Microsoft Security Essentials - Error Code 080073b01


  • This topic is locked
49 replies to this topic

#1 jaws239

jaws239

  • Members
  • 36 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 27 November 2013 - 03:14 PM

"An error has occurred in the program during initialization.  If this problem continues, please contact your system administrator.

Error code: 0x80073b01"

(note: I AM the administrator)

 

[Obviously, I'm not a computer tech, but I do know how to do a few things on it!  Computer logs may as well be written in a foreign language, because I don't understand them. BUT, I WILL "pay attention and follow instructions" if someone has time to assist me!]

 

I've been reading some of the instructions, but most seem to boil down to (MY words, not yours!): don't make the problem worse by trying to fix what you know little/nothing about!  ... so I haven't.

 

Computer info:

HP Pavilion notebook

Windows Vista 64-bit

Google Chrome browser.  (Until 1-2 yrs ago, I had been using IE, but it kept freezing up on me, so switched to Google.)

(I HAD been using BitDefender, until a couple years ago when they released a BAD update and crashed my system.  With their limited help, I got most of it working again, BUT they said to get FULL working back, I needed to re-format.  I'm NOT comfortable doing that, so I've been dealing with it.  The HP systems that I KNOW don't work are: HP Support Assistant and Media Smart.)

I stopped using BitDefender and went to Microsoft Security Essentials.

 

About 11/4/2013, I can't recall what wasn't working but, from a Microsoft online scan, found out I had:

Trojan: Win32/Sirefef.AB
        Win64/Sirefef.P

I downloaded the 32- and 64-bit removal tools, double-checked my system and used the 64-bit tool.  After following the instructions on it, everything seemed fine.  I re-scanned using the Microsoft online scan.  It reported my machine was "clean."  Then I did a full scan using MS Essentials.  It listed several "Sirefef" files in Quarantine.  I didn't know how to remove them and thought they'd been "contained" and I was safe again.

(I'm not on my computer daily, but every time I get on it, my first action is to open MS Essentials and do an update, then a full scan.)

Earlier this week, I got on computer and noticed my MS Essentials icon wasn't showing in the tray down by the clock.  I tried to open it through the "start" button.  Each time, I'd get the above message.

I noticed one person posting here instructing someone to right-click and try to open MS Essentials.  I tried that, and got the same error message.

 

If someone has time to try to walk me through this, I would appreciate it!  I'm in the US, and tomorrow is Thanksgiving (a day that traditionally means meals and family), so I'll check back this afternoon and again Saturday, 11/30/13. I'll also try to check on Sunday, 12/1/13.

 

Thanks in advance!  If you need more info to assist, please let me know!

 

PER Toffee's instructions, I started with Step 6 of the Malware Removal and Log Section Preparation Guide.  The DDS.txt is copied below.  The attach.txt is attached.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16520  BrowserJavaVersion: 10.45.2
Run by jaws at 13:34:14 on 2013-11-27
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3998.1258 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.87\ccSvcHst.exe
C:\Program Files (x86)\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.87\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\jaws\AppData\Local\DownBook\DownBook.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files (x86)\Hp\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\QuickTime\QTTask.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Users\jaws\AppData\Local\Google\Update\1.3.21.165\GoogleCrashHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Users\jaws\AppData\Local\Google\Update\1.3.21.165\GoogleCrashHandler64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.87\SymcPCCULaunchSvc.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\splwow64.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jaws\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "C:\Users\jaws\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [DownBook] "C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" 112981f53b5260810bfb4d3660b803ba 7
uRun: [Google Update] "C:\Users\jaws\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe"  /autorun
mRun: [HPPQVideo] "C:\Program Files (x86)\HP\ScheduledLaunch\HP LaserJet P2050 Series\bin\hppschlnch.exe" -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\LJ_P2050_Series -f PQOptimizerVideo.xml -o RemindLater
mRun: [ToolBoxFX] "C:\Program Files (x86)\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\jaws\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\KODAKE~1.LNK - C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\KODAKS~1.LNK - C:\Program Files (x86)\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxps://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{2E48CE55-2E0E-4915-8E33-DA4DCF96C328} : DHCPNameServer = 192.168.1.254
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
x64-mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [SmartMenu] C:\Program Files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
x64-RunOnce: [NCPluginUpdater] "c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe" Update
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2008-3-18 30520]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 134944]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.87\SymcPCCULaunchSvc.exe [2011-10-14 123320]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.15.87\ccSvcHst.exe [2011-10-14 126392]
R2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-1-13 365952]
R2 TeamViewer5;TeamViewer 5;C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-3-18 172328]
R2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2009-2-9 296320]
R2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2009-2-9 116096]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-1-13 222512]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2010-3-25 64000]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2010-3-25 126464]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
S1 draupvxf;draupvxf;C:\Windows\System32\drivers\draupvxf.sys [2013-11-23 56616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DIFMBUS;Franklin EVDO USB Modem Composite Device Driver;C:\Windows\System32\drivers\DIFMBUS.sys [2010-5-21 69848]
S3 DIFMCVsp;Franklin EVDO USB Modem CM Port;C:\Windows\System32\drivers\DIFMCVsp.sys [2010-5-21 177368]
S3 DIFMMdm;Franklin EVDO USB Modem;C:\Windows\System32\drivers\DIFMMdm.sys [2010-5-21 177368]
S3 DIFMNET;Franklin EVDO USB Modem Network Adapter;C:\Windows\System32\drivers\DIFMNET.sys [2010-5-21 132696]
S3 DIFMNVsp;Franklin EVDO USB Modem NMEA Port Serial Port;C:\Windows\System32\drivers\DIFMNVsp.sys [2010-5-21 177368]
S3 DIFMVsp;Franklin EVDO USB Modem Diagnostics Port;C:\Windows\System32\drivers\DIFMVsp.sys [2010-5-21 177368]
S3 MatSvc;Microsoft Automated Troubleshooting Service;C:\Program Files\Microsoft Fix it Center\Matsvc.exe [2011-6-13 343856]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [2013-9-6 288776]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw3v64.sys [2008-1-20 3154432]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2013-7-20 1022632]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2006-11-2 273408]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-11-24 01:52:42 56616 ----a-w- C:\Windows\System32\drivers\draupvxf.sys
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-14 09:01:33 82896128 ----a-w- C:\Windows\System32\mrt.exe
2013-10-28 18:02:58 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-28 18:02:55 264616 ----a-w- C:\Windows\SysWow64\javaws.exe
2013-10-28 18:02:55 175016 ----a-w- C:\Windows\SysWow64\javaw.exe
2013-10-28 18:02:54 174504 ----a-w- C:\Windows\SysWow64\java.exe
2013-10-13 15:58:41 17847296 ----a-w- C:\Windows\System32\mshtml.dll
2013-10-13 15:09:57 10926080 ----a-w- C:\Windows\System32\ieframe.dll
2013-10-13 14:55:42 2334720 ----a-w- C:\Windows\System32\jscript9.dll
2013-10-13 14:48:43 1346560 ----a-w- C:\Windows\System32\urlmon.dll
2013-10-13 14:47:43 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-10-13 14:46:53 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-10-13 14:46:27 237056 ----a-w- C:\Windows\System32\url.dll
2013-10-13 14:44:28 85504 ----a-w- C:\Windows\System32\jsproxy.dll
2013-10-13 14:42:38 816640 ----a-w- C:\Windows\System32\jscript.dll
2013-10-13 14:42:36 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-10-13 14:42:11 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-10-13 14:39:50 2147840 ----a-w- C:\Windows\System32\iertutil.dll
2013-10-13 14:38:57 729088 ----a-w- C:\Windows\System32\msfeeds.dll
2013-10-13 14:36:11 96768 ----a-w- C:\Windows\System32\mshtmled.dll
2013-10-13 14:35:12 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-10-13 14:29:31 248320 ----a-w- C:\Windows\System32\ieui.dll
2013-10-13 10:42:12 12344832 ----a-w- C:\Windows\SysWow64\mshtml.dll
2013-10-13 10:08:04 9739264 ----a-w- C:\Windows\SysWow64\ieframe.dll
2013-10-13 09:48:06 1806848 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-10-13 09:37:03 1104896 ----a-w- C:\Windows\SysWow64\urlmon.dll
2013-10-13 09:35:52 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-10-13 09:35:38 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-10-13 09:33:57 231936 ----a-w- C:\Windows\SysWow64\url.dll
2013-10-13 09:32:00 65024 ----a-w- C:\Windows\SysWow64\jsproxy.dll
2013-10-13 09:30:20 717824 ----a-w- C:\Windows\SysWow64\jscript.dll
2013-10-13 09:30:14 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-10-13 09:29:02 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-10-13 09:27:43 607744 ----a-w- C:\Windows\SysWow64\msfeeds.dll
2013-10-13 09:27:40 1796096 ----a-w- C:\Windows\SysWow64\iertutil.dll
2013-10-13 09:26:08 73216 ----a-w- C:\Windows\SysWow64\mshtmled.dll
2013-10-13 09:25:39 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-10-13 09:20:51 176640 ----a-w- C:\Windows\SysWow64\ieui.dll
2013-10-11 04:23:42 462848 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-11 04:23:21 781824 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-11 02:07:57 596480 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-03 15:03:41 389632 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 15:02:58 1278976 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-03 12:46:36 304128 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-10-03 12:45:45 993792 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-09-27 15:53:06 248240 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2013-09-27 15:53:06 134944 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2013-09-04 02:31:51 404992 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 13:34:50.57 ===============
 

 

Thank you!

jaws239
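The DDS log above is the kind of thing a helper reads by eye: Run keys, services and drivers, each with a path and a file date. As an added example (not part of this thread, and not code from DDS, RogueKiller or any other tool named here), the script below applies the same triage rules a reviewer uses to a handful of lines copied from that log: an autorun that launches from a user-writable directory such as AppData, and a driver whose name is also its description, looks random, and was created days before the log. The directory list, the 30-day window and the "all-lowercase, 7 to 12 letters" name pattern are this example's own assumptions, tuned to this log and nothing more.

```python
"""Triage of a DDS-style log: flag autorun entries launched from user-writable
directories and drivers whose name, description and age look suspicious.

Added example for this thread; it is not part of DDS, RogueKiller or any other
tool mentioned in it. SAMPLE_LOG is copied from the DDS log posted above; the
heuristics (USER_WRITABLE, RECENT_DAYS, the random-name pattern) are assumptions.
"""
import re
from datetime import date

# Lines copied from the DDS log in the first post (header, Run keys, drivers).
SAMPLE_LOG = r"""
Run by jaws at 13:34:14 on 2013-11-27
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "C:\Users\jaws\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [DownBook] "C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" 112981f53b5260810bfb4d3660b803ba 7
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
S1 draupvxf;draupvxf;C:\Windows\System32\drivers\draupvxf.sys [2013-11-23 56616]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2006-11-2 273408]
"""

LOG_DATE_RE = re.compile(r"^Run by \S+ at \S+ on (\d{4}-\d{2}-\d{2})")
RUN_RE = re.compile(r"^(?:u|m|x64-)Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) "
    r"\[(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2}) (?P<size>\d+)\]$"
)
# Assumed list of directories a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
RECENT_DAYS = 30  # assumption: a driver this new relative to the log date deserves a look


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run value, quoted or not."""
    m = EXE_RE.search(cmd)
    return m.group("path") if m else cmd.split()[0]


def triage_autorun(cmd: str) -> list:
    """Reasons an autorun command line deserves review (empty list = nothing seen)."""
    reasons = []
    if any(tok in exe_path(cmd).lower() for tok in USER_WRITABLE):
        reasons.append("launched from a user-writable directory")
    if re.search(r"\s[0-9a-f]{32}\b", cmd):  # MD5-sized token passed as an argument
        reasons.append("32-hex-digit argument, typical of an install/campaign id")
    return reasons


def triage_driver(name: str, desc: str, path: str, created: date, log_date: date) -> list:
    """Reasons a service/driver entry deserves review; only looks at kernel drivers."""
    reasons = []
    if "\\drivers\\" not in path.lower():
        return reasons
    if name.lower() == desc.lower():
        reasons.append("service name reused as its own description")
    if re.fullmatch(r"[a-z]{7,12}", name):
        reasons.append("random-looking all-lowercase name")
    age = (log_date - created).days
    if 0 <= age <= RECENT_DAYS:
        reasons.append(f"file created {age} days before the log")
    return reasons


def triage_log(text: str) -> dict:
    """Return flagged autoruns and drivers; a hit is a triage hint, not a verdict."""
    log_date = None
    autoruns, drivers = [], []
    for line in text.splitlines():
        line = line.strip()
        m = LOG_DATE_RE.match(line)
        if m:
            log_date = date.fromisoformat(m.group(1))
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = triage_autorun(m.group("cmd"))
            if reasons:
                autoruns.append({"name": m.group("name"),
                                 "path": exe_path(m.group("cmd")), "reasons": reasons})
            continue
        m = SVC_RE.match(line)
        if m and log_date:
            created = date(int(m.group("y")), int(m.group("m")), int(m.group("d")))
            reasons = triage_driver(m.group("name"), m.group("desc"),
                                    m.group("path"), created, log_date)
            if len(reasons) >= 2:  # one weak signal alone is not worth a flag
                drivers.append({"name": m.group("name"), "start": m.group("start"),
                                "path": m.group("path"), "reasons": reasons})
    return {"log_date": log_date.isoformat() if log_date else None,
            "autoruns": autoruns, "drivers": drivers}


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for kind in ("autoruns", "drivers"):
        for hit in result[kind]:
            print(f"[{kind}] {hit['name']}: {hit['path']}")
            for reason in hit["reasons"]:
                print(f"    - {reason}")
```

On the sample, DownBook is flagged twice over (AppData path plus a 32-hex argument), which is the same call RogueKiller makes further down the thread with its [SUSP PATH] tag, and draupvxf.sys collects all three driver reasons. Google Update is also flagged, because it legitimately installs under AppData\Local; that is why the output is a review list and not a delete list.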


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:14 PM

Posted 02 December 2013 - 09:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
==============

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.

#3 jaws239

jaws239
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 02 December 2013 - 10:59 AM

Good morning, Nasdaq!

I just got online and printed the info.  I have a feeling it's going to take a while to get all these procedures done, but I'll let you know when I complete it!

Thank you!



#4 jaws239

jaws239
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 02 December 2013 - 11:47 AM

What I have so far...then a couple of questions.

By the way, the RogueKiller and AdwCleaner did NOT give me the option to save the programs on my Desktop before I had to start using them, but I'm guessing that's okay. I hope so!

 

Reports so far:

RogueKiller gave me two.  Neither had the [1] in the name.

1st report:

RogueKiller V8.7.9 _x64_ [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : jaws [Admin rights]
Mode : Scan -- Date : 12/02/2013 10:05:14
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] DownBook.exe -- C:\Users\jaws\AppData\Local\DownBook\DownBook.exe [-] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" 112981f53b5260810bfb4d3660b803ba 7 [-][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3656667226-3558794368-2189601730-1000\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" 112981f53b5260810bfb4d3660b803ba 7 [-][x]) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][Folder] plugs : C:\Users\jaws\AppData\Roaming\Adobe\plugs [-] --> FOUND
[Tr.Karagany][Folder] shed : C:\Users\jaws\AppData\Roaming\Adobe\shed [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\jaws\AppData\Local\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files (x86)\Google\Desktop\Install [-] --> FOUND
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
::1             localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9320325AS ATA Device +++++
--- User ---
[MBR] eec2043407d90a376ec417358f19bc69
[BSP] c6d68ba16ed0aefccc81f2edc02dc5bf : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 291893 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 597798912 | Size: 13348 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_12022013_100514.txt >>
 
 
 
 
2nd report:
RogueKiller V8.7.9 _x64_ [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : jaws [Admin rights]
Mode : Remove -- Date : 12/02/2013 10:07:33
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] DownBook.exe -- C:\Users\jaws\AppData\Local\DownBook\DownBook.exe [-] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" 112981f53b5260810bfb4d3660b803ba 7 [-][x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-3656667226-3558794368-2189601730-1000\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" 112981f53b5260810bfb4d3660b803ba 7 [-][x]) -> [0x2] The system cannot find the file specified. 
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][Folder] plugs : C:\Users\jaws\AppData\Roaming\Adobe\plugs [-] --> DELETED
[Tr.Karagany][Folder] shed : C:\Users\jaws\AppData\Roaming\Adobe\shed [-] --> DELETED
[ZeroAccess][Folder] Install : C:\Users\jaws\AppData\Local\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][Folder] Install : C:\Program Files (x86)\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][File] GoogleUpdate.exe : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\?��?��?��\?��?��?��\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\GoogleUpdate.exe [-] --> DELETED
[ZeroAccess][Folder] L : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\?��?��?��\?��?��?��\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L [-] --> DELETED
[ZeroAccess][Folder] U : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\?��?��?��\?��?��?��\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U [-] --> DELETED
[ZeroAccess][Folder] {ff24043d-55f8-5ce9-a20a-8337d9b4b888} : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\?��?��?��\?��?��?��\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} [-] --> DELETED
[ZeroAccess][Folder] ???ﯹ๛ : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\?��?��?��\?��?��?��\???ﯹ๛ [-] --> DELETED
[ZeroAccess][Folder] ?��?��?�� : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\?��?��?��\?��?��?�� [-] --> DELETED
[ZeroAccess][Folder] ?��?��?�� : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\?��?��?�� [-] --> DELETED
[ZeroAccess][Folder] {ff24043d-55f8-5ce9-a20a-8337d9b4b888} : C:\Users\jaws\AppData\Local\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} [-] --> DELETED
[ZeroAccess][Folder] L : C:\Program Files (x86)\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \...\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L [-] --> DELETED
[ZeroAccess][Folder] U : C:\Program Files (x86)\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \...\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U [-] --> DELETED
[ZeroAccess][Folder] {ff24043d-55f8-5ce9-a20a-8337d9b4b888} : C:\Program Files (x86)\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \...\???ﯹ๛\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} [-] --> DELETED
[ZeroAccess][Folder] ???ﯹ๛ : C:\Program Files (x86)\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \...\???ﯹ๛ [-] --> DELETED
[ZeroAccess][Folder] ... : C:\Program Files (x86)\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\   \... [-] --> DELETED
[ZeroAccess][Folder]     : C:\Program Files (x86)\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\    [-] --> DELETED
[ZeroAccess][Folder] {ff24043d-55f8-5ce9-a20a-8337d9b4b888} : C:\Program Files (x86)\Google\Desktop\Install\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} [-] --> DELETED
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
::1             localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9320325AS ATA Device +++++
--- User ---
[MBR] eec2043407d90a376ec417358f19bc69
[BSP] c6d68ba16ed0aefccc81f2edc02dc5bf : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 291893 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 597798912 | Size: 13348 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_12022013_100733.txt >>
RKreport[0]_S_12022013_100514.txt
 
 
 
 
ADWARE:
Okay. I admit I have no idea about 90% of the programs on my computer and what's important and what isn't. So, I have NO idea if I want to save ANY of the things listed on the initial report, or if I want to delete (Clean) all of them.
I know it's extra work, but before I delete/clean something important, I'd rather list the initial report and let you tell me. It seems to have several Microsoft file updates included.
Here it is
# AdwCleaner v3.014 - Report created 02/12/2013 at 10:14:54
# Updated 01/12/2013 by Xplode
# Operating System : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# Username : jaws - JAWS-PC
# Running from : C:\Users\jaws\Downloads\adwcleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Found C:\ProgramData\Babylon
Folder Found C:\Users\jaws\AppData\Local\Babylon
Folder Found C:\Users\jaws\AppData\Local\DownBook
Folder Found C:\Users\jaws\AppData\Local\WideSearch
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16520
 
 
-\\ Google Chrome v
 
[ File : C:\Users\jaws\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Found : homepage
Found : urls_to_restore_on_startup
Found : urls_to_restore_on_startup
 
*************************
 
AdwCleaner[R0].txt - [3475 octets] - [02/12/2013 10:14:54]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3535 octets] ##########
 
 
I'm sorry to be so ignorant, but I don't want to cause myself more problems deleting something that's important out of my ignorance!
Thanks!
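A small triage helper, added here as an example (it is not the thread's own code and not part of RogueKiller): it pairs each detection from a Scan-mode report with the same detection in the Remove-mode report and flags anything that did not end in a success state, so a removal that came back with an error, like the HKUS Run value above that returned [0x2], is not buried in the log. The sample lines are constructed to mirror the shape of the posted reports.

```python
"""Triage helper for RogueKiller-style reports (added example, not the thread's or
RogueKiller's code): flag Scan-run detections the Remove run did not clean up."""
import re
from dataclasses import dataclass

# Detection lines: "[TAG][TAG2] name : target [-] -> RESULT" (registry/process
# sections use "->", files/folders use "-->").  RESULT is FOUND, DELETED,
# REPLACED (n), KILLED [...] or an error like "[0x2] The system cannot find ...".
ENTRY_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s+(?P<name>.+?)\s+:\s+"
    r"(?P<target>.+?)\s+-+>\s+(?P<result>.+?)\s*$"
)
SUCCESS = ("DELETED", "REPLACED", "KILLED")

@dataclass(frozen=True)
class Entry:
    tags: tuple   # e.g. ("ZeroAccess", "Folder")
    name: str
    target: str
    result: str

    @property
    def key(self):
        """Identity of a detection, independent of which run reported it."""
        return (self.tags, self.name, self.target)

def parse_report(text):
    """Return {key: Entry} for every detection line; section headers are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            tags = tuple(re.findall(r"\[([^\]]+)\]", m.group("tags")))
            e = Entry(tags, m.group("name"), m.group("target"), m.group("result"))
            entries[e.key] = e
    return entries

def by_family(entries):
    """Count detections per leading tag (infection family or entry type)."""
    counts = {}
    for e in entries.values():
        counts[e.tags[0]] = counts.get(e.tags[0], 0) + 1
    return counts

def unresolved(scan_text, remove_text):
    """Scan detections whose Remove-run result is missing or not a success,
    as [(scan_entry, remove_result_or_None), ...]."""
    removed = parse_report(remove_text)
    out = []
    for key, e in parse_report(scan_text).items():
        r = removed.get(key)
        if r is None or not r.result.startswith(SUCCESS):
            out.append((e, r.result if r else None))
    return out

# Constructed sample lines mirroring the shape of the posted reports (SID shortened).
SCAN = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" [-][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-0\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" [-][x]) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[Tr.Karagany][Folder] plugs : C:\Users\jaws\AppData\Roaming\Adobe\plugs [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files (x86)\Google\Desktop\Install [-] --> FOUND
"""
REMOVE = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" [-][x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-0\[...]\Run : DownBook ("C:\Users\jaws\AppData\Local\DownBook\DownBook.exe" [-][x]) -> [0x2] The system cannot find the file specified.
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[Tr.Karagany][Folder] plugs : C:\Users\jaws\AppData\Roaming\Adobe\plugs [-] --> DELETED
[ZeroAccess][Folder] Install : C:\Program Files (x86)\Google\Desktop\Install [-] --> DELETED
"""
```

Running `unresolved(SCAN, REMOVE)` on the constructed sample returns only the HKUS Run entry with its `[0x2]` error, which is the one a helper would want to re-check after the reboot.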


#5 nasdaq


Posted 02 December 2013 - 02:42 PM

Unless you want to keep the eBay.lnk remove everything else.

#6 jaws239


Posted 02 December 2013 - 02:54 PM

Thanks!



#7 jaws239


Posted 02 December 2013 - 04:31 PM

Here's the JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows ™ Vista Home Premium x64
Ran by jaws on Mon 12/02/2013 at 14:04:19.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{682A7A5C-953E-4F46-BE75-B46823CC9E8B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F866DC5B-A053-40B9-BCDE-375ED3441201}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{F866DC5B-A053-40B9-BCDE-375ED3441201}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/02/2013 at 14:11:15.25
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
Fixing to download and do the ComboFix procedure!


#8 jaws239


Posted 02 December 2013 - 05:20 PM

HELP! I can't disable MSE.  I tried right-click, open, but it still comes up with the 

"An error has occurred in the program during initialization.  If this problem continues, please contact your system administrator.

Error code: 0x80073b01"

 

Any other options to disable it?

When I go to Control Panel, Security, Malware, it says MS is working as virus protection and as Spyware and other malware protection.

When I click on the "Show me the antispy programs on this computer" it shows Windows Defender (Off) and MS ON.  I don't know how else to turn off MSE...and, apparently ComboFix won't finish doing its procedures until MSE is turned off.

??

Thanks!



#9 nasdaq


Posted 03 December 2013 - 08:40 AM


There could still be some malware in the computer. Let's check the MASTER BOOT RECORD.

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    tdss1.png
  • Click Change parameters
    settings20121003115955.png
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    tdss3.png
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    tdss4.jpg
  • When it finishes, you will either see a report that no threats were found like below:
    tdss5.jpg
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    tdss7.jpg
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    tdss6.jpg
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

#10 jaws239


Posted 03 December 2013 - 09:54 AM

I realize I forgot to tell you an important detail in my prior post ... prior to trying to run ComboFix, I saw that Security said MSE was still running, but thought it was lying to me, trying to trick me.  So I tried running the ComboFix, which (as I remember) went through the box where it was backing up the Windows Registry (per the picture in the "How to Use ComboFix"). 

Then it came up with the box telling me that MSE was still running.

"Warning:

antivirus: MSE

antispyware: MSE

The above real time scanner(s) are still active but ComboFix shall continue to run.  Kindly note that this is at your own risk.

OK"

 

My SINCERE apologies for not making this clear yesterday.  My only excuse is that my brain was getting tired by then.

 

I still have that Warning box up, as I didn't know what to do.  I did NOT click "ok" because I didn't know what my "risk" was if I did.

I also don't know how to stop the ComboFix program, if that's what should be done before downloading and using the TDSSKiller.

 

Again, my apologies.  I'm going to let you see this post and advise me before I download TDSSKiller or do anything else.



#11 nasdaq


Posted 03 December 2013 - 11:39 AM

Click the OK button on the ComboFix message.
MSE should not interfere.

If it does, open your Task Manager (CTRL+ALT+DEL keys) and stop the process.
===

Post the Combofix log.

I will let you know if you need to run the TDSSKiller tool after my review.

#12 jaws239


Posted 03 December 2013 - 11:41 AM

Will do! Thanks!



#13 jaws239


Posted 03 December 2013 - 11:53 AM

Hmmm. Not sure what happened, but after I clicked "OK" on the ComboFix Warning, another box came up and said:

"You cannot rename ComboFix as ComboFix(1).

Please use another name, preferably made up of alphanumeric characters."

 

???  I don't see anything with "ComboFix" on my desktop.

I did Start, Search box: ComboFix ... only combofix.exe came up.   Tried ".txt"... didn't see anything that looked like ComboFix.

 

I tried Ctrl+Alt+Delete and it took me to screen saying:

Lock Computer

Switch User

Log off

Change password

Start Task Manager

Cancel ... I chose "Cancel"

 

I don't know what happened to ComboFix trying to run, and I didn't try to rename any file, regardless of what the box said.

 

Suggestions??



#14 nasdaq


Posted 03 December 2013 - 02:12 PM

Download ComboFix from any of the links below but rename it to jaws239 before saving it to your desktop. <- Important.

Link 1
Link 2

Now you should have the ComboFix logo on the Desktop.
Run it as an Administrator.

Post the log.

#15 jaws239


Posted 03 December 2013 - 02:39 PM

I'm confused.

 

1st confusion

If I understand, you realize

--I still can't turn off MSE.  

--That I haven't done the TDSSKiller program

--But you want me to download ComboFix again, and run it now ... right?

 

[Just fyi, when I looked in Task Manager, the only application running is the MSE Error Code.]

 

 

2nd confusion

None of the programs you've had me download even give me the option to save to Desktop, much less re-name.  They've all just opened with the "Run" box.  (I used Link 1 for ComboFix previously.  Maybe Link 2 will allow me to rename and save.)

 

Again, I'm going to wait until you see this before I re-download ComboFix and try running it again (apparently with MSE still running?).  I don't mean to be a "PITA," but just want to verify.





