TechSpot

Sirefef restart loop

Solved
By andreyu
Aug 8, 2012
Topic Status:
Not open for further replies.
  1. Hello,

    Like many others here I too have the caught the Sirefef virus (at least that's what MSE says it is before the computer abruptly restarts).

    I have Windows Vista Professional 32.

    I ran farbar, I'm pasting the logs below.

    Thank you for your help, it's greatly appreciated.

    --------------------------------------------------------------------------------

    FRST.TXT

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-08-2012
    Ran by SYSTEM at 08-08-2012 09:24:24
    Running from G:\
    Windows Vista (TM) Business (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start [145184 2007-01-09] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [827392 2007-01-12] (Synaptics, Inc.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [163840 2007-05-02] ( Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49152 2005-02-16] (Hewlett-Packard Co.)
    HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-08] (Hewlett-Packard)
    HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [408088 2007-11-09] (Intel Corporation)
    HKLM\...\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
    HKLM\...\Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe [319488 2006-11-03] (PixArt Imaging Incorporation)
    HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-10-03] (Hewlett-Packard Development Company, L.P.)
    HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-08-13] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [IDProtect Monitor] "C:\Program Files\Athena\IDProtect Client\Utils\IDProtect Monitor.exe" [323664 2010-12-01] (Athena Smartcard Solutions)
    HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1183744 2007-02-21] (Analog Devices, Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-05] (Adobe Systems Incorporated)
    HKLM\...\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-21] (Adobe Systems Incorporated)
    HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Irina\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet [6497592 2012-01-03] (Yahoo! Inc.)
    HKU\Irina\...\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\YspService.exe [296248 2010-06-13] (Yahoo! Inc.)
    HKU\Irina\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-04-23] (Google Inc.)
    Winlogon\Notify\DeviceNP: DeviceNP.dll (Hewlett-Packard Limited)
    Winlogon\Notify\ScCertProp: wlnotify.dll [X]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    AppInit_DLLs: APSHook.dll
    Lsa: [Notification Packages] SbHpNp
    scecli
    ASWLNPkg

    ================================ Services (Whitelisted) ==================

    2 ASBroker; C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [74240 2007-02-06] (Cognizance Corporation)
    2 ASChannel; C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll [131584 2006-06-21] (Cognizance Corporation)
    2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [182808 2007-11-09] (Intel Corporation)
    3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    3 FLCDLOCK; C:\Windows\system32\flcdlock.exe [172131 2007-04-30] (Hewlett-Packard Ltd)
    2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.)
    2 hpsrv; C:\Windows\System32\Hpservice.exe [18944 2007-01-04] ()
    2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" [322120 2003-06-19] (Microsoft Corporation)
    4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 [3004416 2007-11-06] (Microsoft Corporation)
    2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService [540448 2007-05-08] (PDF Complete Inc)
    3 Samsung UPD Service; "C:\Windows\System32\SUPDSvc.exe" [131888 2010-08-08] (Samsung Electronics CO., LTD.)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-02-28] (Skype Technologies)
    2 SWIHPWMI; C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [292384 2006-12-04] (Sierra Wireless Inc.)
    2 UNS; C:\Program Files\Intel\AMT\UNS.exe [1464856 2007-11-09] (Intel Corporation)
    2 VMCService; "C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe" [9216 2010-01-19] (Vodafone)
    2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
    2 HpFkCryptService; "c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [x]
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
    4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    3 RoxMediaDB9; "c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe" [x]
    2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
    2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
    3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

    ========================== Drivers (Whitelisted) =============

    2 altio; \??\C:\Program Files\Altium Designer S09 Viewer\System\Drivers\altio.sys [3200 2008-06-02] (Altium Limited)
    3 ASEDRV3; C:\Windows\System32\drivers\ASEDRV3.sys [51200 2011-04-11] (Athena Smartcard Solutions)
    3 AtiHdmiService; C:\Windows\System32\drivers\AtiHdmi.sys [101904 2009-07-23] (ATI Technologies, Inc.)
    3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [140808 2007-04-10] (AuthenTec, Inc.)
    3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv.sys [30008 2007-04-23] (Hewlett-Packard Development Company L.P.)
    1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
    3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [112640 2009-11-04] (Huawei Technologies Co., Ltd.)
    3 FPABOOT32; C:\Windows\System32\Drivers\usbFPAB2.sys [10752 2009-11-28] (anchor chips)
    3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57672 2009-02-17] (FTDI Ltd.)
    3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [72520 2009-02-17] (FTDI Ltd.)
    0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] ()
    3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [9472 2006-06-28] (Hewlett-Packard Development Company, L.P.)
    3 hwusbfake; C:\Windows\System32\DRIVERS\ewusbfake.sys [101120 2009-11-04] (Huawei Technologies Co., Ltd.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    1 MpKsl4e444637; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{684901F6-8A08-4E5E-80A5-19EA9FB7BB8A}\MpKsl4e444637.sys [29904 2012-08-07] (Microsoft Corporation)
    3 PAC7302; C:\Windows\System32\DRIVERS\PAC7302.SYS [457856 2007-06-14] (PixArt Imaging Inc.)
    3 rismc32; C:\Windows\System32\DRIVERS\rismc32.sys [47616 2006-12-19] (RICOH Company, Ltd.)
    1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [5808 2007-04-26] (SafeBoot International)
    0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [100095 2007-04-26] (SafeBoot International)
    0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [44720 2006-10-09] (SafeBoot N.V.)
    0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [13696 2007-03-29] (SafeBoot International)
    2 Sentinel; C:\Windows\System32\Drivers\SENTINEL.SYS [64512 1998-07-21] ()
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-09-02] (Duplex Secure Ltd.)
    3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [309320 2011-07-09] (BitDefender S.R.L.)
    3 USBFPA32; C:\Windows\System32\Drivers\usbFPAA2.sys [34304 2006-05-15] (Cypress Semiconductor)
    3 ZTEusbnet; C:\Windows\System32\DRIVERS\ZTEusbnet.sys [110080 2008-11-12] (ZTE Corporation)
    3 ZTEusbvoice; C:\Windows\System32\DRIVERS\ZTEusbvoice.sys [104960 2008-11-12] (ZTE Incorporated)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-07 21:34 - 2012-08-07 21:34 - 00000726 ____A C:\Users\Irina\Desktop\stop.lnk
    2012-08-07 12:42 - 2012-08-07 12:43 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-07 12:41 - 2012-08-07 12:41 - 10288512 ____A (Microsoft Corporation) C:\Users\Irina\Desktop\mseinstall(1).exe
    2012-08-07 09:52 - 2012-08-07 09:52 - 00000000 ____D C:\Users\Irina\AppData\Roaming\Malwarebytes
    2012-08-07 09:52 - 2012-08-07 09:52 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-07 09:51 - 2012-08-07 09:51 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Irina\Desktop\mbam-setup-1.62.0.1300.exe
    2012-08-07 09:07 - 2012-08-07 09:09 - 00000000 ____D C:\Users\All Users\036DFF86004E811B005149102F3B6FDA
    2012-08-07 03:16 - 2012-08-07 03:16 - 00035840 ____A C:\Users\Irina\Desktop\a12_3620872_1.xls
    2012-07-30 07:04 - 2012-08-07 05:32 - 00000322 ____A C:\Windows\Tasks\HPCeeScheduleForIrina.job
    2012-07-23 10:14 - 2012-08-02 06:37 - 00000132 ____A C:\Users\Irina\AppData\Roaming\Adobe BMP Format CS5 Prefs
    2012-07-18 00:05 - 2012-07-18 00:05 - 01098385 ____A C:\Users\Irina\Desktop\asesoft_17.07.2012.xlsx


    ============ 3 Months Modified Files ========================

    2012-08-07 22:11 - 2011-05-14 23:36 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-07 22:11 - 2010-02-08 01:01 - 00001092 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-07 22:10 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-07 22:10 - 2006-11-02 04:47 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-07 22:10 - 2006-11-02 04:47 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-07 21:57 - 2006-11-02 04:52 - 00147586 ____A C:\Windows\setupact.log
    2012-08-07 21:34 - 2012-08-07 21:34 - 00000726 ____A C:\Users\Irina\Desktop\stop.lnk
    2012-08-07 12:43 - 2011-03-15 03:16 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-07 12:43 - 2008-02-08 16:20 - 01689360 ____A C:\Windows\WindowsUpdate.log
    2012-08-07 12:42 - 2006-11-02 02:33 - 00795960 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-07 12:41 - 2012-08-07 12:41 - 10288512 ____A (Microsoft Corporation) C:\Users\Irina\Desktop\mseinstall(1).exe
    2012-08-07 12:26 - 2006-11-02 05:00 - 00162122 ____A C:\Windows\PFRO.log
    2012-08-07 09:51 - 2012-08-07 09:51 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Irina\Desktop\mbam-setup-1.62.0.1300.exe
    2012-08-07 09:45 - 2006-11-09 13:07 - 00002140 ____A C:\Windows\bthservsdp.dat
    2012-08-07 09:45 - 2006-11-02 05:01 - 00032644 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-07 08:54 - 2010-02-08 01:01 - 00001096 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-07 05:32 - 2012-07-30 07:04 - 00000322 ____A C:\Windows\Tasks\HPCeeScheduleForIrina.job
    2012-08-07 03:16 - 2012-08-07 03:16 - 00035840 ____A C:\Users\Irina\Desktop\a12_3620872_1.xls
    2012-08-06 07:32 - 2011-05-30 07:09 - 00000052 ____A C:\Windows\System32\DOErrors.log
    2012-08-05 07:51 - 2006-11-02 02:23 - 00000407 ____A C:\Windows\win.ini
    2012-08-05 03:34 - 2011-12-23 06:59 - 00002687 ____A C:\Users\Public\Desktop\Vodafone Mobile Connect.lnk
    2012-08-03 03:50 - 2011-09-08 02:01 - 00001971 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-08-02 06:37 - 2012-07-23 10:14 - 00000132 ____A C:\Users\Irina\AppData\Roaming\Adobe BMP Format CS5 Prefs
    2012-08-01 22:20 - 2012-05-11 07:33 - 00000049 ____A C:\Windows\wpd99.drv
    2012-07-30 06:32 - 2010-09-19 09:14 - 00001356 ____A C:\Users\Irina\AppData\Local\d3d9caps.dat
    2012-07-23 08:50 - 2012-03-26 07:43 - 00003121 ____A C:\Windows\System32\responseBody.xml
    2012-07-23 08:50 - 2012-03-26 07:43 - 00002092 ____A C:\Windows\System32\requestBody.xml
    2012-07-23 08:50 - 2012-03-26 07:43 - 00000847 ____A C:\Windows\System32\request.gzip
    2012-07-18 02:43 - 2012-03-27 23:43 - 00002377 ____A C:\Users\Public\Desktop\Skype.lnk
    2012-07-18 00:05 - 2012-07-18 00:05 - 01098385 ____A C:\Users\Irina\Desktop\asesoft_17.07.2012.xlsx
    2012-07-16 22:00 - 2012-03-06 08:30 - 00000289 ____A C:\Windows\WINCMD.INI
    2012-06-27 01:40 - 2012-06-27 01:01 - 286285600 ____A C:\Users\Irina\Desktop\filmulete.zip
    2012-06-02 23:47 - 2012-06-02 23:47 - 00000146 ____A C:\Windows\capture.INI
    2012-06-02 14:19 - 2012-06-20 20:06 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-20 20:06 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-20 20:06 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-20 20:06 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-20 20:06 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-20 20:06 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-20 20:06 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 04:19 - 2012-06-20 20:06 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 04:12 - 2012-06-20 20:06 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 23:37 - 2008-02-18 06:03 - 00011264 ____A C:\Users\Irina\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-31 11:52 - 2010-12-21 07:54 - 00000000 ____A C:\Users\Irina\AppData\Local\FnF4.txt
    2012-05-24 10:09 - 2012-05-24 10:09 - 00028160 ____A C:\Users\Irina\Documents\buget proiect assist1.xls
    2012-05-11 07:32 - 2012-05-11 07:32 - 00000028 ____A C:\Windows\pdf995.ini

    ZeroAccess:
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@

    ZeroAccess:
    C:\Users\Irina\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\Irina\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Users\Irina\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Users\Irina\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
    C:\Users\Irina\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 27%
    Total physical RAM: 2014.69 MB
    Available physical RAM: 1467.41 MB
    Total Pagefile: 1748.77 MB
    Available Pagefile: 1579.07 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.33 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:102.39 GB) (Free:25.32 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (HP_RECOVERY) (Fixed) (Total:7.84 GB) (Free:0.72 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (D) (Fixed) (Total:1.55 GB) (Free:1.21 GB) NTFS
    5 Drive g: () (Removable) (Total:1.86 GB) (Free:0.36 GB) FAT
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 112 GB 4568 KB
    Disk 1 Online 1908 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 102 GB 32 KB
    Partition 2 Primary 8028 MB 102 GB
    Partition 3 Primary 1589 MB 110 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 C NTFS Partition 102 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D HP_RECOVERY NTFS Partition 8028 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E D NTFS Partition 1589 MB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    * Partition 1 Primary 1908 MB 0 B

    ==================================================================================

    Disk: 1
    There is no partition selected.

    There is no partition selected.
    Please select a partition and try again.

    ==================================================================================

    ==========================================================

    Last Boot: 2012-08-07 12:33

    ======================= End Of Log ==========================

    SEARCH.TXT

    Farbar Recovery Scan Tool Version: 08-08-2012
    Ran by SYSTEM at 2012-08-08 09:26:44
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2011-05-14 23:36] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2009-03-04 10:36] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

    C:\Windows\System32\services.exe
    [2011-05-14 23:36] - [2012-08-07 22:11] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

    === End Of Search ===
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
  3. andreyu

    andreyu Newcomer, in training Topic Starter

    Hi, thank you very much for your help.

    Everything seems fine now.

    Here's the log:


    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-08-2012
    Ran by SYSTEM at 2012-08-08 16:06:38 Run:1
    Running from G:\

    ==============================================

    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Users\Irina\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Excellent work! Back to Normal Mode, please...

    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  5. andreyu

    andreyu Newcomer, in training Topic Starter

    I ran Combofix, you can find the log below.
    It said that MSE was enabled although I had disabled the realtime protection (I couldn't find a way to completely close it other than by uninstalling it). I didn't notice anything wrong during the combofix scan though.

    Thanks again for the help.

    LOG:

    ComboFix 12-08-09.01 - Irina 09.08.2012 19:12:19.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1250.40.1033.18.2015.872 [GMT 3:00]
    Running from: c:\users\Irina\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    ..
    ..
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    ..
    ..
    c:\programdata\ntuser.dat
    c:\windows\system32\html
    c:\windows\system32\html\calendar.html
    c:\windows\system32\html\calendarbottom.html
    c:\windows\system32\html\calendartop.html
    c:\windows\system32\html\crystalexportdialog.htm
    c:\windows\system32\html\crystalprinthost.html
    c:\windows\system32\images
    c:\windows\system32\images\toolbar\calendar.gif
    c:\windows\system32\images\toolbar\crlogo.gif
    c:\windows\system32\images\toolbar\export.gif
    c:\windows\system32\images\toolbar\export_over.gif
    c:\windows\system32\images\toolbar\exportd.gif
    c:\windows\system32\images\toolbar\First.gif
    c:\windows\system32\images\toolbar\first_over.gif
    c:\windows\system32\images\toolbar\Firstd.gif
    c:\windows\system32\images\toolbar\gotopage.gif
    c:\windows\system32\images\toolbar\gotopage_over.gif
    c:\windows\system32\images\toolbar\gotopaged.gif
    c:\windows\system32\images\toolbar\grouptree.gif
    c:\windows\system32\images\toolbar\grouptree_over.gif
    c:\windows\system32\images\toolbar\grouptreed.gif
    c:\windows\system32\images\toolbar\grouptreepressed.gif
    c:\windows\system32\images\toolbar\Last.gif
    c:\windows\system32\images\toolbar\last_over.gif
    c:\windows\system32\images\toolbar\Lastd.gif
    c:\windows\system32\images\toolbar\Next.gif
    c:\windows\system32\images\toolbar\next_over.gif
    c:\windows\system32\images\toolbar\Nextd.gif
    c:\windows\system32\images\toolbar\Prev.gif
    c:\windows\system32\images\toolbar\prev_over.gif
    c:\windows\system32\images\toolbar\Prevd.gif
    c:\windows\system32\images\toolbar\print.gif
    c:\windows\system32\images\toolbar\print_over.gif
    c:\windows\system32\images\toolbar\printd.gif
    c:\windows\system32\images\toolbar\Refresh.gif
    c:\windows\system32\images\toolbar\refresh_over.gif
    c:\windows\system32\images\toolbar\refreshd.gif
    c:\windows\system32\images\toolbar\Search.gif
    c:\windows\system32\images\toolbar\search_over.gif
    c:\windows\system32\images\toolbar\searchd.gif
    c:\windows\system32\images\toolbar\up.gif
    c:\windows\system32\images\toolbar\up_over.gif
    c:\windows\system32\images\toolbar\upd.gif
    c:\windows\system32\images\tree\begindots.gif
    c:\windows\system32\images\tree\beginminus.gif
    c:\windows\system32\images\tree\beginplus.gif
    c:\windows\system32\images\tree\blank.gif
    c:\windows\system32\images\tree\blankdots.gif
    c:\windows\system32\images\tree\dots.gif
    c:\windows\system32\images\tree\lastdots.gif
    c:\windows\system32\images\tree\lastminus.gif
    c:\windows\system32\images\tree\lastplus.gif
    c:\windows\system32\images\tree\Magnify.gif
    c:\windows\system32\images\tree\minus.gif
    c:\windows\system32\images\tree\minusbox.gif
    c:\windows\system32\images\tree\plus.gif
    c:\windows\system32\images\tree\plusbox.gif
    c:\windows\system32\images\tree\singleminus.gif
    c:\windows\system32\images\tree\singleplus.gif
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    ..
    ..
    ((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
    ..
    ..
    2012-08-09 17:13 . 2012-08-09 17:13 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{684901F6-8A08-4E5E-80A5-19EA9FB7BB8A}\offreg.dll
    2012-08-09 16:27 . 2012-08-09 16:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-08-09 16:27 . 2012-08-09 16:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-08 16:54 . 2012-08-08 17:17 -------- d-----w- C:\FRST
    2012-08-07 20:44 . 2012-02-09 11:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{11B576A1-A077-4017-B9C0-23A2D39E7178}\gapaengine.dll
    2012-08-07 20:43 . 2012-07-15 23:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{684901F6-8A08-4E5E-80A5-19EA9FB7BB8A}\mpengine.dll
    2012-08-07 20:42 . 2012-08-07 20:43 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-07 20:31 . 2012-08-07 20:31 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
    2012-08-07 20:31 . 2012-08-07 20:31 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
    2012-08-07 17:52 . 2012-08-07 17:52 -------- d-----w- c:\users\Irina\AppData\Roaming\Malwarebytes
    2012-08-07 17:52 . 2012-08-07 17:52 -------- d-----w- c:\programdata\Malwarebytes
    2012-08-07 17:07 . 2012-08-07 17:09 -------- d-----w- c:\programdata\036DFF86004E811B005149102F3B6FDA
    ..
    ..
    ..
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    ..
    2012-06-02 22:19 . 2012-06-21 04:06 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 04:06 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 04:06 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 04:06 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 04:06 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 04:06 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 04:06 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 12:19 . 2012-06-21 04:06 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 12:12 . 2012-06-21 04:06 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-08-07 20:31 . 2011-05-06 15:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    ..
    ..
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    ..
    ..
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    ..
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-01-12 1517368]
    ..
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    ..
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-24 39408]
    ..
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-11-09 408088]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-13 98304]
    "IDProtect Monitor"="c:\program files\Athena\IDProtect Client\Utils\IDProtect Monitor.exe" [2010-12-02 323664]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
    2007-04-30 15:19 49152 ----a-w- c:\windows\System32\DeviceNP.dll
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\APSHook.dll
    ..
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ SbHpNp scecli
    ..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 09:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
    2010-01-19 13:24 2499584 ----a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
    2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2004-11-02 18:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2012-02-29 05:55 17148552 ----a-r- c:\program files\Skype\Phone\Skype.exe
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-21 13:14 1183744 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-04-24 05:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CognizanceTS"=rundll32.exe c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-661421830-3107423046-2506441718-1003]
    "EnableNotificationsRef"=dword:00000001
    ..
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    ..
    ..
    --- Other Services/Drivers In Memory ---
    ..
    *NewlyCreated* - WS2IFSL
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    Cognizance REG_MULTI_SZ ASBroker ASChannel
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    ..
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    ..
    Contents of the 'Scheduled Tasks' folder
    ..
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 09:00]
    ..
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 09:00]
    ..
    2012-08-07 c:\windows\Tasks\HPCeeScheduleForIrina.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-07 18:38]
    ..
    ..
    ------- Supplementary Scan -------
    ..
    uStart Page = about:blank
    mStart Page = hxxp://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Irina\AppData\Roaming\Mozilla\Firefox\Profiles\o339tvic.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mkg030&p=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ..
    ..
    **************************************************************************
    ..
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-09 20:15
    Windows 6.0.6002 Service Pack 2 NTFS
    ..
    scanning hidden processes ...
    ..
    scanning hidden autostart entries ...
    ..
    scanning hidden files ...
    ..
    scan completed successfully
    hidden files: 0
    ..
    **************************************************************************
    ..
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    ..
    --------------------- LOCKED REGISTRY KEYS ---------------------
    ..
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    ..
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    ..
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    ..
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    ..
    --------------------- DLLs Loaded Under Running Processes ---------------------
    ..
    - - - - - - - > 'lsass.exe'(712)
    c:\windows\SbHpNp.dll
    ..
    - - - - - - - > 'Explorer.exe'(1460)
    c:\windows\system32\APSHook.dll
    ..
    ------------------------ Other Running Processes ------------------------
    ..
    c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\system32\atiesrxx.exe
    c:\windows\system32\Hpservice.exe
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\AEADISRV.EXE
    c:\program files\Intel\AMT\atchksrv.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Intel\AMT\LMS.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\PDF Complete\pdfsvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Intel\AMT\UNS.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
    c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
    c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    c:\program files\Microsoft Security Client\MpCmdRun.exe
    c:\program files\Microsoft Security Client\MpCmdRun.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\RacAgent.exe
    ..
    **************************************************************************
    ..
    Completion time: 2012-08-09 20:29:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-09 17:29
    ..
    Pre-Run: 32.708.685.824 bytes free
    Post-Run: 33.658.933.248 bytes free
    ..
    - - End Of File - - 92EF4C768AF19BD6CECF15308DAE88A8
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good job!

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
  7. andreyu

    andreyu Newcomer, in training Topic Starter

    Hi, here's the new log:

    ------------------------------------

    ComboFix 12-08-14.05 - Irina 15.08.2012 14:24:02.2.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1250.40.1033.18.2015.896 [GMT 3:00]
    Running from: D:\ComboFix.exe
    Command switches used :: D:\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-15 to 2012-08-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-15 11:33 . 2012-08-15 11:33--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-08-15 11:33 . 2012-08-15 11:33--------d-----w-c:\users\Default\AppData\Local\temp
    2012-08-15 11:14 . 2012-08-15 11:14--------d-----w-c:\programdata\McAfee Security Scan
    2012-08-15 11:14 . 2012-08-15 11:14--------d-----w-c:\programdata\McAfee
    2012-08-15 11:14 . 2012-08-15 11:14--------d-----w-c:\program files\McAfee Security Scan
    2012-08-15 11:13 . 2012-08-15 11:13426184----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-08-15 04:23 . 2012-08-15 04:2329904----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DE02D49-31DC-404C-95C5-3229C2B8AE84}\MpKsld9a55b6c.sys
    2012-08-15 04:22 . 2012-08-15 04:2256200----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DE02D49-31DC-404C-95C5-3229C2B8AE84}\offreg.dll
    2012-08-13 12:31 . 2012-07-15 23:416891424----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DE02D49-31DC-404C-95C5-3229C2B8AE84}\mpengine.dll
    2012-08-09 17:42 . 2012-07-15 23:416891424----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-08 16:54 . 2012-08-08 17:17--------d-----w-C:\FRST
    2012-08-07 20:44 . 2012-02-09 11:17713784----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{11B576A1-A077-4017-B9C0-23A2D39E7178}\gapaengine.dll
    2012-08-07 20:42 . 2012-08-07 20:43--------d-----w-c:\program files\Microsoft Security Client
    2012-08-07 20:31 . 2012-07-14 00:16770384----a-w-c:\program files\Mozilla Firefox\msvcr100.dll
    2012-08-07 20:31 . 2012-07-14 00:16421200----a-w-c:\program files\Mozilla Firefox\msvcp100.dll
    2012-08-07 17:52 . 2012-08-07 17:52--------d-----w-c:\users\Irina\AppData\Roaming\Malwarebytes
    2012-08-07 17:52 . 2012-08-07 17:52--------d-----w-c:\programdata\Malwarebytes
    2012-08-07 17:07 . 2012-08-07 17:09--------d-----w-c:\programdata\036DFF86004E811B005149102F3B6FDA
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-15 11:13 . 2012-01-26 09:5370344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-21 04:0653784----a-w-c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 04:0645080----a-w-c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 04:0635864----a-w-c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 04:06577048----a-w-c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 04:061933848----a-w-c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 04:062422272----a-w-c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 04:0688576----a-w-c:\windows\system32\wudriver.dll
    2012-06-02 12:19 . 2012-06-21 04:06171904----a-w-c:\windows\system32\wuwebv.dll
    2012-06-02 12:12 . 2012-06-21 04:0633792----a-w-c:\windows\system32\wuapp.exe
    2012-07-14 00:17 . 2011-05-06 15:56136672----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-01-12 1517368]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
    [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-24 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-11-09 408088]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-13 98304]
    "IDProtect Monitor"="c:\program files\Athena\IDProtect Client\Utils\IDProtect Monitor.exe" [2010-12-02 323664]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
    2007-04-30 15:1949152----a-w-c:\windows\System32\DeviceNP.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\APSHook.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification PackagesREG_MULTI_SZ SbHpNp scecli
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 09:4431072----a-w-c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
    2010-01-19 13:242499584----a-w-c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
    2008-11-06 17:23772096----a-w-c:\program files\MP4 Player\Mp4Player.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2004-11-02 18:2432768----a-w-c:\program files\CyberLink\PowerDVD\PDVDServ.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2012-02-29 05:5517148552----a-r-c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-02-21 13:141183744----a-w-c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-04-24 05:4239408----a-w-c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CognizanceTS"=rundll32.exe c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-661421830-3107423046-2506441718-1003]
    "EnableNotificationsRef"=dword:00000001
    .
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLD9A55B6C
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetworkREG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcsREG_MULTI_SZ BthServ
    CognizanceREG_MULTI_SZ ASBroker ASChannel
    LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-04-19 20:23452136----a-w-c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 11:14]
    .
    2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 09:00]
    .
    2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 09:00]
    .
    2012-08-15 c:\windows\Tasks\HPCeeScheduleForIrina.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-07 18:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Irina\AppData\Roaming\Mozilla\Firefox\Profiles\o339tvic.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mkg030&p=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-15 14:37
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    [0] 0x2CCA2EB3
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\users\Irina\AppData\Local\Temp\catchme.dll 53248 bytes executable
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(712)
    c:\windows\SbHpNp.dll
    .
    - - - - - - - > 'Explorer.exe'(2184)
    c:\windows\system32\APSHook.dll
    .
    Completion time: 2012-08-15 14:41:20
    ComboFix-quarantined-files.txt 2012-08-15 11:41
    ComboFix2.txt 2012-08-09 17:29
    .
    Pre-Run: 28.437.311.488 bytes free
    Post-Run: 28.602.093.568 bytes free
    .
    - - End Of File - - 4D807CD8B1EB24BB4F1025CADA24BCCB
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


    [​IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [​IMG]

    ------------------------

    Click the Start Scan button.

    [​IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [​IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [​IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
  10. andreyu

    andreyu Newcomer, in training Topic Starter

    Hello, sorry for the lack of reply.

    I had to leave on business and didn't have access to that computer.
    Tomorrow or the day after tomorrow I should be back and be able to follow your latest instructions.

    Thanks again for your help, and sorry for the trouble.
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okie dokie. Look forward to see you then!
     
  12. andreyu

    andreyu Newcomer, in training Topic Starter

    Hi, I've attached the log from TDSS.

    Attached Files:

  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download aswMBR from here

    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below

    [​IMG]

    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

    • Once the scan finishes click Save log to save the log to your Desktop
      [​IMG]
    • Copy and paste the contents of aswMBR.txt back here for review
  14. andreyu

    andreyu Newcomer, in training Topic Starter

    Here's the log from aswMBR:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-22 20:10:01
    -----------------------------
    20:10:01.203 OS Version: Windows 6.0.6002 Service Pack 2
    20:10:01.203 Number of processors: 2 586 0xF0B
    20:10:01.204 ComputerName: PROSYS UserName: Irina
    20:10:31.945 Initialize success
    20:10:45.245 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-8
    20:10:45.248 Disk 0 Vendor: Hitachi_HTS722012K9SA00 DCCOC60A Size: 114473MB BusType: 3
    20:10:45.257 Disk 0 MBR read successfully
    20:10:45.260 Disk 0 MBR scan
    20:10:45.262 Disk 0 unknown MBR code
    20:10:45.265 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 104850 MB offset 63
    20:10:45.286 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8028 MB offset 214734848
    20:10:45.298 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1589 MB offset 231184384
    20:10:45.303 Disk 0 scanning sectors +234438656
    20:10:45.359 Disk 0 scanning C:\Windows\system32\drivers
    20:10:59.288 Service scanning
    20:11:19.373 Service MpKsla43fb658 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{676ECC40-6846-4BF3-AC52-A97F994352A0}\MpKsla43fb658.sys **LOCKED** 32
    20:11:32.406 Service SafeBoot C:\Windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
    20:11:38.771 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    20:12:10.952 Modules scanning
    20:12:31.959 Disk 0 trace - called modules:
    20:12:32.007 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll >>UNKNOWN [0x85ff01f8]<<
    20:12:32.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86a1cac8]
    20:12:32.021 3 CLASSPNP.SYS[895c28b3] -> nt!IofCallDriver -> [0x86816660]
    20:12:32.027 5 hpdskflt.sys[8957ceb7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-8[0x860e8b98]
    20:12:32.034 \Driver\atapi[0x860d37a8] -> IRP_MJ_CREATE -> 0x85ff01f8
    20:12:32.041 Scan finished successfully
    20:13:43.568 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
    20:13:43.577 The log file has been saved successfully to "C:\aswMBR.txt"
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We need to fix the Master Boot Record using aswMBR now.

    • Double click aswMBR.exe to run it like before
    • Once the scan finishes click FixMBR to remove the infection as illustrated below

    [​IMG]


    • Once the scan finishes click Save log to save the log to your Desktop
      [​IMG]
    • Copy and paste the contents of aswMBR.txt back here for review
  16. andreyu

    andreyu Newcomer, in training Topic Starter

    Here's the new log:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-22 21:11:42
    -----------------------------
    21:11:42.233 OS Version: Windows 6.0.6002 Service Pack 2
    21:11:42.234 Number of processors: 2 586 0xF0B
    21:11:42.234 ComputerName: PROSYS UserName: Irina
    21:12:19.949 Initialize success
    21:12:31.172 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-8
    21:12:31.176 Disk 0 Vendor: Hitachi_HTS722012K9SA00 DCCOC60A Size: 114473MB BusType: 3
    21:12:31.192 Disk 0 MBR read successfully
    21:12:31.197 Disk 0 MBR scan
    21:12:31.202 Disk 0 unknown MBR code
    21:12:31.206 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 104850 MB offset 63
    21:12:31.229 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8028 MB offset 214734848
    21:12:31.308 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1589 MB offset 231184384
    21:12:31.324 Disk 0 scanning sectors +234438656
    21:12:31.368 Disk 0 scanning C:\Windows\system32\drivers
    21:12:45.706 Service scanning
    21:12:58.018 Service MpKsl30598a10 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{676ECC40-6846-4BF3-AC52-A97F994352A0}\MpKsl30598a10.sys **LOCKED** 32
    21:13:03.900 Service SafeBoot C:\Windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
    21:13:05.215 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    21:13:11.264 Modules scanning
    21:13:41.737 Disk 0 trace - called modules:
    21:13:41.769 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll >>UNKNOWN [0x85feb1f8]<<
    21:13:41.785 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b0bac8]
    21:13:41.793 3 CLASSPNP.SYS[895cf8b3] -> nt!IofCallDriver -> [0x86a08988]
    21:13:41.800 5 hpdskflt.sys[89589eb7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-8[0x860e8b98]
    21:13:41.808 \Driver\atapi[0x860c7a40] -> IRP_MJ_CREATE -> 0x85feb1f8
    21:13:41.816 Scan finished successfully
    21:14:25.137 Verifying
    21:14:35.166 Disk 0 Windows 600 MBR fixed successfully
    21:16:51.831 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
    21:16:51.842 The log file has been saved successfully to "C:\aswMBR.txt"
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great... now to verify it is clean, run it as normal like you did the first time, and post a fresh log, please.
  18. andreyu

    andreyu Newcomer, in training Topic Starter

    Here's the new log....doesn't seem to have worked :(

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-23 13:54:38
    -----------------------------
    13:54:38.905 OS Version: Windows 6.0.6002 Service Pack 2
    13:54:38.905 Number of processors: 2 586 0xF0B
    13:54:38.906 ComputerName: PROSYS UserName: Irina
    13:55:06.612 Initialize success
    13:55:13.650 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-8
    13:55:13.653 Disk 0 Vendor: Hitachi_HTS722012K9SA00 DCCOC60A Size: 114473MB BusType: 3
    13:55:13.661 Disk 0 MBR read successfully
    13:55:13.666 Disk 0 MBR scan
    13:55:13.669 Disk 0 Windows VISTA default MBR code
    13:55:13.672 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 104850 MB offset 63
    13:55:13.698 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8028 MB offset 214734848
    13:55:13.710 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1589 MB offset 231184384
    13:55:13.716 Disk 0 scanning sectors +234438656
    13:55:13.777 Disk 0 scanning C:\Windows\system32\drivers
    13:55:23.483 Service scanning
    13:55:34.290 Service MpKsl3837d5c0 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{676ECC40-6846-4BF3-AC52-A97F994352A0}\MpKsl3837d5c0.sys **LOCKED** 32
    13:55:40.186 Service SafeBoot C:\Windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
    13:55:41.612 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    13:55:48.152 Modules scanning
    13:56:03.330 Disk 0 trace - called modules:
    13:56:03.381 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll >>UNKNOWN [0x85feb1f8]<<
    13:56:03.389 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869462f8]
    13:56:03.394 3 CLASSPNP.SYS[895c58b3] -> nt!IofCallDriver -> [0x86946c48]
    13:56:03.399 5 hpdskflt.sys[8957feb7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-8[0x860f8b98]
    13:56:03.406 \Driver\atapi[0x860b0c48] -> IRP_MJ_CREATE -> 0x85feb1f8
    13:56:03.412 Scan finished successfully
    13:57:13.259 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
    13:57:13.318 The log file has been saved successfully to "C:\aswMBR.txt"
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Appears fine. Good job!

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  20. andreyu

    andreyu Newcomer, in training Topic Starter

    Here's the ESET log:

    C:\FRST\Quarantine\services.exeWin32/Sirefef.FB.Gen trojandeleted - quarantined
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\nWin32/Sirefef.EV trojancleaned by deleting - quarantined
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@Win32/Conedex.I trojancleaned by deleting - quarantined
    C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\nWin32/Sirefef.EV trojancleaned by deleting - quarantined
    C:\Program Files\MP4 Player\Mp4Player.exeWin32/Ivefound applicationcleaned by deleting - quarantined
    C:\Users\Irina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\S5CWZPY9\index4[1].htmHTML/ScrInject.B.Gen virusdeleted - quarantined
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  22. andreyu

    andreyu Newcomer, in training Topic Starter

    No, everything seems fine now, I haven't had any more issues.

    Thanks again for your help, I really appreciate it.
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Almost done then. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
  24. andreyu

    andreyu Newcomer, in training Topic Starter

    I'll be out of town again, so if it's ok with you I'll complete these final tasks on Monday.
    Have a good week-end!
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okie dokie. ;)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.