18 - 00000000 ____D C:\Windows\System32\config\SM Registry Backup
2013-05-22 20:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-05-22 18:02 - 2013-05-22 18:02 - 00001822 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2013-05-22 18:02 - 2012-02-10 13:10 - 00000000 ____D C:\Program Files\QuickTime
2013-05-22 18:00 - 2013-05-22 18:00 - 00001760 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-05-22 18:00 - 2013-05-22 17:59 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-05-22 18:00 - 2012-03-29 05:23 - 00000000 ____D C:\Program Files\iTunes
2013-05-22 17:59 - 2012-10-02 19:38 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-05-22 17:59 - 2012-02-10 13:06 - 00000000 ____D C:\Program Files\iPod
2013-05-21 20:08 - 2012-10-02 18:54 - 00041616 ____A (iolo technologies, LLC) C:\Windows\System32\iolobtdfg.exe
2013-05-21 20:08 - 2012-10-02 18:54 - 00023568 ____A (iolo technologies, LLC) C:\Windows\System32\smrgdf.exe
2013-05-21 19:48 - 2012-10-02 18:54 - 02097472 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator32.dll
2013-05-19 23:22 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-05-16 04:48 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-05-16 04:12 - 2009-07-13 20:33 - 00294440 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-15 20:33 - 2012-10-05 04:23 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-15 04:23 - 2012-12-16 11:51 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-15 04:23 - 2012-12-16 11:51 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-05-15 03:33 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Branding
2013-05-10 02:55 - 2013-05-10 02:50 - 00008107 ____A C:\Windows\IE10_main.log
2013-05-10 02:53 - 2013-05-10 02:53 - 00745472 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00523264 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00185344 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00138752 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00137216 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00125440 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00117248 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00082432 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00079872 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00038400 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-05-10 02:53 - 2013-05-10 02:53 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-05-10 02:53 - 2013-05-10 02:53 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-05-10 02:52 - 2013-05-10 02:52 - 01441280 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-10 02:52 - 2013-05-10 02:52 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-05-10 02:52 - 2013-05-10 02:52 - 00719360 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00629248 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00361984 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-05-10 02:52 - 2013-05-10 02:52 - 00357888 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00242200 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00232960 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00073728 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-05-10 02:52 - 2013-05-10 02:52 - 00069120 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00061952 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-05-10 02:52 - 2013-05-10 02:52 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-05-10 02:52 - 2013-05-10 02:52 - 00023040 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-05-08 09:47 - 2012-11-06 05:13 - 00000000 ____D C:\ProgramData\CanonIJPLM
2013-05-06 06:39 - 2013-04-02 12:21 - 00000000 ____D C:\Users\ron\Documents\Receipts
2013-05-02 07:28 - 2012-10-02 16:55 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-30 23:59 - 2013-04-30 23:59 - 00094208 ____A (Apple Inc.) C:\Windows\System32\QuickTimeVR.qtx
2013-04-30 23:59 - 2013-04-30 23:59 - 00069632 ____A (Apple Inc.) C:\Windows\System32\QuickTime.qts

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-512976243-2268524125-934994613-1000\$0a2fb8dd3b3b743814c8ff26a575c08b

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0a2fb8dd3b3b743814c8ff26a575c08b

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-27 18:36:22

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3069.97 MB
Available physical RAM: 2613.1 MB
Total Pagefile: 3068.25 MB
Available Pagefile: 2614.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1931.34 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:74.33 GB) (Free:11.47 GB) NTFS
Drive f: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive g: () (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System) (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 75 GB) (Disk ID: 4DA6963E)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=74 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: C22AC22A)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)

Last Boot: 2013-05-30 08:43

==================== End Of Log ================
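
As an added triage example for the log above (not code from the thread, from FRST or from BleepingComputer), this Python script picks out the lines FRST itself flagged: the "ATTENTION! ====>" registry marker, the "ZeroAccess:" path blocks, the junction findings in the Bamital & volsnap check, and autorun entries marked "[x]". The patterns are assumptions based only on the line formats visible in this log, and the sample input is constructed from it.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.
Added example for this thread, not code from the thread, from FRST or from
BleepingComputer. Patterns are assumptions based on the line formats visible in
the FRST.txt above; the sample log is constructed from that log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample: a few lines copied from the thread's FRST.txt.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-05-2013
Boot Mode: Recovery
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install [1657448 2009-11-18] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKU\ron\...\Run: [NVIDIASpace] rundll32.exe "C:\ProgramData\NVIDIASpace\cpuhelper.dll",#2 [x]
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0a2fb8dd3b3b743814c8ff26a575c08b
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
"""

# Registry entry that FRST attributed to a malware family.
REG_ATTENTION = re.compile(r"^(?P<key>.+?)\s+ATTENTION!\s*=+>\s*(?P<family>\w+)$")
# Bamital & volsnap check: a security product's file hijacked via a junction.
JUNCTION = re.compile(r"^(?P<path>.+?) => ATTENTION: (?P<family>\w+)\. "
                      r"Use DeleteJunctionsIndirectory: (?P<dir>.+)$")
# Bamital & volsnap check: core binary whose hash FRST recognised as genuine.
LEGIT_MD5 = re.compile(r"^(?P<path>.+?) => MD5 is legit$")
# A family name alone on a line introduces a hidden path on the next line.
FAMILY_HEADER = re.compile(r"^(?P<family>\w+):$")


@dataclass
class Finding:
    kind: str         # registry | missing_target | hidden_path | junction
    family: str       # family name FRST printed, "" when it printed none
    detail: str       # registry key, file path or the whole autorun line
    line_no: int
    target: str = ""  # directory FRST says to clear (junction findings only)


@dataclass
class Triage:
    boot_mode: str = "unknown"
    findings: List[Finding] = field(default_factory=list)
    legit: List[str] = field(default_factory=list)

    def families(self) -> Set[str]:
        return {f.family for f in self.findings if f.family}

    def junction_dirs(self) -> List[str]:
        return sorted({f.target for f in self.findings if f.kind == "junction"})


def parse_frst_log(text: str) -> Triage:
    """Walk an FRST.txt line by line and collect what FRST itself flagged."""
    tri = Triage()
    pending_family = ""  # set by a "Family:" header, consumed by the next line
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if pending_family:
            tri.findings.append(Finding("hidden_path", pending_family, line, no))
            pending_family = ""
        elif line.startswith("Boot Mode:"):
            tri.boot_mode = line.split(":", 1)[1].strip()
        elif (m := FAMILY_HEADER.match(line)):
            pending_family = m["family"]
        elif (m := JUNCTION.match(line)):
            tri.findings.append(Finding("junction", m["family"], m["path"], no, m["dir"]))
        elif (m := REG_ATTENTION.match(line)):
            tri.findings.append(Finding("registry", m["family"], m["key"], no))
        elif (m := LEGIT_MD5.match(line)):
            tri.legit.append(m["path"])
        elif line.endswith("[x]"):
            # FRST appends [x] to an autorun entry whose file it could not find
            # (assumed convention): worth a look, not proof of infection on its own.
            tri.findings.append(Finding("missing_target", "", line, no))
    return tri


def report(tri: Triage) -> str:
    """Plain-text summary in the order a helper would read the log."""
    out = [f"Boot mode: {tri.boot_mode}",
           f"Families flagged by FRST: {', '.join(sorted(tri.families())) or 'none'}"]
    for f in tri.findings:
        out.append(f"  line {f.line_no:>4} [{f.kind}] {f.detail}"
                   + (f" -> {f.target}" if f.target else ""))
    if tri.junction_dirs():
        out.append("Directories FRST says to clear with DeleteJunctionsIndirectory:")
        out.extend(f"  {d}" for d in tri.junction_dirs())
    out.append(f"Core binaries with a recognised MD5: {len(tri.legit)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_frst_log(SAMPLE_LOG)))
```

Run against a full FRST.txt the same way (read the file, pass its text to parse_frst_log); the Windows Update noise in the file lists is ignored because FRST did not mark it.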



#8 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 31 May 2013 - 04:13 AM

Download the attached fixlist.txt (299 bytes) and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Edited by Larusso, 31 May 2013 - 04:13 AM.

regards,
Daniel


#9 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 31 May 2013 - 12:47 PM

Attached file: Fixlog.txt (734 bytes)


For some reason I was not able to cut and paste from the clipboard, so I posted it as an attachment. Let me know what you would like me to do next. Thanks again


Edited by ronp08, 31 May 2013 - 12:49 PM.


#10 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 31 May 2013 - 03:36 PM

Hi there.
Please delete any existing fixlist.txt files.


Download the attached fixlist.txt (133 bytes) and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.



Please download ESET's ServiceRepair.exe to your desktop.

Double-click on the file and click Yes on the first message box.
When done, the tool will ask for a reboot to complete the fix. Please allow it.
If it doesn't ask you to reboot your PC, please perform a manual reboot.



Please download Farbar's Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards,
Daniel


#11 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 31 May 2013 - 03:50 PM

Where do I run FRST? I don't have FRST64 downloaded. I have a 32-bit system.



#12 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 31 May 2013 - 06:31 PM

Sorry, I had to attach the file again. For some reason it will not let me paste. Attached file: FSS.txt (4.56 KB)



#13 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 31 May 2013 - 06:37 PM

This is the other log you requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-05-2013
Ran by ron at 2013-05-31 18:55:48 Run:2
Running from F:\
Boot Mode: Normal

==============================================

"C:\Program Files\Windows Defender" => Deleting junctions and unlocking files completed successfully.
"C:\Program Files\Microsoft Security Client" => Deleting junctions and unlocking files completed successfully.

==== End of Fixlog ====



#14 Larusso

Larusso

    Raggamuffin


  • Malware Response Team
  • 305 posts
  • Gender:Male
  • Location:Austria

Posted 01 June 2013 - 05:06 AM

Hi there.

We have a little bit more work to do now.
First of all, we need to reinstall MSE.

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):
Microsoft Security Essentials

Reboot when done



Download the MSE installer from here --> Microsoft Security Essentials and reinstall it.



Please download the following .reg files to your desktop:
  • Double click on each of them and allow the modification of the registry.
    Reboot after the last file, re-run FSS.exe as before and post the FSS.txt here please. :)

Edited by Larusso, 01 June 2013 - 05:07 AM.

regards,
Daniel


#15 ronp08

ronp08
  • Topic Starter

  • Members
  • 35 posts

Posted 01 June 2013 - 06:42 AM

I deleted MSE as requested and tried to download it again. The message states it was not successful, an error occurred, restart your computer and try again. Tried 2 times, same message. Also downloaded all the other items requested with no issues. Thank you again for all your help.





