TechSpot

Sirefef.AH infection... please help

By RebootTech
Sep 6, 2012
  1. Same as other posters: Sirefef.AH infection. MSE finds it, does nothing, and the computer reboots after a minute. I renamed C:\Windows\System32\services.exe to services.exe.bak just to stop the reboots. Here's the Farbar log:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) (x86) Version: 05-09-2012
    Ran by SYSTEM at 06-09-2012 13:57:33
    Running from F:\
    Windows 7 Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Adam\...\Run: [EPSON Stylus CX7800 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\Windows\TEMP\E_S7C96.tmp" /EF "HKCU" [177664 2007-01-23] (SEIKO EPSON CORPORATION)
    Winlogon\Notify\VESWinlogon: VESWinlogon.dll (Sony Corporation)
    Tcpip\Parameters: [DhcpNameServer] 208.67.222.222 208.67.220.220 205.171.3.25
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\MRI_DISABLED ()

    ==================== Services ================================

    2 EPSON_PM_RPCV4_01; C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE [113664 2007-01-11] (SEIKO EPSON CORPORATION)
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    3 MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [57344 2006-10-04] (Sony Corporation)
    2 MSSQL$VAIO_VEDB; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sVAIO_VEDB [29293408 2010-12-10] (Microsoft Corporation)
    3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [57344 2006-10-04] (Sony Corporation)
    3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69632 2006-10-04] (Sony Corporation)
    3 SSScsiSV; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [69632 2006-11-13] (Sony Corporation)
    3 VAIO Entertainment TV Device Arbitration Service; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe" [73728 2006-09-21] (Sony Corporation)
    2 VAIO Event Service; C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [182392 2006-11-24] (Sony Corporation)
    3 VAIOMediaPlatform-IntegratedServer-AppServer; C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe [2523136 2006-10-24] (Sony Corporation)
    3 VAIOMediaPlatform-IntegratedServer-UPnP; C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [1089536 2006-10-11] (Sony Corporation)
    3 VAIOMediaPlatform-UCLS-AppServer; C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [741376 2006-10-11] (Sony Corporation)
    3 VAIOMediaPlatform-UCLS-UPnP; C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [1089536 2006-10-11] (Sony Corporation)
    3 Vcsw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM [274432 2006-08-23] (Sony Corporation)
    2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
    2 VzCdbSvc; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe" [172032 2006-09-26] (Sony Corporation)
    2 VzFw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [135168 2006-09-26] (Sony Corporation)
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    3 VAIOMediaPlatform-IntegratedServer-HTTP; "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP" [x]
    3 VAIOMediaPlatform-Mobile-Gateway; "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server" [x]
    3 VAIOMediaPlatform-UCLS-HTTP; "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" [x]

    ==================== Drivers =================================

    3 moufiltr; C:\Windows\System32\DRIVERS\moufiltr.sys [6144 2007-01-09] (Chic)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [43872 2008-11-20] (Sonic Solutions)
    3 R5U870FLx86; C:\Windows\System32\Drivers\R5U870FLx86.sys [72704 2006-11-28] (Ricoh)
    3 R5U870FUx86; C:\Windows\System32\Drivers\R5U870FUx86.sys [43904 2006-11-28] (Ricoh)
    4 SI3132; C:\Windows\system32\DRIVERS\SI3132.sys [74672 2006-11-20] (Silicon Image, Inc.)
    0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [17328 2006-11-20] (Silicon Image, Inc.)
    0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [12464 2006-11-20] (Silicon Image, Inc.)
    3 SNC; C:\Windows\System32\Drivers\SonyNC.sys [27520 2006-11-06] (Sony Corporation)
    3 SonyImgF; C:\Windows\System32\DRIVERS\SonyImgF.sys [30976 2006-11-08] (Sony Corporation)
    3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [227328 2006-11-10] (Texas Instruments)
    0 7ef8d626d959ac7d; C:\Windows\System32\Drivers\7ef8d626d959ac7d.sys [x]
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]

    ==================== NetSvcs (Whitelisted) =================


    ============ One Month Created Files and Folders ==============

    2012-09-06 13:57 - 2012-09-06 13:57 - 00000000 ____D C:\FRST
    2012-09-06 11:43 - 2012-09-06 11:43 - 00007586 ____A C:\Users\Adam\Downloads\WinDefend.reg
    2012-09-06 11:43 - 2012-09-06 11:42 - 00005256 ____A C:\Users\Adam\Downloads\wscsvc.reg
    2012-09-06 11:18 - 2012-09-06 11:18 - 00176940 ____A C:\Users\Adam\Downloads\BFE.reg
    2012-09-06 11:18 - 2012-09-06 11:18 - 00006396 ____A C:\Users\Adam\Downloads\MpsSvc.reg
    2012-09-06 11:15 - 2012-09-06 11:15 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Adam\Downloads\tdsskiller.exe
    2012-09-06 11:11 - 2012-09-06 11:12 - 00003193 ____A C:\Windows\WindowsUpdate.log
    2012-09-06 11:10 - 2012-09-06 11:11 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-09-06 11:09 - 2012-08-28 19:10 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-09-06 11:09 - 2012-08-28 19:10 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-09-06 11:09 - 2012-08-28 19:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-09-06 11:01 - 2012-09-06 11:01 - 00000702 ____A C:\Windows\PFRO.log
    2012-09-06 10:48 - 2012-09-06 10:48 - 00003304 ____N C:\bootsqm.dat
    2012-08-26 12:48 - 2012-08-26 12:48 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.bak
    2012-08-25 20:29 - 2012-09-06 11:34 - 00051706 ____A C:\Windows\setupact.log
    2012-08-25 20:29 - 2012-08-25 20:29 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-25 19:26 - 2012-08-25 19:26 - 00282306 ____A C:\backup.reg
    2012-08-25 17:50 - 2010-07-07 05:29 - 00363520 ____A C:\Users\Adam\Documents\rkill.exe
    2012-08-25 16:00 - 2012-08-25 20:24 - 00000000 ____D C:\Users\Adam\Documents\a-squared Free
    2012-08-25 16:00 - 2012-08-25 20:24 - 00000000 ____D C:\Program Files\a-squared Free
    2012-08-24 07:19 - 2012-08-24 07:19 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-24 07:19 - 2012-08-24 07:19 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-22 15:22 - 2012-08-28 19:24 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-08-22 08:03 - 2012-08-22 08:03 - 00000000 ____D C:\Users\Adam\AppData\Local\{FDFD79AF-899A-D0B0-096B-A4A0E88FB9D2}
    2012-08-21 14:04 - 2012-08-27 17:05 - 00000385 ____A C:\rkill.log
    2012-08-20 14:39 - 2012-08-20 14:39 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-20 13:36 - 2012-08-20 13:36 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
    2012-08-20 13:35 - 2012-08-24 11:16 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2012-08-20 13:31 - 2012-08-20 13:31 - 00000000 ____D C:\Program Files\CCleaner
    2012-08-20 13:02 - 2012-08-20 14:09 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-20 13:02 - 2012-08-20 13:02 - 00000000 ____D C:\Users\Adam\AppData\Roaming\Malwarebytes
    2012-08-20 13:01 - 2012-08-20 14:09 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-08-20 13:01 - 2012-08-20 13:01 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-18 13:58 - 2012-08-18 13:58 - 00000000 ____D C:\Users\All Users\Geek Squad
    2012-08-16 06:51 - 2012-08-22 07:51 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2012-08-14 23:13 - 2012-08-14 23:15 - 00000000 ____D C:\Users\Adam\Documents\Lyrics
    2012-08-09 10:57 - 2012-08-09 10:58 - 00000000 ___HD C:\Users\Adam\AppData\Local\CutePDF Writer
    2012-08-09 10:55 - 2012-08-09 10:55 - 05254656 ____A C:\Users\Adam\Downloads\converter.exe

    ============ 3 Months Modified Files ========================

    2012-09-06 12:38 - 2010-11-22 16:07 - 00808926 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-09-06 11:58 - 2010-11-22 16:04 - 00009728 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-06 11:58 - 2010-11-22 16:04 - 00009728 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-06 11:46 - 2009-12-21 16:14 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-09-06 11:44 - 2011-03-27 22:26 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2218131356-71786554-3709945380-1005UA.job
    2012-09-06 11:43 - 2012-09-06 11:43 - 00007586 ____A C:\Users\Adam\Downloads\WinDefend.reg
    2012-09-06 11:42 - 2012-09-06 11:43 - 00005256 ____A C:\Users\Adam\Downloads\wscsvc.reg
    2012-09-06 11:35 - 2009-12-21 16:14 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-09-06 11:34 - 2012-08-25 20:29 - 00051706 ____A C:\Windows\setupact.log
    2012-09-06 11:34 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-06 11:18 - 2012-09-06 11:18 - 00176940 ____A C:\Users\Adam\Downloads\BFE.reg
    2012-09-06 11:18 - 2012-09-06 11:18 - 00006396 ____A C:\Users\Adam\Downloads\MpsSvc.reg
    2012-09-06 11:15 - 2012-09-06 11:15 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Adam\Downloads\tdsskiller.exe
    2012-09-06 11:12 - 2012-09-06 11:11 - 00003193 ____A C:\Windows\WindowsUpdate.log
    2012-09-06 11:11 - 2012-06-25 06:58 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-09-06 11:01 - 2012-09-06 11:01 - 00000702 ____A C:\Windows\PFRO.log
    2012-09-06 10:48 - 2012-09-06 10:48 - 00003304 ____N C:\bootsqm.dat
    2012-08-28 19:24 - 2012-08-22 15:22 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
    2012-08-28 19:24 - 2010-06-12 08:23 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-08-28 19:10 - 2012-09-06 11:09 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-08-28 19:10 - 2012-09-06 11:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-08-28 19:09 - 2012-09-06 11:09 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-08-27 17:05 - 2012-08-21 14:04 - 00000385 ____A C:\rkill.log
    2012-08-26 12:48 - 2012-08-26 12:48 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.bak
    2012-08-26 12:46 - 2009-03-26 10:42 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
    2012-08-25 20:29 - 2012-08-25 20:29 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-25 19:26 - 2012-08-25 19:26 - 00282306 ____A C:\backup.reg
    2012-08-25 17:43 - 2009-07-13 18:04 - 00002577 ____A C:\Windows\System32\config.nt
    2012-08-24 07:19 - 2012-08-24 07:19 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-24 07:19 - 2012-08-24 07:19 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-23 16:36 - 2011-03-27 22:26 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2218131356-71786554-3709945380-1005Core.job
    2012-08-22 07:51 - 2012-08-16 06:51 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2012-08-20 14:09 - 2012-08-20 13:02 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-18 20:17 - 2009-07-13 20:33 - 00421128 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-16 07:33 - 2011-08-21 16:13 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-08-09 10:55 - 2012-08-09 10:55 - 05254656 ____A C:\Users\Adam\Downloads\converter.exe
    2012-08-05 13:13 - 2009-07-13 20:53 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-03 13:52 - 2012-03-26 18:07 - 00111296 ____A C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-02 11:21 - 2011-05-11 21:02 - 00014294 ____A C:\Users\Adam\Desktop\chrome - Shortcut.lnk
    2012-07-17 13:51 - 2012-04-02 18:55 - 00001784 ____A C:\Users\All Users\hpzinstall.log
    2012-07-11 11:04 - 2006-11-02 02:23 - 00000275 ____A C:\Windows\win.ini
    2012-07-02 21:20 - 2012-07-02 21:16 - 00000035 ___AH C:\Users\Adam\Downloads\.picasa.ini
    2012-06-25 06:54 - 2012-06-25 06:54 - 10288512 ____A (Microsoft Corporation) C:\Users\Adam\Downloads\mseinstall.exe
    2012-06-17 21:55 - 2012-06-17 21:55 - 02541793 ___AH C:\Users\Adam\Downloads\IMG_0525.MOV
    2012-06-12 10:16 - 2012-06-12 10:16 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-11 18:40 - 2012-07-11 10:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys


    ZeroAccess:
    C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}
    C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\@
    C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\L
    C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\U
    C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\L\00000004.@
    C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\L\201d3dde

    ZeroAccess:
    C:\Users\Adam\AppData\Local\{ee472909-d0be-7134-7b4e-ff34111e9ebc}
    C:\Users\Adam\AppData\Local\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\@
    C:\Users\Adam\AppData\Local\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\L
    C:\Users\Adam\AppData\Local\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 2038.18 MB
    Available physical RAM: 1636.9 MB
    Total Pagefile: 2038.18 MB
    Available Pagefile: 1642.61 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1970.3 MB

    ==================== Partitions ============================

    1 Drive c: () (Fixed) (Total:142.68 GB) (Free:97.17 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (Recovery) (Fixed) (Total:6.36 GB) (Free:0.87 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: () (Removable) (Total:14.92 GB) (Free:14.92 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 3072 KB
    Disk 1 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 6509 MB 1024 KB
    Partition 2 Primary 142 GB 6510 MB
    Partition 3 Primary 10 MB 149 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D Recovery NTFS Partition 6509 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 142 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT32 Removable 14 GB Healthy

    ==================================================================================

    Last Boot: 2012-08-21 16:59

    ==================== End Of Log =============================
     
  2. RebootTech

    RebootTech TS Rookie Topic Starter

    And search results. Running Windows 7 32-bit, FYI, and Malwarebytes found nothing in the latest run.

    Farbar Recovery Scan Tool (x86) Version: 05-09-2012
    Ran by SYSTEM at 2012-09-06 14:12:05
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    === End Of Search ===
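A triage script for the two FRST logs above, added here as an example; it is not part of the thread, of FRST, or of ComboFix, and its regular expressions are my reading of the FRST line formats visible in these two posts, not a documented FRST interface. It pulls out the paths FRST itself lists under "ZeroAccess:" (a {GUID} folder under Windows\Installer or AppData\Local with @, L and U children, and assembly\GAC\Desktop.ini), the hidden folder literally named %APPDATA% in System32, every service or driver whose image file is missing ([x]) with a flag for 16-hex-digit random names such as 7ef8d626d959ac7d, and the MD5 that the services.exe search reported for each copy, so the copies can be compared. The sample lines are constructed from the logs in posts 1 and 2.

```python
import re
from collections import defaultdict

# FRST file-listing line: "created - modified - size attrs (vendor) path"
LISTING = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d{8} '
    r'[_A-Z]{5} (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.+)$')
# Bare path line, as printed in FRST's own "ZeroAccess:" blocks and search results
BARE_PATH = re.compile(r'^(?P<path>[A-Za-z]:\\\S.*)$')
GUID_DIR = re.compile(r'\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
# Service/driver line whose image FRST could not find: "<start> <name>; <image> [x]"
MISSING_IMAGE = re.compile(r'^\d\s+(?P<name>[^;]+);\s*(?P<image>.*?)\s*\[x\]$')
RANDOM_HEX_NAME = re.compile(r'^[0-9a-f]{16}$', re.I)
# Search-result detail line: "[created] - [modified] - size attrs (vendor) MD5"
SEARCH_DETAIL = re.compile(
    r'^\[[^\]]*\] - \[[^\]]*\] - \d+ [_A-Z]{5} (?:\([^)]*\) )?(?P<md5>[0-9A-Fa-f]{32})$')

# Constructed sample input: lines copied from the FRST log and search output in this thread.
SAMPLE_FRST = r"""
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
0 7ef8d626d959ac7d; C:\Windows\System32\Drivers\7ef8d626d959ac7d.sys [x]
2012-08-26 12:48 - 2012-08-26 12:48 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.bak
2012-08-22 08:03 - 2012-08-22 08:03 - 00000000 ____D C:\Users\Adam\AppData\Local\{FDFD79AF-899A-D0B0-096B-A4A0E88FB9D2}
2012-08-20 14:39 - 2012-08-20 14:39 - 00000000 __SHD C:\Windows\System32\%APPDATA%
ZeroAccess:
C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}
C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\@
C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\L\00000004.@
C:\Users\Adam\AppData\Local\{ee472909-d0be-7134-7b4e-ff34111e9ebc}\U
C:\Windows\assembly\GAC\Desktop.ini
""".strip().splitlines()
SAMPLE_SEARCH = r"""
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
""".strip().splitlines()

def _paths(lines):
    for line in lines:
        m = LISTING.match(line.strip()) or BARE_PATH.match(line.strip())
        if m:
            yield m.group('path').rstrip()

def zeroaccess_indicators(lines):
    """Return {path: reason} for ZeroAccess-style paths in FRST output."""
    hits, children = {}, defaultdict(set)   # GUID folder -> direct child names
    for path in _paths(lines):
        low = path.lower()
        if low.endswith(r'\windows\assembly\gac\desktop.ini'):
            hits[path] = 'Desktop.ini dropped in the GAC folder'
        elif low.endswith(r'\system32\%appdata%'):
            hits[path] = 'folder literally named %APPDATA% in System32 (review)'
        m = GUID_DIR.search(path)
        if not m:
            continue
        parent, guid_dir, rest = low[:m.start()], path[:m.end()], path[m.end():].strip('\\')
        if rest:
            children[guid_dir].add(rest.split('\\')[0])
        if parent.endswith(r'\windows\installer'):
            hits[guid_dir] = 'GUID folder under Windows\\Installer'
        elif parent.endswith(r'\appdata\local'):
            hits.setdefault(guid_dir, 'GUID folder under AppData\\Local (review)')
    # The @ / L / U layout is the strong indicator; a lone GUID folder stays at "(review)".
    for guid_dir, names in children.items():
        if {'@', 'L', 'U'} & names:
            hits[guid_dir] = 'GUID folder with ZeroAccess @/L/U layout'
    return hits

def missing_image_entries(lines):
    """(name, image, random_hex_name) for every service/driver FRST marked [x]."""
    out = []
    for line in lines:
        m = MISSING_IMAGE.match(line.strip())
        if m:
            name = m.group('name').strip()
            out.append((name, m.group('image'), bool(RANDOM_HEX_NAME.match(name))))
    return out

def search_hashes(lines):
    """Map each path an FRST 'Search:' run found to the MD5 it reported."""
    hashes, pending = {}, None
    for line in lines:
        line = line.strip()
        m = SEARCH_DETAIL.match(line)
        if m and pending:
            hashes[pending], pending = m.group('md5').upper(), None
        elif BARE_PATH.match(line):
            pending = line
    return hashes

def all_copies_match(hashes):
    """True when every copy found (System32, WinSxS, ...) reports the same MD5."""
    return len(set(hashes.values())) == 1

if __name__ == '__main__':
    print(zeroaccess_indicators(SAMPLE_FRST), missing_image_entries(SAMPLE_FRST),
          all_copies_match(search_hashes(SAMPLE_SEARCH)), sep='\n')
```

Run it as-is to triage the sample, or feed it the lines of a saved FRST.txt. A lone {GUID} folder under AppData\Local is reported as "(review)" only, because legitimate installers create those too; the @/L/U layout is what makes the hit strong. all_copies_match() only says that the System32 and WinSxS copies agree with each other; FRST's "MD5 is legit" line in the Bamital check is the comparison against a known-good hash, and that is the one that matters when the two copies could both have been replaced.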
     
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQs.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     
  4. RebootTech

    RebootTech TS Rookie Topic Starter

    Things seem to be running fine now...no reboots. Running a MSE scan now to see if it finds the files like it did before.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 05-09-2012
    Ran by SYSTEM at 2012-09-07 06:50:04 Run:1
    Running from F:\

    ==============================================

    C:\Windows\Installer\{ee472909-d0be-7134-7b4e-ff34111e9ebc} moved successfully.
    C:\Users\Adam\AppData\Local\{ee472909-d0be-7134-7b4e-ff34111e9ebc} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.

    ==== End of Fixlog ====
     
  5. RebootTech

    RebootTech TS Rookie Topic Starter

    OK, after looking through the computer, it appears it won't let me enable Windows Firewall or Windows Defender. No error message for Firewall; it just won't enable. For Defender, it turns on and gives me a message that says definitions are out of date, but then switches to saying a problem caused this program's service to stop. Starting the service repeats the process: definitions are out of date, service stops.
     
  6. RebootTech

    RebootTech TS Rookie Topic Starter

    Aaaaaand Windows Update is also broken. "Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer."
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper

    We'll get these issues fixed...

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
     
  8. RebootTech

    RebootTech TS Rookie Topic Starter

    ComboFix 12-09-07.03 - Adam 09/07/2012 11:24:28.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2038.1040 [GMT -7:00]
    Running from: c:\users\Adam\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\config.ini
    c:\windows\Downloaded Program Files\Temp
    c:\windows\system32\FlashPlayerInstaller.exe
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-07 to 2012-09-07 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-07 18:38 . 2012-09-07 18:40 -------- d-----w- c:\users\Adam\AppData\Local\temp
    2012-09-07 18:38 . 2012-09-07 18:38 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-09-07 18:38 . 2012-09-07 18:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-07 17:34 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-07 16:59 . 2012-09-07 17:28 -------- d-----w- c:\windows\system32\wbem\repository
    2012-09-07 16:10 . 2012-08-28 08:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8643A902-DB0A-48FF-8061-60CEDB9B644E}\mpengine.dll
    2012-09-07 16:06 . 2012-08-28 08:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-07 16:06 . 2012-09-07 16:06 -------- d-----w- c:\program files\Common Files\Skype
    2012-09-07 15:54 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-09-06 21:57 . 2012-09-06 21:57 -------- d-----w- C:\FRST
    2012-09-06 21:55 . 2012-09-06 21:55 -------- d-----w- c:\program files\Magical Jelly Bean
    2012-09-06 19:37 . 2012-09-06 19:37 -------- d-----w- C:\Temp
    2012-09-06 19:13 . 2012-02-09 21:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F56FECE5-7AF3-4222-BA43-874E29D9EA68}\gapaengine.dll
    2012-09-06 19:10 . 2012-09-06 19:11 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-26 20:48 . 2012-08-26 20:48 259072 ----a-w- c:\windows\system32\services.exe.bak
    2012-08-26 03:26 . 2012-08-26 03:26 282306 ----a-w- C:\backup.reg
    2012-08-26 00:00 . 2012-08-26 04:24 -------- d-----w- c:\program files\a-squared Free
    2012-08-24 15:19 . 2012-08-24 15:19 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-24 15:19 . 2012-08-24 15:19 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-22 23:22 . 2012-08-29 03:24 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-08-20 22:39 . 2012-08-20 22:39 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-08-20 21:36 . 2012-08-20 21:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-08-20 21:35 . 2012-08-24 19:16 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-08-20 21:31 . 2012-08-20 21:31 -------- d-----w- c:\program files\CCleaner
    2012-08-20 21:02 . 2012-08-20 21:02 -------- d-----w- c:\users\Adam\AppData\Roaming\Malwarebytes
    2012-08-20 21:01 . 2012-08-20 21:01 -------- d-----w- c:\programdata\Malwarebytes
    2012-08-20 21:01 . 2012-09-07 17:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-08-18 21:58 . 2012-08-18 21:58 -------- d-----w- c:\programdata\Geek Squad
    2012-08-16 14:52 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
    2012-08-16 14:52 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-08-16 14:52 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
    2012-08-16 14:52 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
    2012-08-16 14:52 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
    2012-08-16 14:52 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
    2012-08-16 14:52 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
    2012-08-09 18:57 . 2012-08-09 18:58 -------- d--h--w- c:\users\Adam\AppData\Local\CutePDF Writer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-29 03:24 . 2010-06-12 16:23 473072 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-11-24 18:36 73728 ----a-w- c:\windows\System32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R0 7ef8d626d959ac7d;syshost.exe;c:\windows\\SystemRoot\System32\Drivers\7ef8d626d959ac7d.sys [x]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
    R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [x]
    R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [x]
    R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [x]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
    S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [x]
    S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [x]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [x]
    S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [x]
    S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - aswFsBlk
    *Deregistered* - aswMonFlt
    *Deregistered* - aswRdr
    *Deregistered* - aswSP
    *Deregistered* - aswTdi
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-26 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-17 19:07]
    .
    2012-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 00:13]
    .
    2012-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 00:13]
    .
    2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2218131356-71786554-3709945380-1005Core.job
    - c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-28 15:15]
    .
    2012-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2218131356-71786554-3709945380-1005UA.job
    - c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-28 15:15]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 205.171.3.25
    FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\2wyuozik.default\
    FF - prefs.js: browser.startup.homepage - www.hotmail.com
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-09-07 11:46:40
    ComboFix-quarantined-files.txt 2012-09-07 18:46
    .
    Pre-Run: 103,972,421,632 bytes free
    Post-Run: 104,049,848,320 bytes free
    .
    - - End Of File - - 28CBCBDC658B342A3D5FE2053B648833
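    The service/driver section of the ComboFix log above is where a helper looks first. As an added triage aid (this is editor-written example code, not ComboFix's own output processing and not anything posted in this thread), the script below parses lines in the "<R|S><start-type> <name>;<display name>;<image path> [<info>]" layout seen above and flags entries that trip simple, explainable heuristics: a service name that is nothing but hex digits, a doubled path separator or a \SystemRoot\ component nested inside a drive-letter path, and a display name that looks like an .exe while the image is a .sys driver. The sample lines are constructed from the log above; the layout and the heuristics are assumptions, and a hit is a reason to look closer, not proof of infection.

    ```python
    import re
    from dataclasses import dataclass, field

    # Constructed sample input, modelled on the "Reg Loading Points" service/driver
    # lines in the ComboFix log above. The layout assumed here is
    # "<R|S><start-type> <service name>;<display name>;<image path> [<info>]".
    # This parser is an added triage aid, not part of ComboFix or of the thread.
    SAMPLE_LINES = r"""
    R0 7ef8d626d959ac7d;syshost.exe;c:\windows\\SystemRoot\System32\Drivers\7ef8d626d959ac7d.sys [x]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
    R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [x]
    """.strip().splitlines()

    SERVICE_RE = re.compile(
        r"^(?P<state>[RS])(?P<start>\d) "      # R = running, S = stopped; digit = start type
        r"(?P<name>[^;]+);(?P<display>[^;]*);"  # service name ; display name ;
        r"(?P<path>.*?) \[(?P<info>[^\]]*)\]$"  # image path [file info]
    )

    # A service name that is nothing but 12-32 hex digits carries no human-readable
    # meaning; legitimate vendors almost never name drivers this way.
    RANDOM_HEX_NAME_RE = re.compile(r"^[0-9a-f]{12,32}$", re.IGNORECASE)

    # A drive-letter path that still carries a \SystemRoot\ component inside it was
    # assembled oddly rather than written by a normal installer.
    NESTED_SYSTEMROOT_RE = re.compile(r"^[a-z]:\\.*\\systemroot\\", re.IGNORECASE)


    @dataclass
    class Finding:
        name: str
        path: str
        reasons: list = field(default_factory=list)


    def parse_service_line(line: str):
        """Return the fields of one service/driver line, or None if it does not match."""
        m = SERVICE_RE.match(line.strip())
        return m.groupdict() if m else None


    def suspicious_reasons(entry: dict) -> list:
        """Apply simple, explainable heuristics to one parsed entry."""
        reasons = []
        name, display, path = entry["name"], entry["display"], entry["path"]
        if RANDOM_HEX_NAME_RE.match(name):
            reasons.append("random-looking hex service name")
        if "\\\\" in path:  # two literal backslashes in a row
            reasons.append("doubled path separator in image path")
        if NESTED_SYSTEMROOT_RE.match(path):
            reasons.append("\\SystemRoot\\ nested inside a drive-letter path")
        if display.lower().endswith(".exe") and path.lower().endswith(".sys"):
            reasons.append("display name looks like an .exe but image is a kernel driver")
        return reasons


    def triage(lines) -> list:
        """Return a Finding for every service/driver line that trips at least one heuristic."""
        findings = []
        for line in lines:
            entry = parse_service_line(line)
            if entry is None:
                continue  # not a service/driver line; skip registry keys, blanks, etc.
            reasons = suspicious_reasons(entry)
            if reasons:
                findings.append(Finding(entry["name"], entry["path"], reasons))
        return findings


    if __name__ == "__main__":
        for f in triage(SAMPLE_LINES):
            print(f"{f.name}: {f.path}")
            for r in f.reasons:
                print(f"  - {r}")
    ```

    Run against the sample, only the hex-named R0 driver is reported, and it trips all four heuristics; the vendor drivers and the Malwarebytes service pass untouched. Feeding the whole "Reg Loading Points" block to triage() works the same way because non-matching lines are skipped.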
     
  9. RebootTech

    RebootTech TS Rookie Topic Starter

    FYI, Windows Update and Windows Firewall appear to both be working...downloaded about 12 missing updates and now says up to date after a reboot and recheck for updates. Windows Defender is not running still, but not sure I need it with MSE running. MalBytes just found the quarantined files from FRST. Will run again when you give the go ahead and do a full scan.
     
  10. RebootTech

    RebootTech TS Rookie Topic Starter

    I just noticed that svchost.exe is still using around 50% of the CPU all the time. Doesn't seem normal...

    EDIT: Went on for 10-15 minutes, then stopped. Must have just been a boot thing. 97% idle now.
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
     
  12. RebootTech

    RebootTech TS Rookie Topic Starter

    MalwareBytes log:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.09.07.10
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Adam :: MIKE-PC [administrator]
    9/7/2012 3:12:27 PM
    mbam-log-2012-09-07 (15-12-27).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 223806
    Time elapsed: 10 minute(s), 54 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  13. RebootTech

    RebootTech TS Rookie Topic Starter

    ADWCleaner

    # AdwCleaner v1.801 - Logfile created 09/08/2012 at 14:58:43
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
    # User : Adam - MIKE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Adam\Desktop\adwcleaner.exe
    # Option [Search]

    ***** [Services] *****
    Found : Viewpoint Manager Service
    ***** [Files / Folders] *****
    Folder Found : C:\Users\Adam\AppData\Local\APN
    Folder Found : C:\ProgramData\Trymedia
    Folder Found : C:\ProgramData\Viewpoint
    Folder Found : C:\Program Files\Viewpoint
    File Found : C:\Program Files\Mozilla Firefox\.autoreg
    ***** [Registry] *****
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Found : HKLM\SOFTWARE\Description
    Key Found : HKLM\SOFTWARE\MetaStream
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Found : HKLM\SOFTWARE\Viewpoint
    ***** [Registre - GUID] *****
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    -\\ Mozilla Firefox v3.6.16 (en-US)
    Profile name : default
    File : C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\2wyuozik.default\prefs.js
    [OK] File is clean.
    -\\ Google Chrome v21.0.1180.89
    File : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Found : "description": "The fastest way to search the web.",
    Found : "path": "C:\\Program Files\\Viewpoint\\Viewpoint Experience Technology\\npViewpoint.dll",
    *************************
    AdwCleaner[R1].txt - [2327 octets] - [08/09/2012 14:58:43]
    ########## EOF - C:\AdwCleaner[R1].txt - [2455 octets] ##########
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Remove the Adware.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
     
  15. RebootTech

    RebootTech TS Rookie Topic Starter

    ADW Log:
    # AdwCleaner v1.801 - Logfile created 09/09/2012 at 07:41:51
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
    # User : Adam - MIKE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Adam\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****
    Stopped & Deleted : Viewpoint Manager Service
    ***** [Files / Folders] *****
    Folder Deleted : C:\Users\Adam\AppData\Local\APN
    Folder Deleted : C:\ProgramData\Trymedia
    Folder Deleted : C:\ProgramData\Viewpoint
    Folder Deleted : C:\Program Files\Viewpoint
    File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
    ***** [Registry] *****
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Deleted : HKLM\SOFTWARE\Description
    Key Deleted : HKLM\SOFTWARE\MetaStream
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Deleted : HKLM\SOFTWARE\Viewpoint
    ***** [Registre - GUID] *****
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    -\\ Mozilla Firefox v3.6.16 (en-US)
    Profile name : default
    File : C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\2wyuozik.default\prefs.js
    [OK] File is clean.
    -\\ Google Chrome v21.0.1180.89
    File : C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Deleted : "description": "The fastest way to search the web.",
    Deleted : "path": "C:\\Program Files\\Viewpoint\\Viewpoint Experience Technology\\npViewpoint.dll",
    *************************
    AdwCleaner[R1].txt - [2456 octets] - [08/09/2012 14:58:43]
    AdwCleaner[S1].txt - [2441 octets] - [09/09/2012 07:41:51]
    ########## EOF - C:\AdwCleaner[S1].txt - [2569 octets] ##########
     
  16. RebootTech

    RebootTech TS Rookie Topic Starter

    ESET found no threats. We good?
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  18. RebootTech

    RebootTech TS Rookie Topic Starter

    I deleted the old restore points, created the new one, deleted all temp files and ran CCleaner. Unfortunately, I had to return the computer to my friend this morning before I could run the Security Check...wasn't familiar with that one. He simply needed his computer back whether I was done or not. Is it worth asking him to download and run that to get the results? Or is it just to tie a bow on it all?
     
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Just as long as MSE is kept updated with the latest virus definitions, and stays active to protect against malware in the future.

    Topic marked solved. √
     