Windows 7 repair


This topic is locked. 19 replies to this topic.

#1 SysTech Guy (Members, 130 posts)

Posted 14 June 2013 - 06:55 PM

I am attempting to do a Repair via an install disk on a Windows 7 Pro laptop.

Link to original post: http://www.bleepingcomputer.com/forums/t/498028/windows-7-repair/

History:

- User contacted me saying that when she tries to download ANY file, the browser flags it as a virus and will not download.

- This could be replicated with Chrome and IE, logged in as that user, another local account, plus the domain administrator account.

- I could download the same files without issue from another computer.

- Ran Malwarebytes; it picked up a number of infections and cleaned them, however the issue still persisted.

- Ran Malwarebytes again; it came up clean, issue still persisted.

- Installed SAV (no apparent virus protection), updated SAV and ran a scan; no infections found, issue still persisted.

- Ran the TDSSKiller utility; no rootkits found, issue persisted.

- Did some research and discovered that this 'could' be attributed to a faulty AV install that was corrupted.

- Found MSSE in Add/Remove Programs; could not remove it.

- Downloaded the Microsoft Uninstall Utility, uninstalled MSSE, tried to install again to then do a 'clean' uninstall; MSSE still recognized MSSE as being installed.

- Went through the registry (backed up first) and removed entries for Microsoft Security Essentials, Microsoft Security Client and Antimalware.

- Ran CCleaner.

- Browser issue is gone; I can now download files from the browser. However, I tried to do a Windows update and received Windows Update error 80073712.

- Renamed the SoftwareDistribution file in the Windows directory; Windows Update issue still persists.

- Tried the method of installing from the OEM install disk (http://windows.microsoft.com/en-us/windows7/windows-update-error-80073712). Received an error that Setup has failed and to restart the computer. I tried two more times, same issue.

- Uninstalled SAV and verified the firewall was off; still an issue with trying to repair the OS.

- I created a new local admin level account; still an issue with trying to repair the OS.

- Rebooted Windows with only services and tried another repair; still an issue with trying to repair the OS.

- Ran a check disk with the option to repair corrupted files; still an issue with trying to repair the OS and run system updates.

Other symptoms

- Tried to run sfc /scannow; received the message "Windows Resource Protection could not perform the requested operation".

- When I go to Add/Remove Programs and click 'View Updates' it just brings up a blank box.

In the link at the very top, it references a post where I included the WindowsUpdate log file that will show today and yesterday.

Any assistance would be appreciated.
#2 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,086 posts, The Arctic Circle)

Posted 15 June 2013 - 06:28 AM

You should post any logs from the tools you have run for people to look at; it gives people a better view of what has already been removed.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 15 June 2013 - 07:22 PM

The only scans that produced problems were Malwarebytes and CCleaner. I didn't save the text file for Malwarebytes. However, I did a second scan, after verifying that the database was updated, and it came up clean.

CCleaner, to my knowledge, does not auto-save the logs, but I didn't save that text file either.



#4 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,086 posts, The Arctic Circle)

Posted 16 June 2013 - 03:53 AM

If you still have Malwarebytes on the infected computer, please open it up and go to the Logs tab along the top. Post any logs you have in there (normally called mbam-log).

I'm not even sure that CCleaner produces logs, to be honest; I think not, since it has not done that for me before.

 

I'm also going to get another member of the team to help you out.

 

xXToffeeXx~




#5 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,416 posts, Romania)

Posted 16 June 2013 - 04:31 AM

Hello,

These symptoms are sometimes seen with a serious rootkit infection. Therefore I recommend posting the MBAM log if you have it, but take no further steps to forcefully remove MSSE, as this could cause serious damage.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 



#6 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 16 June 2013 - 07:19 AM

Can't seem to add an attachment to a post...

 

Here is the initial Malwarebytes scan and clean-up. Subsequent scans turned up clean.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.07.08
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: W7-CINDY [administrator]
 
6/7/2013 12:02:07 PM
mbam-log-2013-06-07 (12-02-07).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 465127
Time elapsed: 1 hour(s), 40 minute(s), 51 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 4
c:\users\czelby\appdata\local\temp\63907010.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\czelby\AppData\Local\Temp\is456666025\MyCalendarSetup-04.07.2012.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\czelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\56e852e0-6ed43998 (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1471356020-3249294952-1347200939-1129\$R629A7780 (Rootkit.0Access) -> Quarantined and deleted successfully.
 
(end)
 

 



#7 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,416 posts, Romania)

Posted 16 June 2013 - 08:22 AM

Hi again,

Please download Rkill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer; you will need to run the application again.

regards, Elise


#8 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 16 June 2013 - 10:34 AM

Ran Rkill; it found ZeroAccess entries on the C: drive. Run Malwarebytes again?

Rkill 2.5.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/16/2013 09:49:03 AM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * c:\Windows\system32\srvany.exe (PID: 1284) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_b56e56591cecccb4\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpClient.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MsMpRes.dll => c:\windows\system32\config [File]

Checking Windows Service Integrity: 

 * WinDefend (WinDefend) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * No issues found.

Program finished at: 06/16/2013 09:49:40 AM
Execution time: 0 hours(s), 0 minute(s), and 36 seconds(s)


Edited by SysTech Guy, 16 June 2013 - 10:34 AM.


#9 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 16 June 2013 - 11:09 AM

Try ComboFix next? Still an issue with running MS updates.


Edited by SysTech Guy, 16 June 2013 - 11:10 AM.


#10 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 16 June 2013 - 11:20 AM

Initiating a ComboFix scan



#11 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,416 posts, Romania)

Posted 16 June 2013 - 01:24 PM

If you already ran ComboFix, please post the log. If not, please post back here. ComboFix is an advanced tool; it's not recommended to run it unsupervised.

Also, a word of caution: do not attempt to manually remove the MSSE folders; doing this at this point will delete the complete Windows registry due to the set junctions.

regards, Elise
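To make the warning about the junctions concrete, here is an added example (editor's code, not from the thread, from Rkill or from BleepingComputer) that parses an Rkill log in the shape SysTech Guy posted and reports which reparse points resolve into protected system directories, i.e. the folders a recursive delete must not touch, alongside the disabled-control lines. The sample log is a constructed excerpt modelled on the one posted above; the `PROTECTED_TARGETS` list, the invented `Example` junction and all function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Directories holding live system state. A junction under a program folder that
# resolves here turns "delete the program folder" into "delete the registry
# hives" (system32\config). This list is the example's assumption, not Rkill's.
PROTECTED_TARGETS = (
    r"c:\windows\system32\config",
    r"c:\windows\system32\drivers",
)

# " * <source> => <target> [Dir|File]" entries listed under Rkill's ZEROACCESS alert.
REPARSE_RE = re.compile(
    r"^\s*\*\s+(?P<src>.+?)\s+=>\s+(?P<dst>.+?)\s+\[(?P<kind>Dir|File)\]\s*$")
# " * Windows Defender Disabled" / " * Windows Firewall Disabled" lines.
DISABLED_RE = re.compile(
    r"^\s*\*\s+(?P<control>Windows (?:Defender|Firewall)) Disabled\s*$")


@dataclass(frozen=True)
class ReparsePoint:
    source: str  # path that looks like a program file or folder but is a junction
    target: str  # where the junction resolves to
    kind: str    # "Dir" or "File", as Rkill reports it


def _norm(path: str) -> str:
    """Case-fold and drop a trailing backslash so Dir and File targets compare alike."""
    return path.rstrip("\\").lower()


def is_protected_target(target: str) -> bool:
    """True if the junction target is, or lies inside, a protected directory."""
    t = _norm(target)
    return any(t == _norm(p) or t.startswith(_norm(p) + "\\") for p in PROTECTED_TARGETS)


def parse_rkill(text: str):
    """Return (reparse points, disabled security controls) found in an Rkill log."""
    reparse, disabled = [], []
    in_reparse = False
    for line in text.splitlines():
        if "Reparse Point/Junction found" in line:
            in_reparse = True  # entries follow until the next section header
            continue
        m = DISABLED_RE.match(line)
        if m:
            disabled.append(m.group("control"))
            continue
        if in_reparse:
            m = REPARSE_RE.match(line)
            if m:
                reparse.append(ReparsePoint(m.group("src"), m.group("dst"), m.group("kind")))
            elif line.strip():
                in_reparse = False  # any other non-blank line ends the list
    return reparse, disabled


def summarize(text: str) -> dict:
    """Triage an Rkill log: which folders must not be deleted, what was switched off."""
    reparse, disabled = parse_rkill(text)
    dangerous = [r for r in reparse if is_protected_target(r.target)]
    # Parent folders of dangerous junctions: a recursive delete of any of them
    # would follow the junction into the protected directory.
    do_not_delete = sorted({r.source.rsplit("\\", 1)[0].lower() for r in dangerous})
    return {
        "reparse_points": len(reparse),
        "dangerous": len(dangerous),
        "do_not_delete": do_not_delete,
        "disabled_controls": disabled,
    }


# Constructed excerpt in the shape of the Rkill 2.5.3 log posted in this thread.
# The "Example" junction is invented to show a benign target being passed over.
SAMPLE_RKILL_LOG = r"""
Performing miscellaneous checks:

 * Windows Defender Disabled

 * Windows Firewall Disabled

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Example\Data => d:\shared\example [Dir]

Checking Windows Service Integrity:

 * WinDefend (WinDefend) is not Running.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_RKILL_LOG))
```

Run against a real Rkill log, `do_not_delete` lists exactly the folders that must be left alone until the junctions have been removed by a tool that understands them, which is what ComboFix did later in this thread.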


#12 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 16 June 2013 - 01:28 PM

Interesting thing I found: Windows Components is corrupted. When I try to open HKLM\Components in the Registry, I receive the error "Components cannot be opened. An error is preventing this key from being opened. Details: access is denied."



#13 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 16 June 2013 - 01:37 PM

This describes my issue exactly. Tried all methods; none of them work. Did not have a restore point for Method 2...

http://support.microsoft.com/kb/931712

 

ComboFix log

ComboFix 13-06-15.01 - Administrator 06/16/2013  13:30:51.2.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.1480 [GMT -5:00]
Running from: c:\utility\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-16 to 2013-06-16  )))))))))))))))))))))))))))))))
.
.
2013-06-16 18:34 . 2013-06-16 18:34	--------	d-----w-	c:\users\Techpro\AppData\Local\temp
2013-06-16 18:34 . 2013-06-16 18:34	--------	d-----w-	c:\users\nsss\AppData\Local\temp
2013-06-16 18:34 . 2013-06-16 18:34	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-06-16 18:34 . 2013-06-16 18:34	--------	d-----w-	c:\users\Default.old\AppData\Local\temp
2013-06-16 18:34 . 2013-06-16 18:34	--------	d-----w-	c:\users\czelby\AppData\Local\temp
2013-06-16 16:50 . 2013-06-16 16:51	109744	----a-w-	c:\windows\system32\drivers\SYMEVENT.SYS
2013-06-16 16:50 . 2013-06-16 16:50	--------	d-----w-	c:\program files\Symantec AntiVirus
2013-06-16 16:34 . 2013-06-16 16:34	--------	d-----w-	C:\$WINDOWS.~LS
2013-06-16 16:34 . 2013-06-16 16:41	--------	d-----w-	C:\$UPGRADE.~OS
2013-06-16 16:33 . 2013-06-16 16:33	--------	d-----w-	C:\$WINDOWS.~BT
2013-06-16 12:15 . 2013-06-16 12:15	--------	d-----w-	c:\users\Administrator\AppData\Local\Google
2013-06-14 20:34 . 2013-06-14 20:34	--------	d-----w-	c:\users\Techpro\AppData\Local\Intuit
2013-06-14 20:34 . 2013-06-14 20:34	--------	d-----w-	c:\users\Techpro\AppData\Roaming\Apple Computer
2013-06-13 22:27 . 2013-06-13 22:27	--------	d-----w-	c:\users\BC
2013-06-13 21:24 . 2013-06-13 21:24	--------	d-----w-	c:\users\Administrator\AppData\Local\Microsoft Corporation
2013-06-13 21:24 . 2013-06-13 21:24	--------	d-----w-	c:\program files\Microsoft Windows 7 Upgrade Advisor
2013-06-10 20:14 . 2013-06-10 20:14	--------	d-----w-	c:\windows\CheckSur
2013-06-10 20:08 . 2013-06-10 20:08	--------	d-----w-	c:\program files\Common Files\Java
2013-06-10 20:05 . 2013-06-10 20:05	866720	----a-w-	c:\windows\system32\npDeployJava1.dll
2013-06-10 20:05 . 2013-06-10 20:05	94112	----a-w-	c:\windows\system32\WindowsAccessBridge.dll
2013-06-10 19:58 . 2013-06-10 19:58	--------	d-----w-	c:\programdata\McAfee
2013-06-10 19:40 . 2013-06-10 19:57	2306	----a-w-	C:\FixitRegBackup.reg
2013-06-10 19:08 . 2013-06-10 19:08	--------	d-----w-	c:\program files\CCleaner
2013-06-10 18:28 . 2013-06-10 18:28	--------	d-----w-	c:\users\czelby\AppData\Roaming\Malwarebytes
2013-06-07 20:39 . 2013-06-07 20:39	--------	d-----w-	C:\MATS
2013-06-07 17:00 . 2013-06-07 17:01	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2013-06-07 17:00 . 2013-04-04 19:50	22856	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-06-07 17:00 . 2013-06-07 17:00	--------	d-----w-	c:\users\Administrator\AppData\Local\Programs
2013-06-07 16:50 . 2013-06-07 16:50	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Malwarebytes
2013-06-07 16:50 . 2013-06-07 16:50	--------	d-----w-	c:\programdata\Malwarebytes
2013-06-07 16:44 . 2013-06-07 16:44	--------	d-----w-	c:\users\Administrator\AppData\Local\Intuit
2013-06-07 16:44 . 2013-06-07 16:44	--------	d-----w-	c:\users\Administrator\AppData\Local\Symantec
2013-06-07 16:44 . 2013-06-07 16:44	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Apple Computer
2013-06-07 16:21 . 2013-06-07 16:21	--------	d-----w-	c:\users\czelby\AppData\Local\Symantec
2013-06-07 16:00 . 2013-06-16 16:51	--------	d-----w-	c:\program files\Symantec
2013-06-07 15:59 . 2013-06-16 16:51	--------	d-----w-	c:\programdata\Symantec
2013-06-07 15:59 . 2013-06-16 16:51	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2013-06-07 15:55 . 2013-06-07 15:55	--------	d-----w-	c:\users\administrator.ZELBY
2013-06-07 15:51 . 2013-06-07 15:51	--------	d-----w-	c:\users\lsuma
2013-05-23 22:13 . 2013-05-30 22:54	--------	d-----w-	c:\users\czelby\AppData\Roaming\HpUpdate
2013-05-23 22:13 . 2012-10-17 09:04	580712	------w-	c:\windows\system32\HPDiscoPM5912.dll
2013-05-23 22:07 . 2013-05-23 22:24	--------	d-----w-	c:\users\czelby\AppData\Local\HP
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-11 19:44 . 2012-04-10 15:42	692104	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2013-06-11 19:44 . 2012-01-28 23:04	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-10 20:05 . 2012-01-28 23:12	788896	----a-w-	c:\windows\system32\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
.
c:\users\Techpro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]
.
c:\users\administrator.ZELBY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]
.
c:\users\BC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]
.
c:\users\lsuma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Intuit Data Protect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
backup=c:\windows\pss\Intuit Data Protect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
backup=c:\windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Smart Settings.lnk]
path=c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
backup=c:\windows\pss\Smart Settings.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2011-07-20 23:09	505720	----a-w-	c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 20:13	59280	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2011-01-15 19:00	5955072	----a-w-	c:\program files\Dell\DW WLAN Card\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DFEPApplication]
2011-08-24 22:15	6306712	----a-w-	c:\program files\Dell\Feature Enhancement Pack\DFEPApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeFallProtection]
2011-07-25 15:43	686704	----a-w-	c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSS]
2011-08-09 03:45	112408	----a-w-	c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2013-03-11 15:23	2778424	----a-w-	c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 12:32	253816	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2011-01-25 09:57	536668	----a-w-	c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 mkxizkwb;mkxizkwb;c:\windows\system32\drivers\mkxizkwb.sys [x]
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2003-04-19 8192]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-27 132480]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-20 126464]
R3 NisSrv;NisSrv; [x]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7.sys [2011-01-04 60904]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-20 19456]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-02-06 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]
S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe [2011-08-24 1568664]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-06-29 112800]
S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2013-03-11 1248256]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-08-09 2656536]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-07-22 44144]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2011-02-01 33832]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-20 41088]
S3 nskbfltr;nskbfltr;c:\windows\system32\drivers\nskbfltr.sys [2007-07-10 20512]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [2011-01-04 62440]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]
S3 PaniniUSB;PaniniUSB;c:\windows\system32\DRIVERS\PaniniUSB.sys [2012-11-05 202880]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ERASERUTILDRV11220
*NewlyCreated* - NAVENG
*NewlyCreated* - NAVEX15
*NewlyCreated* - SPBBCDRV
*NewlyCreated* - SRTSP
*NewlyCreated* - SRTSPX
*NewlyCreated* - SYMEVENT
*NewlyCreated* - SYMREDRV
*NewlyCreated* - WS2IFSL
*Deregistered* - EraserUtilDrv11220
*Deregistered* - SYMREDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-05 21:23	1165776	----a-w-	c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 19:44]
.
2013-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-22 16:10]
.
2013-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-22 16:10]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - c:\program files\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1551315410-1286934956-2625887904-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,17,c8,
   04,9b,b8,ed,0a,bd,9c,b8,17,8d,6f,f0,d9
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,3b,1b,ab,88,03,
   6a,c6,86,42,0e,ae,e1,96,9a,f0,98,60,59
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,3b,1b,25,b7,e4,
   a8,17,5e,37,01,a2,28,00,f3,01,cf,4f,e5
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,3b,1b,54,1f,df,
   c7,73,f4,35,0b,a4,7e,de,65,c0,84,c5,b3
.
[HKEY_USERS\S-1-5-21-1551315410-1286934956-2625887904-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:4e,58,9e,e4,14,e5,cc,01
.
[HKEY_USERS\S-1-5-21-1551315410-1286934956-2625887904-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,f8,c9,88,69,a7,07,4a,a0,c0,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ee,f5,03,7c,0f,dc,69,45,88,e1,7d,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'csrss.exe'(504)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
.
Completion time: 2013-06-16  13:36:01
ComboFix-quarantined-files.txt  2013-06-16 18:36
ComboFix2.txt  2013-06-16 16:26
.
Pre-Run: 175,498,104,832 bytes free
Post-Run: 175,432,990,720 bytes free
.
- - End Of File - - EB3E9F18827564E9435319A967FCA913
5C616939100B85E558DA92B899A0FC36



#14 SysTech Guy, Topic Starter (Members, 130 posts)

Posted 16 June 2013 - 02:15 PM

Just in case I shot myself in the foot when I removed the MSSE key, I imported from a backup registry I made BEFORE I removed the MSSE keys. I verified by doing a search for "Antimalware", which I did find after the import. I did another Rkill run; this is what it found. Still having the same issue with Windows updates and viewing Windows Features.

Rkill 2.5.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/16/2013 02:10:38 PM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * c:\Windows\system32\srvany.exe (PID: 2304) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity: 

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * HOSTS file entries found: 

  127.0.0.1       localhost

Program finished at: 06/16/2013 02:11:29 PM
Execution time: 0 hours(s), 0 minute(s), and 50 seconds(s)




#15 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,416 posts, Romania)

Posted 16 June 2013 - 03:11 PM

Looks like ComboFix took care of the junctions for us. :)

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise