Solved Hi - TrojanZeroAccessinf - please bail me out!

Hi Broni

Here's the checkup.txt log

I did get the following message when I ran it:

AutoIt Error
Line 1
Error: Variable must be of the type "Object"

After acknowledging the error by clicking OK, Security Check ran fine.

FSS.txt log coming next

Results of screen317's Security Check version 0.99.51
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Java(TM) 6 Update 31
Java(TM) SE Runtime Environment 6 Update 1
Java version out of Date!
Adobe Flash Player 11.3.300.271
Adobe Reader X (10.1.4)
Mozilla Firefox (for.)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
 
Hi Broni

Here's the FSS.txt log

Entries in the checkup.txt log above turned red by themselves!

AdwCleaner[R1].txt log coming next

Farbar Service Scanner Version: 06-08-2012
Ran by Mark (administrator) on 17-09-2012 at 10:11:39
Running from "C:\Users\Mark\Downloads"
Windows Vista (TM) Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
 
Hi Broni

Here's the AdwCleaner(R1).txt log

Will run TFC next - no log?

# AdwCleaner v2.002 - Logfile created 09/17/2012 at 10:18:08
# Updated 16/09/2012 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : Mark - MARK-PC
# Boot Mode : Normal
# Running from : C:\Users\Mark\Downloads\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****
Folder Found : C:\Program Files\Viewpoint
Folder Found : C:\ProgramData\Viewpoint
***** [Registry] *****
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\SOFTWARE\Software
Key Found : HKLM\Software\Viewpoint
Key Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Found : HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
-\\ Google Chrome v21.0.1180.89
File : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [2929 octets] - [17/09/2012 10:18:08]
########## EOF - C:\AdwCleaner[R1].txt - [2989 octets] ##########
 
Hi Broni

Ran TFC

My side bar has disappeared (clock and calendar) but they will be easy to restore.

I did get the following message when I closed AdwCleaner:

'By only using Search Mode AdwCleaner has not removed detected items. To perform the deletion of items found, restart AdwCleaner and then click on 'Delete', unless you were asked to use only the search mode'.

I accepted the message as I was using search mode only

ESET Online Scanner next
 
Hi Broni

Here's the ESETScan log

C:\TDSSKiller_Quarantine\08.09.2012_17.15.34\zasubsys0000\file0000\tsk0000.dta Win32/Sirefef.FB.Gen trojan deleted - quarantined
C:\Users\Mark\Documents\IWONGlobal.exe Win32/Toolbar.MyWebSearch application deleted - quarantined
 
Hi Broni

Computer definitely running faster, but...

a) cannot find side bar - clock, calendar etc

b) no sound - no response to mute, volume up / down buttons on keyboard, no sound through headphones
 
Is your Norton 360 in working condition?
I don't see it listed by Security Check.

================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

===================================

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Next...

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

====================================

We have some registry keys missing so...

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

Go to Step 4 and under "System Restore" click on Create button:

Go to Start Repairs tab and click Start button.

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Click on the box next to Restart System when Finished. Then click on Start.

Post new FSS log.
 
Hi Broni - many thanks

Here's the AdwCleaner(S1).txt.log

I uninstalled Norton 360 - I think it was causing the computer to be unstable, continually shutting down / restarting. The error message I kept getting pointed to a fault with Norton itself, so I uninstalled it - the computer stabilised immediately. I had only installed it a week last Friday - it detected the ZeroAccess trojan, but appeared to be problematic since, so I decided Norton had to go.

# AdwCleaner v2.002 - Logfile created 09/17/2012 at 17:58:15
# Updated 16/09/2012 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# User : Mark - MARK-PC
# Boot Mode : Normal
# Running from : C:\Users\Mark\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\ProgramData\Viewpoint
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Software
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
-\\ Google Chrome v21.0.1180.89
File : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [3058 octets] - [17/09/2012 10:18:08]
AdwCleaner[S1].txt - [3037 octets] - [17/09/2012 17:58:15]
########## EOF - C:\AdwCleaner[S1].txt - [3097 octets] ##########
 
Hi Broni

Here's the Windows Repair log

Starting Repairs...
Start (17/09/2012 19:31:26)
Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (17/09/2012 19:31:26)
Done (17/09/2012 19:31:33)
Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (17/09/2012 19:31:33)
Done (17/09/2012 19:34:49)
Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (17/09/2012 19:34:49)
Done (17/09/2012 19:35:15)
Reset File Permissions 01/18
C:\Boot & Sub Folders
Start (17/09/2012 19:35:15)
Done (17/09/2012 19:35:17)
Reset File Permissions 02/18
C:\DKMM & Sub Folders
Start (17/09/2012 19:35:17)
Done (17/09/2012 19:35:20)
Reset File Permissions 03/18
C:\Games & Sub Folders
Start (17/09/2012 19:35:20)
Done (17/09/2012 19:35:22)
Reset File Permissions 04/18
C:\hiberfil.sys & Sub Folders
Start (17/09/2012 19:35:22)
Done (17/09/2012 19:35:28)
Reset File Permissions 05/18
C:\hp & Sub Folders
Start (17/09/2012 19:35:28)
Done (17/09/2012 19:35:47)
Reset File Permissions 06/18
C:\MMAPP & Sub Folders
Start (17/09/2012 19:35:47)
Done (17/09/2012 19:35:49)
Reset File Permissions 07/18
C:\NBRT & Sub Folders
Start (17/09/2012 19:35:49)
Done (17/09/2012 19:35:52)
Reset File Permissions 08/18
C:\PerfLogs & Sub Folders
Start (17/09/2012 19:35:52)
Done (17/09/2012 19:35:54)
Reset File Permissions 09/18
C:\Program Files & Sub Folders
Start (17/09/2012 19:35:54)
Done (17/09/2012 19:45:05)
Reset File Permissions 10/18
C:\ProgramData & Sub Folders
Start (17/09/2012 19:45:05)
Done (17/09/2012 19:46:03)
Reset File Permissions 11/18
C:\Qoobox & Sub Folders
Start (17/09/2012 19:46:03)
Done (17/09/2012 19:46:06)
Reset File Permissions 12/18
C:\Setup & Sub Folders
Start (17/09/2012 19:46:06)
Done (17/09/2012 19:46:08)
Reset File Permissions 13/18
C:\TDSSKiller_Quarantine & Sub Folders
Start (17/09/2012 19:46:08)
Done (17/09/2012 19:46:11)
Reset File Permissions 14/18
C:\temp & Sub Folders
Start (17/09/2012 19:46:11)
Done (17/09/2012 19:46:13)
Reset File Permissions 15/18
C:\Tweaking.com_Windows_Repair_Logs & Sub Folders
Start (17/09/2012 19:46:13)
Done (17/09/2012 19:46:15)
Reset File Permissions 16/18
C:\Windows & Sub Folders
Start (17/09/2012 19:46:15)
Done (17/09/2012 19:53:32)
Reset File Permissions 17/18
C:\_OTL & Sub Folders
Start (17/09/2012 19:53:32)
Done (17/09/2012 19:53:34)
Reset File Permissions 18/18
C:\_torrents & Sub Folders
Start (17/09/2012 19:53:34)
Done (17/09/2012 19:53:59)
Register System Files
Start (17/09/2012 19:53:59)
Done (17/09/2012 19:54:10)
Repair WMI
Start (17/09/2012 19:54:10)
Step 01/03 - Deleting WMI Repository...
The system cannot find the path specified.
Step 02/03 - Rebuilding WMI Repository...
Step 03/03 - Registering WMI...
Invalid Global Switch.
Done (17/09/2012 19:54:52)
Repair Windows Firewall
Start (17/09/2012 19:54:52)
The Windows Firewall service is not started.
More help is available by typing NET HELPMSG 3521.
System error 1060 has occurred.
The specified service does not exist as an installed service.
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
Done (17/09/2012 19:55:04)
Repair Internet Explorer
Start (17/09/2012 19:55:04)
Done (17/09/2012 19:55:11)
Remove Policies Set By Infections
Start (17/09/2012 19:55:11)
Done (17/09/2012 19:55:13)
Repair Winsock & DNS Cache
Start (17/09/2012 19:55:13)
Done (17/09/2012 19:55:20)
Repair Proxy Settings
Start (17/09/2012 19:55:20)
Done (17/09/2012 19:55:22)
Repair Windows Updates
Start (17/09/2012 19:55:22)
System error 1060 has occurred.
The specified service does not exist as an installed service.
The Windows Update service is not started.
More help is available by typing NET HELPMSG 3521.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
C:\Windows\system32\catroot2\edb.log - The process cannot access the file because it is being used by another process.
C:\Windows\system32\catroot2\{127D0~1\catdb - The process cannot access the file because it is being used by another process.
C:\Windows\system32\catroot2\{F750E~1\catdb - The process cannot access the file because it is being used by another process.
'proxycfg.exe' is not recognized as an internal or external command,
operable program or batch file.
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
Done (17/09/2012 19:55:28)
Set Windows Services To Default Startup
Start (17/09/2012 19:55:28)
Done (17/09/2012 19:55:31)
Repair MSI (Windows Installer)
Start (17/09/2012 19:55:31)
The Windows Installer service is not started.
More help is available by typing NET HELPMSG 3521.
Done (17/09/2012 19:55:35)
Cleaning up empty logs...
All Selected Repairs Done.
Done (17/09/2012 19:55:35)
Total Repair Time: 00:24:09

...YOU MUST RESTART YOUR SYSTEM...
 
Hi Broni

I've run Norton Removal Tool

Should I uninstall FSS, OTL, TFC, Tweaking, AdwCleaner etc. before I install Avast! free antivirus or Microsoft Security Essentials or Comodo Antivirus?
 
Thanks Broni

Here's a fresh FSS log

Farbar Service Scanner Version: 06-08-2012
Ran by Mark (administrator) on 17-09-2012 at 20:41:02
Running from "C:\Users\Mark\Downloads"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
 
We still have a couple of registry keys missing.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.

Double click on windefend.reg file and confirm the prompt.
Double click on bits.reg file and confirm the prompt.

Restart computer.
Post new FSS log.
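The missing service keys are what Farbar Service Scanner flags with its ATTENTION lines, and the only way to see whether the .reg imports worked is to read the next log against the previous one. Here is an added Python helper, not part of FSS or of any tool used in this thread, that classifies each service an FSS log reports (key missing, non-default start type, other attention, stopped, OK) and diffs a pre-repair log against a post-repair one; the two excerpts it runs on are constructed, modelled on the logs posted above.

```python
"""Triage Farbar Service Scanner (FSS) logs: classify each service FSS reports
and diff a pre-repair log against a post-repair one. Added example for this
thread, not part of FSS or of any tool posted here."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
ATTENTION_RE = re.compile(r"^Checking (Start type|ImagePath|ServiceDll)(?: of (\S+))?: ATTENTION!=+> (.*)$")
START_TYPE_RE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")

# Constructed excerpts in FSS format, modelled on the logs posted in this thread.
FSS_BEFORE = r"""
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
WinDefend Service is not running. Checking service configuration:
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
"""
FSS_AFTER = r"""
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
"""


@dataclass
class ServiceState:
    name: str
    running: bool = True            # FSS only details services that are stopped
    key_missing: bool = False       # its key under HKLM\SYSTEM\...\Services is gone
    start_type: str | None = None   # non-default start type, e.g. "Disabled"
    default_start: str | None = None
    notes: list[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.key_missing:
            return "KEY_MISSING"          # the key must be restored before the service can exist
        if self.start_type and self.start_type != self.default_start:
            return "START_TYPE_" + self.start_type.upper()
        if self.notes:
            return "ATTENTION"            # e.g. a missing ImagePath value
        return "OK" if self.running else "STOPPED"   # stopped with sane config is not a fault


def parse_fss(text: str) -> dict[str, ServiceState]:
    services: dict[str, ServiceState] = {}
    svc = lambda n: services.setdefault(n, ServiceState(n))
    cur = None   # service whose "Checking service configuration:" block we are in
    for line in (l.strip() for l in text.splitlines()):
        if (m := NOT_RUNNING_RE.match(line)):
            cur = svc(m.group(1))
            cur.running = False
        elif (m := ATTENTION_RE.match(line)):
            s = svc(m.group(2)) if m.group(2) else cur   # "Other Services" names the service inline
            if s is not None:
                s.notes.append(m.group(1) + ": " + m.group(3))
                s.key_missing |= "service key does not exist" in m.group(3)
        elif (m := START_TYPE_RE.match(line)):
            svc(m.group(1)).start_type = m.group(2)
            svc(m.group(1)).default_start = m.group(3)
    return services


def remaining_issues(services: dict[str, ServiceState]) -> list[str]:
    """Services whose configuration is still broken after a repair."""
    return sorted(n for n, s in services.items() if s.verdict() not in ("OK", "STOPPED"))


def diff_reports(before: dict[str, ServiceState], after: dict[str, ServiceState]) -> dict[str, tuple[str, str]]:
    """Verdict before/after for every service that changed or is still not clean.
    A service absent from a log was not detailed by FSS, i.e. it was running: OK."""
    out = {}
    for name in sorted(set(before) | set(after)):
        b = before[name].verdict() if name in before else "OK"
        a = after[name].verdict() if name in after else "OK"
        if a != b or a not in ("OK", "STOPPED"):
            out[name] = (b, a)
    return out
```

Running `diff_reports(parse_fss(FSS_BEFORE), parse_fss(FSS_AFTER))` on the constructed excerpts shows wuauserv and BITS going from KEY_MISSING to clean and WinDefend still needing its start type set back to Auto, which is the same picture the two FSS logs in this thread give.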
 
Hi Broni

Here's a fresh FSS log


Farbar Service Scanner Version: 06-08-2012
Ran by Mark (administrator) on 17-09-2012 at 21:26:21
Running from "C:\Users\Mark\Downloads"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

13. Please let me know how your computer is doing.
 
Hi Broni - thanks a million :)

Here's the OTL log

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mark
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 214489655 bytes
->Java cache emptied: 1878 bytes
->Google Chrome cache emptied: 6987897 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 706 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 27135 bytes
RecycleBin emptied: 283683 bytes

Total Files Cleaned = 212.00 mb
 
Hi Broni - thank you

We're looking good (y)

a) computer running faster than Usain Bolt

b) sidebar back - with Avast! in pole position

c) sound back to normal

d) Internet running fine

Besides installing Avast! I also installed Secunia PSI

I have changed all important passwords

Read the Bleeping Computer advice on how I got infected and how to practise safe Internet

Please advise:

I had a look in Windows Updates in Control Panel and can see there are 12 important updates waiting to be installed - these are:

Cumulative Security Update for Internet Explorer 9 for Windows Vista (KB2722913)
Download size: 11.3 MB

Security Update for Microsoft Office 2007 suites (KB2596615)
Download size: 7.4 MB

Security Update for Microsoft Office 2007 suites (KB2596856)
Download size: 1.3 MB

Security Update for Windows Vista (KB2655992)
Download size: 1.2 MB

Security Update for Windows Vista (KB2691442)
Download size: 4.0 MB

Security Update for Windows Vista (KB2698365)
Download size: 875 KB

Security Update for Windows Vista (KB2705219)
Download size: 220 KB

Security Update for Windows Vista (KB2712808)
Download size: 1.5 MB

Security Update for Windows Vista (KB2719985)
Download size: 950 KB

Security Update for Windows Vista (KB2731847)
Download size: 1.0 MB

Update Rollup for ActiveX Killbits for Windows Vista (KB2736233)
Download size: 48 KB

Windows Malicious Software Removal Tool - September 2012 (KB890830)
Download size: 16.1 MB

There are also 5 Optional updates available:

HP - Display - HP w2408 Wide LCD Monitor
Download size: 59 KB

Intel - Storage - Intel(R) ICH8R/ICH9R/ICH10R/DO SATA RAID Controller
Download size: 178 KB

nVidia - Display, Other hardware - NVIDIA GeForce 8600 GT
Download size: 165.2 MB

Realtek Semiconductor Corp. - Audio - Realtek High Definition Audio
Download size: 11.2 MB

Update for Windows Vista - English (KB937286)
Download size: 24.0 MB