Solved Embarrassed to have several virus infections

John Gr · Aug 7, 2012

Wow. I've had computers for 22+ years now and I've been incredibly safe. I've helped my inlaws remove several viruses but this is my first virus situation for me -- and it seems to be a doozy.

Last night, I noticed my computer playing strange sounds last night (nothing on screen), then I noticed Windows Update was off, Firewall was off, and MSE was uninstalled (no service). Anyway, I reinstalled MSE and found the following:

Vista x64 on Dell Studio Slim Desktop.

BlacoleRef.W
FakePAV
Sifeld.A
Sirefef.Y
Sirefef.W
Sirefef.AB

I'm actually in the middle of a migration to Win7 on the same box (W7 is located on a separate physical SSD drive -- not sure this matters, but I figured I'd mention it)

Help!! (and thanks in advance. I've read a few other threads and you all seem to be doing amazing work here)

John G

John Gr · Aug 7, 2012

I'll post logs from the '5 steps' as soon as I get home today.

Jay Pfoutz · Aug 7, 2012

Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information

From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
If you have already asked for help somewhere, please post the link to the topic you were helped.
We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.
Place a check next to List Drivers MD5 as well as the default check marks that are already there
Press Scan button.
type exit and reboot the computer normally
FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

John Gr · Aug 7, 2012

Here you are. I assume from the instructions that I do not need to report the outputs from the '5 steps'? Here is the output from frst64.exe....

Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
Ran by SYSTEM at 07-08-2012 21:24:23
Running from K:\
Windows Vista (TM) Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [PMX Daemon] ICO.EXE [x]
HKLM\...\Run: [LogMeIn GUI] "P:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [x]
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [AgentMonitor] "C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe" [357800 2011-12-12] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\John\...\Run: [GoodSync] "p:\Program Files\Siber Systems\GoodSync\GoodSync.exe" /min [x]
HKU\John\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\John\...\Run: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-01-07] (Google Inc.)
HKU\John\...\Run: [chromium] C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window [1229848 2012-07-30] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 71.243.0.12 68.237.161.12 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe (No File)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
ShortcutTarget: Conversion to PDF with ScanSnap Organizer.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Windows Home Server.lnk
ShortcutTarget: Windows Home Server.lnk -> C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe (Microsoft Corporation)
Startup: C:\Users\John\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

4 AcronisOSSReinstallSvc; "C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2217416 2007-02-26] ()
4 AcrSch2Svc; "C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe" [571424 2007-04-19] (Acronis)
2 AERTFilters; C:\Windows\System32\AERTSr64.exe [86016 2008-07-18] (Andrea Electronics Corporation)
2 arXfrSvc; "C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe" [231280 2011-01-10] (Microsoft Corporation)
2 esClient; "C:\Program Files\Windows Home Server\esClient.exe" [109936 2011-01-10] (Microsoft Corporation)
2 HPMSSConnectorSvc; "C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe" [20992 2009-10-05] (HP)
4 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [160272 2008-05-01] (Logitech, Inc.)
4 LoClntService; "C:\Program Files\Windows Home Server\LightsOutClientService.exe" [49152 2010-11-14] (AxoNet Software GmbH)
2 MediaCollectorService; "C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe" [81920 2009-10-05] (Hewlett-Packard Company)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 NovacomD; C:\Program Files\Palm, Inc\novacom\amd64\novacomd.exe [71168 2011-03-15] (Palm)
4 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)
2 TivoBeacon2; "C:\Program Files (x86)\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [868864 2008-07-09] (TiVo Inc.)
2 vmware-converter-agent; "C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe" -s "C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-agent.xml" [6285 2012-01-31] ()
2 vmware-converter-server; "C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe" -s "C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-server.xml" [4291 2012-01-31] ()
2 vmware-converter-worker; "C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe" -s "C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml" [6897 2012-01-31] ()
2 WHSConnector; "C:\Program Files\Windows Home Server\WHSConnector.exe" [489840 2011-01-10] (Microsoft Corporation)
4 wltrysvc; C:\Windows\System32\WLTRYSVC.EXE C:\Windows\System32\bcmwltry.exe [1889792 2007-08-07] (Dell Inc.)
2 APC UPS Service; C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe [x]
2 GsServer; C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe /service [x]
3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [x]
2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [x]
2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [x]
2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [x]
2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [x]
2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [x]
4 PD91Agent; "C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [x]
4 PD91Engine; "C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [x]
2 SessionLauncher; C:\Users\John\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
2 SkypeUpdate; "C:\Program Files (x86)\Skype\Updater\Updater.exe" [x]

========================== Drivers (Whitelisted) =============

3 bmdrvr; C:\Windows\SysWow64\Drivers\bmdrvr.sys [74352 2011-03-14] (VMware, Inc.)
1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [340880 2011-09-02] (EldoS Corporation)
3 libusb0; C:\Windows\System32\Drivers\libusb0.sys [43456 2011-09-22] (http://libusb-win32.sourceforge.net)
3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2008-07-24] (LogMeIn, Inc.)
2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2008-07-24] (LogMeIn, Inc.)
3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30232 2009-04-30] ()
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-04-30] ()
3 mr7910; C:\Windows\System32\Drivers\mr7910.sys [55808 2007-03-16] (Mars Semiconductor Corp.)
3 pmxmouse; C:\Windows\System32\Drivers\pmxmouse.sys [22016 2007-06-01] (Primax Electronics Ltd.)
3 pmxusblf; C:\Windows\System32\Drivers\pmxusblf.sys [24384 2007-05-24] (Primax Electronics Ltd.)
3 radpms; C:\Windows\System32\Drivers\radpms.sys [14944 2010-12-15] (LogMeIn, Inc.)
2 RtNdPt60; C:\Windows\System32\Drivers\RtNdPt60.sys [26624 2008-07-21] (Windows (R) Codename Longhorn DDK provider)
0 Si3531; C:\Windows\System32\Drivers\Si3531.sys [333864 2009-02-09] (Silicon Image, Inc)
0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [22568 2009-02-09] (Silicon Image, Inc.)
0 SiRemFil; C:\Windows\System32\Drivers\SiRemFil.sys [16936 2009-02-09] (Silicon Image, Inc.)
0 snapman; C:\Windows\System32\Drivers\snapman.sys [276064 2011-05-04] (Acronis)
3 ViaUsbModemDriver; C:\Windows\System32\DRIVERS\VIA_USB_MODEM.sys [28160 2011-10-04] ()
3 VIA_USB_ETS; C:\Windows\System32\Drivers\VIA_USB_ETS.sys [21760 2011-10-04] (Via Telecom, Inc.)
2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}; \??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl [146928 2009-04-02] (CyberLink Corp.)
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdLH6.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 iynwbebw; \??\C:\Windows\system32\drivers\iynwbebw.sys [x]
1 lcayddei; \??\C:\Windows\system32\drivers\lcayddei.sys [x]
2 LMIInfo; \??\P:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [x]
4 LMIRfsClientNP; [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 VBoxNetFlt; C:\Windows\System32\DRIVERS\VBoxNetFlt.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-08-07 21:24 - 2012-08-07 21:24 - 00000000 ____D C:\FRST
2012-08-06 19:02 - 2012-08-06 19:02 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-06 19:02 - 2012-08-06 19:02 - 00000000 ____D C:\Users\John\AppData\Roaming\Malwarebytes
2012-08-06 19:02 - 2012-08-06 19:02 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-06 19:02 - 2012-08-06 19:02 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-06 19:02 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-06 18:44 - 2012-08-06 18:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-06 18:44 - 2012-08-06 18:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

============ 3 Months Modified Files ========================

2012-08-07 17:15 - 2009-06-18 05:37 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-08-07 17:15 - 2006-11-02 07:42 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-07 17:15 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-07 17:15 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-07 17:15 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-07 17:02 - 2012-04-11 19:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-07 16:56 - 2010-01-07 19:47 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351272357-4184536305-1135799588-1000UA.job
2012-08-07 16:56 - 2010-01-07 19:47 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351272357-4184536305-1135799588-1000Core.job
2012-08-07 16:45 - 2006-11-02 04:46 - 00710782 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-07 16:44 - 2008-11-04 07:00 - 01917853 ____A C:\Windows\WindowsUpdate.log
2012-08-07 16:38 - 2012-01-27 19:46 - 00023728 ____A C:\Windows\PFRO.log
2012-08-07 16:38 - 2011-10-06 08:16 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-07 16:38 - 2008-11-07 08:56 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-08-07 16:38 - 2008-11-04 12:14 - 00000288 ____A C:\Windows\Tasks\RtlNICDiagVistaStart.job
2012-08-07 16:33 - 2012-01-27 19:41 - 00020339 ____A C:\Windows\setupact.log
2012-08-07 15:34 - 2011-10-06 08:16 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-06 19:02 - 2012-08-06 19:02 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-06 18:44 - 2011-02-06 13:11 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-06 18:44 - 2009-06-03 12:09 - 00725630 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-02 11:02 - 2012-04-11 19:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-02 11:02 - 2011-06-18 06:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-29 06:41 - 2008-11-07 10:01 - 00074240 ____A C:\Users\John\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-12 11:53 - 2008-11-11 18:59 - 00087488 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2012-07-12 11:53 - 2008-11-11 18:59 - 00080800 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2012-07-12 11:53 - 2008-11-11 18:59 - 00034720 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-07-03 09:46 - 2012-08-06 19:02 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-01 18:59 - 2012-07-01 18:59 - 00000888 ____A C:\Users\Public\Desktop\GoodSync Explorer.lnk
2012-07-01 18:59 - 2012-07-01 18:59 - 00000878 ____A C:\Users\Public\Desktop\GoodSync.lnk
2012-06-13 23:27 - 2006-11-02 07:21 - 00456976 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 23:04 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-02 14:19 - 2012-06-19 00:14 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-19 00:14 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-19 00:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-19 00:14 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-19 00:14 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-19 00:14 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-19 00:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-19 00:14 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-19 00:14 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-19 00:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 11:19 - 2012-06-19 00:14 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:19 - 2012-06-19 00:14 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 11:15 - 2012-06-19 00:14 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 11:12 - 2012-06-19 00:14 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-05-26 06:57 - 2012-05-26 06:57 - 00000904 ____A C:\Users\Public\Desktop\Flixster Collections.lnk
2012-05-21 07:24 - 2008-11-11 18:59 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll.000.bak
2012-05-17 18:47 - 2012-06-13 23:08 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 23:08 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 23:08 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 23:08 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 23:08 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 23:08 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 23:08 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 23:08 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 23:08 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 23:08 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 23:08 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 23:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 23:08 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 23:08 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 23:08 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 23:08 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 23:08 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 23:08 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 23:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 23:08 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 23:08 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 23:08 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 23:08 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 23:08 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 23:08 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 23:08 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 23:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 23:08 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-15 12:15 - 2012-06-13 04:19 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

ZeroAccess:
C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}
C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\@
C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\L
C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\U
C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\U\00000001.@

ZeroAccess:
C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}
C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\@
C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\L
C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\U

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 8191.18 MB
Available physical RAM: 7346.39 MB
Total Pagefile: 8189.33 MB
Available Pagefile: 7349.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:10.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: () (Fixed) (Total:111.79 GB) (Free:67.11 GB) NTFS
3 Drive f: (Media_Local) (Fixed) (Total:1849.01 GB) (Free:141.93 GB) NTFS
4 Drive g: (Programs) (Fixed) (Total:34.18 GB) (Free:23.2 GB) NTFS
5 Drive h: (John_Active) (Fixed) (Total:78.12 GB) (Free:27.71 GB) NTFS
6 Drive I: (RECOVERY) (Fixed) (Total:15 GB) (Free:8 GB) NTFS
7 Drive j: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
8 Drive k: () (Removable) (Total:14.9 GB) (Free:14.89 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (Page_File2) (Fixed) (Total:14 GB) (Free:13.91 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 1863 GB 1024 KB
Disk 1 Online 111 GB 0 B
Disk 2 Online 698 GB 512 GB
Disk 3 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 31 KB
Partition 0 Extended 1849 GB 14 GB
Partition 2 Logical 1849 GB 14 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y Page_File2 NTFS Partition 14 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F Media_Local NTFS Partition 1849 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 111 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 62 MB 31 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 58 GB 15 GB
Partition 0 Extended 624 GB 73 GB
Partition 4 Logical 34 GB 73 GB
Partition 5 Logical 78 GB 107 GB

==================================================================================

Disk: 2
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 9 FAT Partition 62 MB Healthy Hidden

==================================================================================

Disk: 2
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 I RECOVERY NTFS Partition 15 GB Healthy

==================================================================================

Disk: 2
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 C OS NTFS Partition 58 GB Healthy

==================================================================================

Disk: 2
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 G Programs NTFS Partition 34 GB Healthy

==================================================================================

Disk: 2
Partition 5
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 H John_Active NTFS Partition 78 GB Healthy

==================================================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

==================================================================================

Disk: 3
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 K FAT32 Removable 14 GB Healthy

==================================================================================

==========================================================

Last Boot: 2012-08-07 16:47

======================= End Of Log ==========================

Jay Pfoutz · Aug 8, 2012

Yeah, we'll work on the difficult infections here. It is so much easier with FRST, to defeat these infections with Sirefef/ZeroAccess.

FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}
C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}
1 iynwbebw; \??\C:\Windows\system32\drivers\iynwbebw.sys [x]
1 lcayddei; \??\C:\Windows\system32\drivers\lcayddei.sys [x]
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.

John Gr · Aug 8, 2012

Here it is:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03
Ran by SYSTEM at 2012-08-08 07:39:19 Run:1
Running from K:\

==============================================

C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962} moved successfully.
C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962} moved successfully.
iynwbebw service deleted successfully.
lcayddei service deleted successfully.

==== End of Fixlog ====

Jay Pfoutz · Aug 9, 2012

Reboot to Normal Mode....

Download RogueKiller and save it on your desktop.
Quit all programs
Start RogueKiller.exe.
Wait until Prescan has finished ...
Click on Scan

Wait for the end of the scan.
The report has been created on the desktop.
Click on the Delete button.

The report has been created on the desktop.

Next click on the ShortcutsFix
The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.

ComboFix

Please download ComboFix

by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:

Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
It is important to rename ComboFix before the download.
Please do not rename ComboFix to other names, but only the one indicated.

After the download:

Close any open browsers.
Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

Double click on svchost.exe & follow the prompts.
It will attempt to install the Recovery Console:

When ComboFix finishes, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

John Gr · Aug 9, 2012

First Rogue Killer reports

Report #1

RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: John [Admin rights]
Mode: Scan -- Date: 08/09/2012 07:49:18

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\n.) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[SUSP PATH] [ON_U:John]HKCU[...]\Run : SkyDrive ("C:\Users\John\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD20EARS-00MVWB0 ATA Device +++++
--- User ---
[MBR] 10bf54fa478bf4dd64f0a9a2e505f98a
[BSP] 5adffb78211c9245ccca6b7913bffae9 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 14339 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 29366820 | Size: 1893387 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: MKNSSDCR120GB ATA Device +++++
--- User ---
[MBR] b74f92034419a9c590fc7413b9357169
[BSP] 44dffe2f3e8c8d0d08b4ee29a9094cbb : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: Hitachi HDS721075KLA330 ATA Device +++++
--- User ---
[MBR] 9b4a2189e4a0829c6d968f248975047a
[BSP] 346b64ba3606b9c23b53a66f6abcac30 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31599855 | Size: 59992 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 154466304 | Size: 639980 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: SAMSUNG HD204UI SCSI Disk Device +++++
--- User ---
[MBR] 9204206dc748ddec7e70c3e39ab051f1
[BSP] ba608aacb11e892794de693dd8132959 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] a124dc1f32b91ceacb765c7a5ad6ec2e
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

Report #2

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: John [Admin rights]
Mode: Remove -- Date: 08/09/2012 07:51:09

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\n.) -> REPLACED (c:\windows\system32\shell32.dll)
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[SUSP PATH] [ON_U:John]HKCU[...]\Run : SkyDrive ("C:\Users\John\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" /background) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD20EARS-00MVWB0 ATA Device +++++
--- User ---
[MBR] 10bf54fa478bf4dd64f0a9a2e505f98a
[BSP] 5adffb78211c9245ccca6b7913bffae9 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 14339 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 29366820 | Size: 1893387 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: MKNSSDCR120GB ATA Device +++++
--- User ---
[MBR] b74f92034419a9c590fc7413b9357169
[BSP] 44dffe2f3e8c8d0d08b4ee29a9094cbb : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: Hitachi HDS721075KLA330 ATA Device +++++
--- User ---
[MBR] 9b4a2189e4a0829c6d968f248975047a
[BSP] 346b64ba3606b9c23b53a66f6abcac30 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31599855 | Size: 59992 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 154466304 | Size: 639980 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: SAMSUNG HD204UI SCSI Disk Device +++++
--- User ---
[MBR] 9204206dc748ddec7e70c3e39ab051f1
[BSP] ba608aacb11e892794de693dd8132959 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] a124dc1f32b91ceacb765c7a5ad6ec2e
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Report #3

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: John [Admin rights]
Mode: Shortcuts HJfix -- Date: 08/09/2012 07:57:33

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 4 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 6 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 3102 / Fail 0
My documents: Success 4 / Fail 0
My favorites: Success 2 / Fail 0
My pictures: Success 127 / Fail 0
My music: Success 4 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 1617 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume7 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume10 -- 0x2 --> Restored
[J:] \Device\HarddiskVolume9 -- 0x3 --> Restored
[M:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[P:] \Device\HarddiskVolume8 -- 0x3 --> Restored
[Q:] \Device\LanmanRedirector\;Q:0000000000027ce9\SIERRANET-HP\Videos -- 0x4 --> Skipped
[S:] \Device\LanmanRedirector\;S:0000000000027ce9\SIERRANET-HP\Software -- 0x4 --> Skipped
[T:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[U:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[X:] \Device\LanmanRedirector\;X:0000000000027ce9\192.168.1.14\memory_card -- 0x4 --> Skipped
[Y:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[Z:] \Device\HarddiskVolume6 -- 0x3 --> Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

John Gr · Aug 9, 2012

Now ComboFix Log

A few notes on the Combofix run. I suppose these would be in the log, but thought I'd also mention here:

I noticed on a few occasions in the window while watching it run that it said it did not have Admin rights to perform some function or another.... (Since it was not in the instructions, I had not it with 'run as Admin')
At some point, the computer rebooted. I assume it was after Combofix completed it's run, but I'm not 100% sure about that (from the log below, that seems to be the case... but since it wasn't noted, I wanted to be sure that was normal).

Log file:

ComboFix 12-08-08.03 - John 08/09/2012 8:14.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.4814 [GMT -4:00]
Running from: j:\a-my docs\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFR90F2.tmp
c:\program files (x86)\Common Files\Help
c:\program files (x86)\Common Files\Help\_updated.js
c:\program files (x86)\Common Files\Help\qnue.chm
c:\program files (x86)\Common Files\Help\qnue.lif
c:\program files (x86)\Common Files\Help\qnue.lt3
c:\program files (x86)\Common Files\Help\qnue.rul
c:\program files (x86)\Common Files\Help\quicken.chm
c:\program files (x86)\Common Files\Help\quicken.lif
c:\program files (x86)\Common Files\Help\Quicken.lt3
c:\program files (x86)\Common Files\Help\Quicken.rul
c:\program files (x86)\Common Files\Help\quickenProject.lt3
c:\program files (x86)\Common Files\Help\quickenProject.rul
c:\programdata\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
c:\programdata\tmp574A.tmp
c:\users\John\AppData\Roaming\inst.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
.
.
2012-08-09 12:26 . 2012-08-09 12:32 -------- d-----w- c:\users\John\AppData\Local\temp
2012-08-09 12:26 . 2012-08-09 12:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-08 05:24 . 2012-08-08 05:24 -------- d-----w- C:\FRST
2012-08-07 03:02 . 2012-08-07 03:02 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2012-08-07 03:02 . 2012-08-07 03:02 -------- d-----w- c:\programdata\Malwarebytes
2012-08-07 03:02 . 2012-08-07 03:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-07 03:02 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-07 02:45 . 2012-02-09 18:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7D7A409E-578C-4A92-B933-B33827A8C382}\gapaengine.dll
2012-08-07 02:45 . 2012-07-16 06:40 9133488 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E305B96-7E68-4B73-83E2-56D1E6CD0D36}\mpengine.dll
2012-08-07 02:44 . 2012-08-07 02:44 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-07 02:44 . 2012-08-07 02:44 -------- d-----w- c:\program files\Microsoft Security Client
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 19:02 . 2012-04-12 03:15 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-02 19:02 . 2011-06-18 14:50 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 19:53 . 2008-11-12 02:59 87488 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 19:53 . 2008-11-12 02:59 34720 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 19:53 . 2008-11-12 02:59 80800 ----a-w- c:\windows\system32\LMIinit.dll
2012-06-14 07:04 . 2006-11-02 12:35 58957832 ----a-w- c:\windows\system32\mrt.exe
2012-06-02 22:19 . 2012-06-19 08:14 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 08:14 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 08:14 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 08:14 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 08:14 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-19 08:14 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 08:14 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-19 08:14 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 08:14 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-19 08:14 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 19:19 . 2012-06-19 08:14 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:19 . 2012-06-19 08:14 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 19:15 . 2012-06-19 08:14 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 19:12 . 2012-06-19 08:14 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-05-21 15:24 . 2008-11-12 02:59 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-05-18 02:47 . 2012-06-14 07:08 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-05-18 02:16 . 2012-06-14 07:08 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-05-18 02:06 . 2012-06-14 07:08 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-05-18 01:59 . 2012-06-14 07:08 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-05-18 01:59 . 2012-06-14 07:08 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-05-18 01:58 . 2012-06-14 07:08 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-18 01:58 . 2012-06-14 07:08 237056 ----a-w- c:\windows\system32\url.dll
2012-05-18 01:56 . 2012-06-14 07:08 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-18 01:55 . 2012-06-14 07:08 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-18 01:55 . 2012-06-14 07:08 818688 ----a-w- c:\windows\system32\jscript.dll
2012-05-18 01:54 . 2012-06-14 07:08 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-05-18 01:51 . 2012-06-14 07:08 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-05-18 01:51 . 2012-06-14 07:08 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-18 01:47 . 2012-06-14 07:08 248320 ----a-w- c:\windows\system32\ieui.dll
2012-05-17 22:45 . 2012-06-14 07:08 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-05-17 22:35 . 2012-06-14 07:08 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-17 22:35 . 2012-06-14 07:08 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-05-17 22:29 . 2012-06-14 07:08 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-05-17 22:24 . 2012-06-14 07:08 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-05-15 20:15 . 2012-06-13 12:19 2767360 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1EldosIconOverlay]
@="{8D4EFDB2-27FE-4C66-A65C-EECB7CFA18E7}"
[HKEY_CLASSES_ROOT\CLSID\{8D4EFDB2-27FE-4C66-A65C-EECB7CFA18E7}]
2011-09-02 18:33 158224 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2011-09-02 18:33 158224 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoodSync"="p:\program files\Siber Systems\GoodSync\GoodSync.exe" [2012-06-26 10588376]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"chromium"="c:\users\John\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-08-07 1229848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AgentMonitor"="c:\program files (x86)\VTech\DownloadManager\System\AgentMonitor.exe" [2011-12-13 357800]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\John\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - p:\program files (x86)\APC\APC PowerChute Personal Edition\Display.exe [2009-7-8 267520]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files (x86)\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2010-9-22 15360]
ScanSnap Manager.lnk - c:\program files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe [2010-9-22 1056768]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-10-26 666992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-02 250056]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [2008-07-18 86016]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 19:02]
.
2011-05-29 c:\windows\Tasks\GoodSync - Video - DVD Rips.job
- p:\program files\Siber Systems\GoodSync\gsync.exe [2012-06-26 03:55]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-06 16:16]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-06 16:16]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351272357-4184536305-1135799588-1000Core.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-08 03:47]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351272357-4184536305-1135799588-1000UA.job
- c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-08 03:47]
.
2012-08-09 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files (x86)\Realtek\RTNICDiag\RTNICDiag.exe [2008-11-04 11:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0WualaOverlayIcon1]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2011-05-26 14:11 592384 ----a-w- c:\program files (x86)\Wuala OverlayIcons\OverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0WualaOverlayIcon2]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2011-05-26 14:11 592384 ----a-w- c:\program files (x86)\Wuala OverlayIcons\OverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0WualaOverlayIcon3]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2011-05-26 14:11 592384 ----a-w- c:\program files (x86)\Wuala OverlayIcons\OverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0WualaOverlayIcon4]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2011-05-26 14:11 592384 ----a-w- c:\program files (x86)\Wuala OverlayIcons\OverlayIcon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1EldosIconOverlay]
@="{8D4EFDB2-27FE-4C66-A65C-EECB7CFA18E7}"
[HKEY_CLASSES_ROOT\CLSID\{8D4EFDB2-27FE-4C66-A65C-EECB7CFA18E7}]
2011-09-02 18:33 158224 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2011-09-02 18:33 191504 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6431232]
"PMX Daemon"="ICO.EXE" [2006-11-08 91648]
"LogMeIn GUI"="p:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2008-07-24 57928]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 242192]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://mail.google.com/mail/u/0/?shva=1#sent
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Send image to &Bluetooth Device... - p:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - p:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: amazon.com\www
Trusted Zone: homeserver.com\sierranet-hp
Trusted Zone: hpshare.net\www.sierranet
Trusted Zone: intuit.com\ttlc
Trusted Zone: member-data.com\www
TCP: DhcpNameServer = 71.243.0.12 68.237.161.12 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\hylrm7mr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=WLEM
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - p:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - p:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - p:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - p:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - p:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - p:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - p:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-Skytel - Skytel.exe
AddRemove-Asset Control - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp DSP Effects - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{5FF49FE8-B332-4CB9-B102-FB6951629E55}"=hex:51,66,7a,6c,4c,1d,38,12,86,9c,e7,
5b,00,fd,d7,09,ce,14,b8,29,54,3c,da,41
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:14,bc,79,15,5d,37,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ee,f0,9b,0f,16,79,65,4e,a9,83,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ee,f0,9b,0f,16,79,65,4e,a9,83,aa,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
p:\program files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
p:\program files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2012-08-09 08:48:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-09 12:48
.
Pre-Run: 11,105,431,552 bytes free
Post-Run: 11,651,383,296 bytes free
.
- - End Of File - - C05A2458F60A37592EA9025673248587

Jay Pfoutz · Aug 9, 2012

That's okay. ComboFix uses SwearWare and a dummy kernel mode driver to elevate its permissions to Admin level.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

John Gr · Aug 10, 2012

Hi DMJ.

Hmmm.... I ended up running ESET scanner twice. My wife or son must have interrupted the first by closing the window (I don't know if that happened during or after it ran), so I never saw ESET Scanner's "finished" window. However, I did look at the log file after the first run and it seemed to me like it hadn't finished correctly since it was only 4 lines. (It looked basically the same as what I will paste below. So overnight, I ran it again. It ran for more than 4 hours (I have almost 5TB of drives and files on this monster).

This morning, the "finished" screen reported 800,000+ files scanned and no infections found, no files cleaned. I closed that window without grabbing a screen capture. However, the log file doesn't show anything about the scan itself, just some basic installation logs (seemingly...) The time stamp on the log file is from when I started the scan and not from when I finished it.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

The log file was actually at: C:\Program Files (x86)\ESET\ESET Online Scanner\Quarantine

Also there appears to be a few files in the Quarantine folder from the first time it ran.... I have uploaded a screenshot of those files and will upload the files themselves if you ask.

Anyway, let me know if this looks wrong... (and sorry if I'm over-reporting this, I just wanted to pass along my thoughts since It seemed wrong to me.

Thanks

John

Jay Pfoutz · Aug 11, 2012

That's fine! Excellent work.

Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

Go to Control Panel and select System and Maintenance
Select System
On the left select Advance System Settings and accept the warning if you get one
Select System Protection Tab
Select Create at the bottom
Type in a name I.e. Clean
Select Create

Now we can purge the infected ones

Go back to the System and Maintenance page
Select Performance Information and Tools
On the left select Open Disk Cleanup
Select Files from all users and accept the warning if you get one
In the drop down box select your main drive I.e. C
For a few moments the system will make some calculations:
Select the More Options tab
In the System Restore and Shadow Backups select Clean up
Select Delete on the pop up
Select OK
Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:

Cleaned System Restore
Ran OTC
Ran CCleaner
Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

John Gr · Aug 11, 2012

Cleaned System Restore
Ran OTC
Ran CCleaner
Ran Security Check

Computer seems to be running fine, except that:

MSE Definitions update fails (I have not tried an uninstall / reinstall, but that would be my guess...)
Windows firewall service is not running and cannot be turned on at the moment.(see attached image)

Security Check Log:

Results of screen317's Security Check version 0.99.43
Windows Vista Service Pack 2 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java(TM) 6 Update 26
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player10.0.42.34 Flash Player out of Date!
Adobe Reader X (10.1.3)
Mozilla Firefox (3.0.3) Firefox out of Date!
Mozilla Thunderbird (3.1.19) Thunderbird out of Date!
Google Chrome 21.0.1180.60
Google Chrome 21.0.1180.75
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

John Gr · Aug 11, 2012

By the way, I assume I should update Jave and Flash as well as firefox and thunderbird (neither of which I really use any more). I won'd do this until you say so...

Jay Pfoutz · Aug 12, 2012

Yes a reinstall of MSE is best so its services can be fixed.

Follow this to fix Windows Firewall problems: http://support.microsoft.com/mats/windows_firewall_diagnostic/en-us

Update Firefox

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.

Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Update Java

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems

John Gr · Aug 12, 2012

I'm in the process of fixing these things now, but most notably, the Windows Firewall Repair tool was not able to solve the problem...

Also, I just noticed that Windows Update fails... (see attached).

Is it possible that the virus removed (deleted permanently) files, services, or dlls related to these processes?

John Gr · Aug 13, 2012

After some googling today, I have found and fixed both of my remaining problems:

In case you run into any others with these issues after the virus removal, here is what worked for me...

For Windows Update failure, it was returning the error: [FONT=Arial] "errors found code 80246008" This was [/FONT]caused by the BITS service being removed / unregistered from services. To add it back I had to do:

At an elevated command prompt: [FONT=Arial]sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto Then either restart, or go into Services (run: services.msc) and restart it yourself.[/FONT]

Source: http://answers.microsoft.com/en-us/...bits-not/c69ba6ad-bf60-4e53-9b7b-f97e9436e529

For Windows Firewall Service Failing to start, it was returning the error [FONT=Verdana]"1068: dependancy service or group failed to start"[/FONT] It turns out it was the Base Filter Engine service which would not start. The reasons are beyond my skill set, but explained in the link below. To add it back I followed instructions here:

Requires registry edits...

[FONT=Segoe UI][FONT=inherit][FONT=Calibri]1. Browse to the location for the BFE service in the registry (HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy), right click and select permissions.[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]2. In the "Permissions for Policy" window, click advanced | Add.[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]3. Once the "Select Users, Computers or Group" box appears, change the "From this location:" to point to the local machine name.[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]4. After changing the search location, enter "NT Service\BFE" in the "Enter the object name to select" box and click "Check names" - this will allow you to add the BFE account.[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]5. Give the following privileges to the BFE account:[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=Calibri] [/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]Query Value[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]Set Value[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]Create Subkey[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]Enumerate Subkeys[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]Notify[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]Read Control[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=Calibri] [/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri]After adding the BFE account to the registry key, please try to start the Base Filtering Engine service and then the Windows Firewall service.[/FONT][/FONT][/FONT]
[FONT=Segoe UI][FONT=inherit][FONT=Calibri][/FONT][/FONT][/FONT]

Source:http://social.technet.microsoft.com.../thread/d8e59632-fca9-4bbd-b748-881af144706a/

Jay Pfoutz · Aug 13, 2012

Good job!

Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

Any other questions before I mark this topic solved?

Jay Pfoutz · Aug 18, 2012

Topic marked as solved. √

Solved Embarrassed to have several virus infections

Posts: 11 +0

Posts: 11 +0

Posts: 4,279 +49

Posts: 11 +0

Posts: 4,279 +49

Posts: 11 +0

Posts: 4,279 +49

Posts: 11 +0

Posts: 11 +0

Posts: 4,279 +49

Posts: 11 +0

Attachments

Posts: 4,279 +49

Posts: 11 +0

Attachments

Posts: 11 +0

Posts: 4,279 +49

Posts: 11 +0

Attachments

Posts: 11 +0

Posts: 4,279 +49

Posts: 4,279 +49

Similar threads