Solved Sirefef.R

[RichH]

Microsoft Safety Scanner found Sirefef.R Trojan in C:\Windows\system32\services.exe, but it can't remove it.

I am using Vista SP2, 32bit. I use Security Essentials but it didn't stop this virus. The virus stopped all security oriented services so I have no Windows Firewall, Security Center, or Security Essentials. I get advertising redirects when browsing with Chrome.

Thanks in advance for helping me out.
Rich

 

[Broni]

Welcome aboard

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=========================================

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

I'll expect two logs:
- FRST.txt
- Search.txt

 

[RichH]

Thanks for the warm welcome, Broni!!

FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 07:43:49
Running from G:\
Windows Vista (TM) Home Basic Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-05-24] (Lenovo Group Limited)
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r [61728 2009-04-15] (Lenovo Group Limited)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [185896 2010-12-04] (RealNetworks, Inc.)
HKLM\...\Run: [RoxioDragToDisc] "C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [1116920 2007-03-13] (Roxio)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor [644384 2009-01-14] (Lenovo Group Limited)
HKLM\...\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup [367128 2008-05-29] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [145944 2008-06-16] (Intel Corporation)
HKLM\...\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start [49976 2009-05-27] ()
HKLM\...\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [165208 2008-08-31] (Lenovo Group Limited)
HKLM\...\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe [124248 2008-08-31] (Lenovo Group Limited)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1191936 2009-02-11] (Intel(R) Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [150040 2008-06-16] (Intel Corporation)
HKLM\...\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe [33304 2009-02-22] (Intel Corporation)
HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [182808 2008-11-03] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [170520 2008-06-16] (Intel Corporation)
HKLM\...\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [242976 2008-06-04] (Lenovo Group Ltd.)
HKLM\...\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent [3077432 2008-06-25] (Lenovo Group Limited)
HKLM\...\Run: [CreateLMBCShortCut] "C:\Program Files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [40960 2009-04-13] ()
HKLM\...\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1185112 2010-04-02] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2516296 2010-03-24] (CANON INC.)
HKLM\...\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog [214576 2009-01-14] ()
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-14] (Adobe Systems Incorporated)
HKLM\...\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe [177440 2009-04-16] (Lenovo)
HKLM\...\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [435488 2009-04-16] (Lenovo)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\Rich\...\Run: [Google Update] "C:\Users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe" /c [133104 2009-06-30] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.100.1
Tcpip\..\Interfaces\{3A2487DF-4FC8-4633-91AA-B7B0E8442563}: [NameServer]0.0.0.0
Lsa: [Notification Packages] scecli
ACGina
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
2 FlipShare Service; "C:\Program Files\Flip Video\FlipShare\FlipShareService.exe" [460144 2011-05-06] ()
2 FlipShareServer; "C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe" [1085440 2011-05-06] ()
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [204800 2009-02-11] ()
2 SUService; "C:\Program Files\Lenovo\System Update\SUService.exe" [28672 2009-05-15] (Lenovo Group Limited)
2 TSSCoreService; "C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe" [779576 2008-06-13] (Lenovo)
2 TVT Backup Protection Service; C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [520192 2008-05-24] ()
2 TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [950272 2008-05-24] (Lenovo Group Limited)
2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2058776 2008-05-29] (Intel Corporation)
3 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
2 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
2 ThinkVantage Registry Monitor Service; "c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe" [x]
2 TVT Scheduler; "c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [x]

========================== Drivers (Whitelisted) =============

3 DiracResearchProcessor_WDM; C:\Windows\System32\DRIVERS\diracap.sys [38048 2011-05-12] (Dirac Research AB)
3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [24576 2010-04-05] (HTC1124 Inc)
3 MUXMP; C:\Windows\System32\DRIVERS\mux.sys [29232 2009-02-09] (Intel© Corporation)
3 MUXP; C:\Windows\System32\DRIVERS\mux.sys [29232 2009-02-09] (Intel© Corporation)
3 pae_1394; C:\Windows\System32\Drivers\pae_1394.sys [137088 2010-02-03] (Archwave AG)
3 pae_avs; C:\Windows\System32\Drivers\pae_avs.sys [52608 2010-02-03] (Archwave AG)
3 pdcv2; C:\Windows\System32\DRIVERS\pdcv2.sys [16128 2003-09-22] (DEQX)
3 ROCKEYNT; C:\Windows\System32\DRIVERS\Rockey4.sys [22528 2007-03-30] (Feitian Technologies Co., Ltd.)
3 Rockey_USB; C:\Windows\System32\DRIVERS\Rockey4USB.sys [13824 2007-03-30] (Feitian Technologies Co., Ltd.)
3 ALSysIO; \??\C:\Users\Rich\AppData\Local\Temp\ALSysIO.sys [x]
3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-25 07:43 - 2012-07-25 07:43 - 00000000 ____D C:\FRST
2012-07-24 12:25 - 2012-07-24 12:30 - 70484512 ____A (Microsoft Corporation) C:\Users\Rich\Desktop\msert.exe
2012-07-24 04:13 - 2012-07-24 04:13 - 00769678 ____A C:\Users\Rich\Desktop\bookmarks_7_24_12.html
2012-07-23 20:55 - 2012-07-24 04:09 - 00000000 ____D C:\Program Files\Enigma Software Group
2012-07-23 20:54 - 2012-07-24 04:08 - 00000000 ____D C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-07-23 20:54 - 2012-07-23 20:54 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2012-07-23 17:31 - 2012-07-23 17:34 - 00000368 ____A C:\rkill.log
2012-07-23 17:29 - 2012-07-23 17:30 - 01008141 ____A C:\Users\Rich\Desktop\rkill.com
2012-07-23 13:42 - 2012-07-23 13:42 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-07-23 13:40 - 2012-07-23 13:40 - 00000000 ____D C:\Users\Rich\Desktop\tdskiller
2012-07-23 13:04 - 2012-07-23 13:04 - 00002651 ____A C:\Users\Rich\Desktop\HiJackThis.lnk
2012-07-23 13:04 - 2012-07-23 13:04 - 00000000 ____D C:\Program Files\HiJackThis
2012-07-23 10:31 - 2012-07-23 10:58 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-07-23 10:31 - 2012-07-23 10:33 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-07-22 13:27 - 2012-07-22 13:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-22 12:39 - 2012-07-22 12:59 - 00000000 ____D C:\Users\Rich\AppData\Roaming\.minecraft
2012-07-13 05:50 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-13 05:45 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-13 05:45 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-13 05:45 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-13 05:44 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-13 05:44 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-13 05:44 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-09 18:53 - 2012-07-09 18:53 - 00013484 ____A C:\Users\Rich\Documents\localpw.txt
2012-07-07 09:46 - 2012-07-11 16:55 - 00000862 ____A C:\Users\Rich\Desktop\heal.txt
2012-06-27 04:06 - 2012-06-27 04:12 - 00000000 ____D C:\Users\Rich\Desktop\Christopher Album

============ 3 Months Modified Files ========================

2012-07-25 03:38 - 2006-11-02 04:45 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 03:38 - 2006-11-02 04:45 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 03:37 - 2006-11-02 04:58 - 00032554 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-25 03:37 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 03:33 - 2011-06-28 04:29 - 00000442 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{3C1880B2-4DB5-4B71-A925-8296E0027D74}.job
2012-07-25 03:27 - 2009-06-04 20:26 - 07516608 ____A C:\Windows\System32\TPAPSLOG.LOG
2012-07-25 03:26 - 2006-11-02 02:33 - 00769026 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-25 03:25 - 2009-06-14 11:26 - 119420608 ____A C:\Users\Public\Documents\AccConnAdvanced.dat
2012-07-25 03:25 - 2009-06-14 11:26 - 00020636 ____A C:\Users\Public\Documents\ACGinaWinlogon.dat
2012-07-25 03:25 - 2009-06-14 11:26 - 00003488 ____A C:\Users\Public\Documents\AcIpConfig.dat
2012-07-25 03:24 - 2009-06-14 11:26 - 00066989 ____A C:\Users\Public\Documents\AcSvc.dmp
2012-07-25 03:19 - 2010-04-01 13:08 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-25 03:18 - 2009-06-11 12:17 - 00000252 ____A C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
2012-07-25 03:18 - 2009-06-04 20:12 - 01361465 ____A C:\Windows\WindowsUpdate.log
2012-07-25 02:51 - 2009-06-30 15:05 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3651803881-577552454-1164569185-1003UA.job
2012-07-24 16:32 - 2010-04-01 13:08 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-24 12:30 - 2012-07-24 12:25 - 70484512 ____A (Microsoft Corporation) C:\Users\Rich\Desktop\msert.exe
2012-07-24 10:04 - 2009-06-30 15:05 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3651803881-577552454-1164569185-1003Core.job
2012-07-24 04:13 - 2012-07-24 04:13 - 00769678 ____A C:\Users\Rich\Desktop\bookmarks_7_24_12.html
2012-07-23 18:21 - 2011-01-28 07:28 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-23 17:34 - 2012-07-23 17:31 - 00000368 ____A C:\rkill.log
2012-07-23 17:30 - 2012-07-23 17:29 - 01008141 ____A C:\Users\Rich\Desktop\rkill.com
2012-07-23 13:04 - 2012-07-23 13:04 - 00002651 ____A C:\Users\Rich\Desktop\HiJackThis.lnk
2012-07-16 07:59 - 2009-06-04 20:38 - 00000436 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-07-14 20:10 - 2006-11-02 04:44 - 00437512 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-13 05:46 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-11 16:55 - 2012-07-07 09:46 - 00000862 ____A C:\Users\Rich\Desktop\heal.txt
2012-07-09 18:53 - 2012-07-09 18:53 - 00013484 ____A C:\Users\Rich\Documents\localpw.txt
2012-07-07 16:14 - 2010-02-15 07:58 - 00001762 ___AH C:\Users\Rich\Documents\Default.rdp
2012-07-03 09:46 - 2011-03-01 14:14 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-13 05:40 - 2012-07-13 05:50 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-11 17:07 - 2009-07-07 22:22 - 00178176 ____A C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-08 09:47 - 2012-07-13 05:45 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 16:14 - 2012-06-05 16:14 - 00875008 ____A C:\Users\Rich\Desktop\edge.exe
2012-06-05 08:47 - 2012-07-13 05:45 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-13 05:45 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-13 05:44 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-21 03:39 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 03:39 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 03:39 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 03:39 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 03:39 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 03:39 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 03:39 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-21 03:39 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-21 03:39 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 16:04 - 2012-07-13 05:44 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-13 05:44 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 06:20 - 2008-01-20 19:02 - 00028456 ____A C:\Windows\PFRO.log
2012-05-31 06:31 - 2012-05-24 09:57 - 00000927 ____A C:\Users\Rich\Desktop\Ewave2ndOrderZilch.csp
2012-05-30 06:33 - 2012-05-22 04:28 - 00000866 ____A C:\Users\Rich\Desktop\Ewave1stOrder.csp
2012-05-24 09:56 - 2012-05-24 09:46 - 00000889 ____A C:\Users\Rich\Desktop\Ewave1stOrderAlternate.csp
2012-05-24 06:02 - 2012-05-22 04:28 - 00000863 ____A C:\Users\Rich\Desktop\Ewave2ndOrder.csp
2012-05-22 04:27 - 2012-05-22 04:05 - 00001011 ____A C:\Users\Rich\Desktop\Ewave1.csp
2012-05-14 22:37 - 2012-06-13 03:54 - 01212416 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-14 22:37 - 2012-06-13 03:54 - 00916992 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 22:37 - 2012-06-13 03:54 - 00105984 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-14 22:35 - 2012-06-13 03:54 - 00206848 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-05-14 22:33 - 2012-06-13 03:54 - 06007808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-14 22:33 - 2012-06-13 03:54 - 00629760 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-05-14 22:33 - 2012-06-13 03:54 - 00611840 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-05-14 22:33 - 2012-06-13 03:54 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-14 22:33 - 2012-06-13 03:54 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-05-14 22:32 - 2012-06-13 03:54 - 01469440 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-14 22:32 - 2012-06-13 03:54 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-05-14 22:32 - 2012-06-13 03:54 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 11111424 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 02000384 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 00387584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-05-14 22:31 - 2012-06-13 03:54 - 00055808 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-05-14 21:01 - 2012-06-13 03:54 - 00385024 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-05-14 19:26 - 2012-06-13 03:54 - 00133632 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-14 19:25 - 2012-06-13 03:54 - 00174080 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-05-14 19:24 - 2012-06-13 03:54 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-05-14 19:23 - 2012-06-13 03:54 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-04 12:09 - 2012-05-04 12:09 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-05-04 12:09 - 2011-12-30 14:28 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-05-04 12:09 - 2011-12-30 14:28 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-05-04 12:09 - 2011-12-30 14:28 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-05-04 12:09 - 2010-10-27 20:25 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-05-03 14:30 - 2012-05-03 14:28 - 307440388 ____A C:\Users\Rich\Desktop\SherryDillard1-25-12.flac
2012-05-01 06:03 - 2012-06-13 03:54 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


ZeroAccess:
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\@
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\L
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\U
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\L\00000004.@
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\L\201d3dde
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\U\00000004.@
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\U\00000008.@
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\U\000000cb.@
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\U\80000000.@
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65}\U\80000032.@

ZeroAccess:
C:\Users\Rich\AppData\Local\{6c28141c-61ac-556c-6e74-a732846a1e65}
C:\Users\Rich\AppData\Local\{6c28141c-61ac-556c-6e74-a732846a1e65}\@
C:\Users\Rich\AppData\Local\{6c28141c-61ac-556c-6e74-a732846a1e65}\L
C:\Users\Rich\AppData\Local\{6c28141c-61ac-556c-6e74-a732846a1e65}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 3015.26 MB
Available physical RAM: 2408.75 MB
Total Pagefile: 2774.9 MB
Available Pagefile: 2596.27 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.31 MB

======================= Partitions =========================

1 Drive c: (SW_Preload) (Fixed) (Total:137.82 GB) (Free:34.62 GB) NTFS
2 Drive e: (Lenovo) (Fixed) (Total:9.77 GB) (Free:4.07 GB) NTFS
4 Drive g: (Lexar) (Removable) (Total:7.33 GB) (Free:7.33 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SERVICEV003) (Fixed) (Total:1.46 GB) (Free:0.69 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 7520 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1500 MB 1024 KB
Partition 2 Primary 138 GB 1501 MB
Partition 3 Primary 10 GB 139 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SERVICEV003 NTFS Partition 1500 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C SW_Preload NTFS Partition 138 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Lenovo NTFS Partition 10 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7519 MB 1380 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G Lexar FAT32 Removable 7519 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-24 16:50

======================= End Of Log ==========================



Search.txt:
Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-25 07:45:37
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-07-05 18:26] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:34] - [2008-01-20 18:34] - 0279040 ____N (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-07-05 18:26] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-07-05 18:26] - [2009-04-10 22:27] - 0279552 ____N (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===

 

[Broni]

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next...

Restart normally....

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

• Double-click on the Rkill icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[RichH]

Fixlog.txt
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-25 14:32:06 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{6c28141c-61ac-556c-6e74-a732846a1e65} moved successfully.
C:\Users\Rich\AppData\Local\{6c28141c-61ac-556c-6e74-a732846a1e65} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====



Broni,
When I run ComboFix it gives a warning message:
"ComboFix has detected the following real-time scanners to be active:
antivirus: Microsoft Security Essentials
antispyware: Microsoft Security Essentials
Please disable these before clicking OK"

I had already completely uninstalled Security Essentials a couple days ago using Revo uninstall set to the highest cleaning setting. It completed successfully. I don't see SE running in the "Processes" list of Task Manager. I ran "Appremover" as you suggested and it found my MBAM and SpyBotS&D installations (inactive) but did not find SE.

Should I ignore the CombiFix warning about Security Essentials and continue anyway?
Thanks Broni,
Rich

 

[Broni]

Yes, go ahead.

 

[RichH]

ComboFix.txt

ComboFix 12-07-26.03 - Rich 07/25/2012 15:32:34.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3015.1679 [GMT -4:00]
Running from: c:\users\Rich\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\windows\msvcr71.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
Q:\AUTORUN.INF
S:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))
.
.
2012-07-25 15:43 . 2012-07-25 15:43--------d-----w-C:\FRST
2012-07-24 04:55 . 2012-07-24 12:09--------d-----w-c:\program files\Enigma Software Group
2012-07-24 04:54 . 2012-07-24 12:08--------d-----w-c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-07-24 04:54 . 2012-07-24 04:54--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2012-07-23 21:42 . 2012-07-23 21:42--------d-----w-C:\TDSSKiller_Quarantine
2012-07-23 21:04 . 2012-07-23 21:04388096----a-r-c:\users\Rich\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-23 18:31 . 2012-07-23 18:58--------d-----w-c:\programdata\Spybot - Search & Destroy
2012-07-23 18:31 . 2012-07-23 18:33--------d-----w-c:\program files\Spybot - Search & Destroy
2012-07-23 18:25 . 2012-07-23 18:25--------d-----w-c:\users\Rich\AppData\Local\ElevatedDiagnostics
2012-07-22 21:27 . 2012-07-22 21:27--------d-sh--w-c:\windows\system32\%APPDATA%
2012-07-22 20:39 . 2012-07-22 20:59--------d-----w-c:\users\Rich\AppData\Roaming\.minecraft
2012-07-13 13:50 . 2012-06-13 13:402047488----a-w-c:\windows\system32\win32k.sys
2012-07-13 13:45 . 2012-06-05 16:47708608----a-w-c:\program files\Common Files\System\ado\msado15.dll
2012-07-13 13:45 . 2012-06-05 16:471401856----a-w-c:\windows\system32\msxml6.dll
2012-07-13 13:45 . 2012-06-05 16:471248768----a-w-c:\windows\system32\msxml3.dll
2012-07-13 13:44 . 2012-06-04 15:26440704----a-w-c:\windows\system32\drivers\ksecdd.sys
2012-07-13 13:44 . 2012-06-02 00:03204288----a-w-c:\windows\system32\ncrypt.dll
2012-07-13 13:44 . 2012-06-02 00:04278528----a-w-c:\windows\system32\schannel.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 17:46 . 2011-03-01 22:1422344----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-21 11:3953784----a-w-c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 11:3945080----a-w-c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 11:3935864----a-w-c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 11:39577048----a-w-c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 11:391933848----a-w-c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 11:392422272----a-w-c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 11:3988576----a-w-c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 11:39171904----a-w-c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 11:3933792----a-w-c:\windows\system32\wuapp.exe
2012-05-15 06:37 . 2012-06-13 11:54916992----a-w-c:\windows\system32\wininet.dll
2012-05-15 06:32 . 2012-06-13 11:5443520----a-w-c:\windows\system32\licmgr10.dll
2012-05-15 06:32 . 2012-06-13 11:541469440----a-w-c:\windows\system32\inetcpl.cpl
2012-05-15 06:31 . 2012-06-13 11:54109056----a-w-c:\windows\system32\iesysprep.dll
2012-05-15 06:31 . 2012-06-13 11:5471680----a-w-c:\windows\system32\iesetup.dll
2012-05-15 05:01 . 2012-06-13 11:54385024----a-w-c:\windows\system32\html.iec
2012-05-15 03:26 . 2012-06-13 11:54133632----a-w-c:\windows\system32\ieUnatt.exe
2012-05-15 03:23 . 2012-06-13 11:541638912----a-w-c:\windows\system32\mshtml.tlb
2012-05-04 20:09 . 2012-05-04 20:09476960----a-w-c:\windows\system32\npdeployJava1.dll
2012-05-04 20:09 . 2010-10-28 04:25472864----a-w-c:\windows\system32\deployJava1.dll
2012-05-01 14:03 . 2012-06-13 11:54180736----a-w-c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:1994208----a-w-c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:1994208----a-w-c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:1994208----a-w-c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-24 206240]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-12-04 185896]
"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2009-02-23 33304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-11-03 182808]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2009-04-16 177440]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-04-16 435488]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-5 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office 2000\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetworkREG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 21:08]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 21:08]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3651803881-577552454-1164569185-1003Core.job
- c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-30 23:05]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3651803881-577552454-1164569185-1003UA.job
- c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-30 23:05]
.
2012-07-16 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]
.
2012-07-25 c:\windows\Tasks\User_Feed_Synchronization-{3C1880B2-4DB5-4B71-A925-8296E0027D74}.job
- c:\windows\system32\msfeedssync.exe [2012-06-13 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.100.1
TCP: Interfaces\{3A2487DF-4FC8-4633-91AA-B7B0E8442563}: NameServer = 0.0.0.0
DPF: Web-Based Email Tools - hxxp://email05.secureserver.net/Download.CAB
FF - ProfilePath - c:\users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\h6onl1c9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-LAME for Audacity_is1 - c:\program files\Audacity\Lame for Audacity\unins000.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3651803881-577552454-1164569185-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1022E41E-5986-485A-979E-242FEE380E88}* = 0*]
"AppName"="Roblox.exe"
"Policy"=dword:00000003
"AppPath"="c:\\Users\\Rich\\AppData\\Local\\Roblox\\Versions\\version-3bc3e39888854c74\\"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3456)
c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\iashost.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-07-25 15:45:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-25 19:44
.
Pre-Run: 38,225,571,840 bytes free
Post-Run: 37,692,157,952 bytes free
.
- - End Of File - - E70613497B7E33F81EA2BF66FE3DD615



Changes I noticed:
No more popup advertisements when browsing web.
Windows Firewall is now on.
Windows Update now works.
Security Center service still won't start.

I currently have no virus protection running. Should I reinstall MS Security Essentials now as your instructions recommend, or wait until your green light?

Can you recommend a virus protection will prevent Sirefef variants? Security Essentials did not prevent it.

Thanks,
Rich

 

[Broni]

Combofix looks good.

You can reinstall MSE now.
Keep in mind that there is no perfect security program.
It's mostly about your surfing habits.
I'll post some hints at the end of this topic.

======================================

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

===================================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Scan All Users checkbox.
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[RichH]

MBAM_log.txt:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.25.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19272
Rich :: RICHLAPTOP [administrator]

7/25/2012 6:53:55 PM
mbam-log-2012-07-25 (18-53-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: File System | P2P
Objects scanned: 187979
Time elapsed: 1 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
I get an error message when I try to run OTL:
"C:\temp\OTL.exe
The directory name is invalid."
I also saved it to Desktop, but same error message.
Thanks,
Rich

 

[RichH]

Thanks for the advice about virus protection. MS SE has always worked fine for me, but I ignored a warning on a forum from Chrome about viewing a linked jpg from a site known for hosting malware, and I think that's when funny things started happening. Next day I let my teenager use the PC for a few hours then it was definitely infected after that. But I think it was me...

Can you advise how to restore Windows Security Center, or should I ask that in the software section?
Thanks
Rich

 

[Broni]

Delete your OTL file, download fresh one, disable your AV program and try again.

 

[Broni]

Can you advise how to restore Windows Security Center, or should I ask that in the software section?

We'll get there.
For now read my previous reply.

 

[RichH]

Thank you Broni.

I deleted and re-downloaded OTL 3 times to different folders. It gave the same error message each time. I have no AV program running yet.

I just tried to re-install MSE, but it gave the same error message that I saw with OTL.

"C:\Users\Rich\Desktop\mseinstall.exe

The directory name is invalid."

 

[RichH]

A reboot fixed the above error, but new errors have appeared. I will try to get it running. Just wanted to post to avoid wasting your time on the previous error message.

 

[Broni]

Are you logged as administrator?
If yes, shut the computer down, wait 1 minute, restart and see how it goes.

 

[Broni]

We posted at the same time

 

[RichH]

My account is administrator. Right click run as Admin does not help. I will try cold shutdown.

As it is now, I am getting a Windows message "OTL has stopped working."

Then another window opens offering
"Files that help describe the problem:
C:\Users\Rich\AppData\Local\temp\WERA3AE.tmp.version.txt
C:\Users\Rich\AppData\Local\temp\WERB29D.tmp.appcompat.txt
C:\Users\Rich\AppData\Local\temp\WERB2CD.tmp.mdmp"

These files disappear when I close the error message dialogs. But I can save the text files while they are visible. One describes OS and computer specs. The other txt file looks to be a list of unregistered executables. The third file *.mdmp is not text.

I will try the cold boot now to see if that helps. Thanks

 

[RichH]

After cold boot I still get the same Windows message.
"OTL has stopped working."

 

[Broni]

Run OTL from safe mode.

 

[RichH]

Running OTL is safe mode returns this message:

"Application Error
Exception EOleSysError in module OTL.exe at 000584A5.
Class not registered."

Security Essentials installed OK. I have the Real Time Protection disabled now to run OTL, but I had these same error messages even before I installed MSE.

 

[Broni]

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click on List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[RichH]

All completed successfully. Thanks

checkup.txt:
Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
Java(TM) 6 Update 32
Java(TM) 6 Update 7
Out of date Java installed!
Mozilla Thunderbird (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
``````````End of Log````````````
FSS.txt:
Farbar Service Scanner Version: 22-07-2012
Ran by Rich (administrator) on 26-07-2012 at 11:12:03
Running from "C:\Users\Rich\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
ESET.txt
C:\FRST\Quarantine\services.exeWin32/Sirefef.FB.Gen trojandeleted - quarantined
C:\FRST\Quarantine\{6c28141c-61ac-556c-6e74-a732846a1e65}\U\80000000.@a variant of Win32/Sirefef.FA trojancleaned by deleting - quarantined
C:\FRST\Quarantine\{6c28141c-61ac-556c-6e74-a732846a1e65}\U\80000032.@a variant of Win32/Sirefef.FD trojancleaned by deleting - quarantined
Thanks Broni
Rich

 

[Broni]

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Do NOT post JavaRa log.

=======================================

We have one corrupted registry key affecting Windows updates.

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on bits.reg file and confirm the prompt.
Restart computer.
Post new FSS log.

 

[RichH]

Above steps complete. The computer is running fast now.
Windows Update works now.


FSS.txt
Farbar Service Scanner Version: 26-07-2012
Ran by Rich (administrator) on 26-07-2012 at 18:04:09
Running from "C:\Users\Rich\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

 

[Broni]

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.