Inactive Vista Sirefef.r problem -- rebooting every minute

Log from OTL: Also, I can't run FSS in regular mode -- again with "A Device Attached to the System is not functioning". I don't know what's causing that. I'll run FSS in safe mode, assuming it runs there.

All processes killed
========== OTL ==========
Service SBSDWSCService stopped successfully!
Service SBSDWSCService deleted successfully!
File C:\Program Files\Spybot not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
C:\FRST\Quarantine\{4b093b68-8c67-1628-5af8-f8e50037688c}\U folder moved successfully.
C:\FRST\Quarantine\{4b093b68-8c67-1628-5af8-f8e50037688c}\L folder moved successfully.
C:\FRST\Quarantine\{4b093b68-8c67-1628-5af8-f8e50037688c} folder moved successfully.
C:\FRST\Quarantine folder moved successfully.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\@ moved successfully.
File C:\Users\M H\AppData\Local\rl852wj330mmqr47288lc35317u85ux808k2yc5m5cr101 not found.
C:\ProgramData\rl852wj330mmqr47288lc35317u85ux808k2yc5m5cr101 moved successfully.
ADS C:\Users\HRH Queen Adminia\Desktop\OpenOffice.org 3.2 (en-US) Installation Files:Roxio EMC Stream deleted successfully.
ADS C:\Users\HRH Queen Adminia\Desktop\Admin:Roxio EMC Stream deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\U folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\L folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c} folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Caleb
->Temporary Internet Files folder emptied: 14490389 bytes

User: Default
->Temporary Internet Files folder emptied: 78991 bytes

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: HRH Queen Adminia
->Temporary Internet Files folder emptied: 13159941 bytes

User: M H
->Temporary Internet Files folder emptied: 728556622 bytes

User: Public

User: TEMP

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5510 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 536966 bytes
RecycleBin emptied: 7759385 bytes

Total Files Cleaned = 729.00 mb


[EMPTYJAVA]

User: All Users

User: Caleb

User: Default

User: Default User

User: HRH Queen Adminia

User: M H

User: Public

User: TEMP

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Caleb

User: Default

User: Default User

User: HRH Queen Adminia

User: M H

User: Public

User: TEMP

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 07302012_181344

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
"Device Attached to the System is not functioning"
You're not using some remote connection?
 
Nope. Stand-alone laptop. Current problems are: Invalid Windows Registration Key (it got hosed, refuses to take the key that came with it because it's "in use" -- you know, by the laptop. Have to go through Microsoft support to fix it, and haven't yet done that).

Some issue with it not recognizing the laptop battery (that appears in the BIOS startup) which predated the infection and is probably a sign the battery is dead. Apparently a common issue with the Inspiron 1501 -- I was going to try updating the BIOS when everything's done to see if that fixes it, then replace the battery.

A very quick look at the device manager showed no obvious conflicts (just expanded it and looked for red or yellow icons). I have not tried to run any other programs than the ones here -- Malwarebytes was previously installed and worked fine. Same for MSE. The programs I've downloaded and executed off the desktop appear to all be failing.

Here's the log from FSS -- in safe mode, so I suspect it's not what you need:

Farbar Service Scanner Version: 26-07-2012
Ran by HRH Queen Adminia (administrator) on 30-07-2012 at 18:38:01
Running from "C:\Users\HRH Queen Adminia\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
The start type of Nsi service is OK.
The ImagePath of Nsi service is OK.
The ServiceDll of Nsi service is OK.

nsiproxy Service is not running. Checking service configuration:
The start type of nsiproxy service is OK.
The ImagePath of nsiproxy service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\EnableFirewall value. The value does not exist.
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall value. The value does not exist.


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2011-01-13 07:48] - [2008-01-19 02:34] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
 
I still need Security Check log.

We have several registry keys missing.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on bits.reg file and confirm the prompt.
Double click on mpssvc.reg file and confirm the prompt.
Double click on bfe.reg file and confirm the prompt.
Restart computer.
Post new FSS log.
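The FSS log above flags BITS, MpsSvc and bfe because their service keys or Start values are gone. The following PowerShell script is an added example, not part of the thread and not FSS's or OTL's own code: it reproduces the same service-configuration check (key present, Start value, ImagePath, ServiceDll and whether that DLL exists on disk) so the result of importing the .reg files can be confirmed before and after the reboot. The expected start types are an assumption taken from what the FSS log reports as the defaults (Auto = 2, Demand = 3, Disabled = 4).

```powershell
# Added example: re-check the service keys the FSS log above flagged.
# Run from an elevated PowerShell prompt; read-only, changes nothing.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Services flagged in the log, with the start type the log calls the default
# (assumption: 2 = Auto, as FSS reports for these on Vista).
$Expected = @{
    'BITS'      = 2
    'MpsSvc'    = 2
    'bfe'       = 2
    'WinDefend' = 2
}

function Test-ServiceKey {
    param([string]$Name, [int]$ExpectedStart)
    $key = Join-Path $ServicesRoot $Name
    if (-not (Test-Path $key)) {
        # Same condition FSS reports as "The service key does not exist."
        return [pscustomobject]@{ Service = $Name; Status = 'KEY MISSING'; Detail = "$key does not exist" }
    }
    $props    = Get-ItemProperty -Path $key
    $problems = @()
    if ($null -eq $props.Start) {
        $problems += 'Start value missing'            # the BITS case in the log
    } elseif ($props.Start -ne $ExpectedStart) {
        $problems += "Start is $($props.Start), expected $ExpectedStart"
    }
    if (-not $props.ImagePath) { $problems += 'ImagePath missing' }
    # svchost-hosted services keep their DLL path in Parameters\ServiceDll.
    $params = Join-Path $key 'Parameters'
    if (Test-Path $params) {
        $dll = (Get-ItemProperty -Path $params).ServiceDll
        if (-not $dll) {
            $problems += 'ServiceDll missing'
        } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
            $problems += "ServiceDll file not found: $dll"
        }
    }
    $status = if ($problems.Count) { 'ATTENTION' } else { 'OK' }
    [pscustomobject]@{ Service = $Name; Status = $status; Detail = ($problems -join '; ') }
}

$Expected.GetEnumerator() |
    ForEach-Object { Test-ServiceKey -Name $_.Key -ExpectedStart $_.Value } |
    Format-Table -AutoSize
```

Run it once before importing the .reg files to see the three keys reported as missing, and again after the restart to confirm every row reads OK.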
 
Security Check:
Results of screen317's Security Check version 0.99.43
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Lavasoft Ad-Watch Live! Anti-Virus
Microsoft Security Essentials
(On Access scanning disabled!)
Error obtaining update status for antivirus!
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
Java(TM) 6 Update 31
Java version out of Date!
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4 % Defragment your hard drive soon!
````````````````````End of Log``````````````````````
 
I still cannot run anything from the standard desktop -- I get "a device attached to the system is not functioning"
 
I've never seen this error before but I suspect it may have something to do with invalid Windows key.
I suggest you call MS and solve this issue first.
 
I'm trying to work with Microsoft now to get Vista reenabled, but it shouldn't be in the way. Is it possible that popup is not a Windows direct popup, but malign behavior? Designed to prevent me from running executables? (Although it doesn't seem to stop installed programs -- anything already installed works fine, but double-clicking a .exe from any location doesn't seem to work).

I did not see anything in the Event logs that indicated a problem was filed, nor did I see any conflicts -- but I'm not 100% sure I'm looking in the right place.
 
I believe reactivating Vista is a lost cause. The nice people at Microsoft informed me the problem is most likely corrupted or missing files -- which also explains the inability to execute some files. They'd like me to do a System Restore to a week or so back.

If that doesn't work, I'm guessing my best bet is to simply save my critical files to a DVD and reformat the drive and reinstall everything from scratch.

I'm hesitant to try the system restore without a go-ahead from you, since I'd prefer not to reinfect myself.
 
Give system restore a shot.
If we have to start from scratch afterwards, we will.
 
Will do. I don't honestly expect it to work. Is this particular infection one that can spread via regular files? Word documents, images, that sort of thing? I suspect I'll be backing up word documents, photographs and video, and then formatting the drive and reinstalling from scratch.

However, I will post tomorrow if the restore worked. As it is, it's restoring now; then I'll run a Malwarebytes Full Scan and see if anything pops up.
 
Whatever you back up, you have to scan with your AV program before putting anything back.
 
That's a given. Plan to consolidate everything -- data, favorites list, anything else useful, into a central repository then burn it to DVD. Then format and reinstall Vista, update it, install scanners and whatnot, then scan the DVD before copying any files.

I actually plan to scan the repository before I burn it too.
 
Can you recommend what tools to use to scan a DVD or flash drive to ensure it's clean, given the infection I had and not wanting to spread it to a new install? Is MSE sufficient?
 
Will do. I'm pretty close to done with reinstalling the OS on a freshly formatted drive (have the previously infected drive sitting in an external enclosure, unattached). I'll run Panda or BitDefender and then plug it in and scan it with MSE.

I think you can probably mark this one as closed if MSE doesn't pick up anything.
 
MSE scan on E: (my old main drive, now connected via USB enclosure -- and I used Panda USB vaccine) found three issues.

All Java exploits, all buried in Users\M H\AppData\LocalLow\Sun\Java\Deployment\Cache\6.0\30

MSE cleaned them all. I haven't installed Java on the new OS yet (unless it's part of Vista SP2, IE9 or Office 2007 install -- all I've done is install Vista, patch it to SP2 and then the latest which included IE9, and then install and patch Office 2007. And created restore points. And then finally Panda and then plugged in the old drive via the USB port).

Should I run anything else, or am I good to move data across?
 
As long as you have everything up to date, AV on, firewall on you should be good to go.
 
Yep. MSE with real-time protection, Windows Firewall up, Panda USB protection on -- only thing I'm missing is Spybot at this point. Thanks for the help! This way I'm at least saving all the data.