Removal of Trojans: Sirefef, Small, LameShield, Dropper & Zaccess and Rootkit.0Access

zia16sun · June 12, 2012

This is a continuation of http://forums.malwarebytes.org/index.php?showtopic=110776&hl=&fromsearch=1 which was mistakenly "taken over" by yours truly as a newbie to the forum. For clarity's sake, we continue the removal process here.

I'm in the process of removing five trojans from a friend's computer: Trojan.Sirefef, Trojan.Small, Trojan.LameShield, Trojan.Dropper and Trojan.Zaccess, as well as Rootkit.0Access. I've determined from my forum searches that brought me to the aforementioned forum (to which I inadvertently responded to the very helpful gringo_pr's instructions) that the Trojan.Sirefef, Trojan.Small and Rootkit.0Access are responsible for causing her system to reboot continuously, only staying up for 1-2 minutes at the most before an alert message advising that Windows has encountered a critical error and will reboot in one minute appears.

Continuing

The latest FRST log is as follows:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 06-06-2012 04

Ran by SYSTEM at 07-06-2012 15:50:49

Running from E:\

Windows Vista ™ Home Basic Service Pack 1 (X86) OS Language: English(US)

The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [249856 2009-06-19] (Alps Electric Co., Ltd.)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [458844 2009-07-31] (IDT, Inc.)

HKLM\...\Run: [igfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-02-26] (Intel Corporation)

HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [173592 2009-02-26] (Intel Corporation)

HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [150552 2009-02-26] (Intel Corporation)

HKLM\...\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-02-11] (Intel Corporation)

HKLM\...\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [657920 2009-11-02] (Dell Inc.)

HKLM\...\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [147328 2010-01-05] (Wave Systems Corp.)

HKLM\...\Run: [uSCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-01-05] (Broadcom Corporation)

HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981680 2012-04-04] (Malwarebytes Corporation)

HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard)

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)

HKU\Crys\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)

HKU\Crys\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-08-14] (Google Inc.)

HKU\Crys\...\Policies\system: [LogonHoursAction] 2

HKU\Crys\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

HKU\Guest\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-08-14] (Google Inc.)

HKU\Michael\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-08-14] (Google Inc.)

HKU\Michael\...\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent [x]

HKU\Michael\...\Policies\system: [LogonHoursAction] 2

HKU\Michael\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 208.67.222.222

Lsa: [Authentication Packages] msv1_0

wvauth

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk

ShortcutTarget: Dell ControlPoint System Manager.lnk -> C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk

ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\TdmNotify.lnk

ShortcutTarget: TdmNotify.lnk -> C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

ShortcutTarget: WDSmartWare.lnk -> C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)

Startup: C:\Users\Michael\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

3 AdobeFlashPlayerUpdateSvc; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [257696 2012-05-04] (Adobe Systems Incorporated)

2 alssvc; "C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe" [382232 2008-06-03] (Dell Inc.)

2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1803512 2009-05-15] (AuthenTec, Inc.)

2 buttonsvc32; "C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe" [278304 2009-11-20] (Dell Inc.)

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)

3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [655624 2010-12-27] (Acresso Software Inc.)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)

4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [124240 2010-03-18] (Microsoft Corporation)

4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)

2 Secunia PSI Agent; "C:\Program Files\Secunia\PSI\PSIA.exe" --start-service [993848 2011-04-18] (Secunia)

2 Secunia Update Agent; "C:\Program Files\Secunia\PSI\sua.exe" --start-service [399416 2011-04-18] (Secunia)

3 SecureStorageService; "C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [1032192 2009-11-18] (Wave Systems Corp.)

2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3063968 2012-04-09] (Skype Technologies S.A.)

2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-04-05] (Skype Technologies)

2 sprtlisten; C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe /identity QUICKASSIST [1213728 2008-01-08] (SupportSoft, Inc.)

2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\STacSV.exe [221266 2009-07-31] (IDT, Inc.)

3 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [394608 2008-01-08] (SupportSoft, Inc.)

2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1273856 2008-11-12] ()

2 TdmService; "C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe" [1148264 2009-11-24] (Wave Systems Corp.)

2 WDDMService; "C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe" [110592 2009-11-13] (WDC)

2 WDSmartWareBackgroundService; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe" [20480 2009-06-16] (Memeo)

2 dcpsysmgrsvc; "c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe" [x]

2 EvtEng; c:\Program Files\Intel\WiFi\bin\EvtEng.exe [x]

2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]

4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]

3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

2 RegSrvc; c:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [x]

4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]

4 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]

2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 ApfiltrService; C:\Windows\System32\DRIVERS\Apfiltr.sys [217136 2009-11-24] (Alps Electric Co., Ltd.)

3 IntcHdmiAddService; C:\Windows\System32\drivers\IntcHdmi.sys [112128 2009-02-26] (Intel® Corporation)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)

3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-06-07] (Malwarebytes Corporation)

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)

1 MpKsl77c026b2; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4DDCD221-1D60-492B-91EB-92D7C46B40B6}\MpKsl77c026b2.sys [29904 2012-06-05] (Microsoft Corporation)

3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [74112 2012-03-20] (Microsoft Corporation)

0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)

3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)

4 rimspci; C:\Windows\system32\drivers\rimspe86.sys [45056 2009-04-03] (REDC)

4 risdpcie; C:\Windows\system32\drivers\risdpe86.sys [48640 2009-04-03] (REDC)

4 rixdpcie; C:\Windows\system32\drivers\rixdpe86.sys [38400 2009-04-03] (REDC)

4 RsFx0103; C:\Windows\System32\DRIVERS\RsFx0103.sys [239336 2009-03-30] (Microsoft Corporation)

2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [211328 2010-01-05] (Wave Systems Corp.)

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 NvtSp50; C:\Windows\System32\Drivers\NvtSp50.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-06-07 11:37 - 2012-06-07 11:38 - 00000000 ____D C:\FRST

2012-06-07 11:35 - 2012-06-07 11:35 - 00000000 __SHD C:\Config.Msi

2012-06-05 09:35 - 2012-06-07 13:38 - 3174215680 __ASH C:\hiberfil.sys

2012-06-05 09:10 - 2012-06-07 07:46 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2012-06-03 09:28 - 2012-06-03 09:28 - 00002154 ____A C:\Windows\epplauncher.mif

2012-06-03 09:27 - 2012-06-03 09:28 - 00000000 ____D C:\Program Files\Microsoft Security Client

2012-06-03 09:27 - 2010-04-05 12:00 - 00221568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2012-06-02 16:31 - 2012-06-05 09:19 - 00000000 ____D C:\Users\Crys\AppData\Local\LogMeIn Rescue Applet

2012-06-02 10:44 - 2012-06-02 10:44 - 00000000 __SHD C:\Windows\System32\%APPDATA%

2012-05-26 09:20 - 2012-05-28 16:05 - 00010578 ____A C:\Users\Crys\Documents\Nutrition.xlsx

2012-05-26 09:16 - 2012-05-26 09:16 - 00000000 ____D C:\Users\Crys\Desktop\MMA

2012-05-11 17:21 - 2012-03-30 04:39 - 00914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-05-11 17:21 - 2012-03-29 05:39 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2012-05-11 17:21 - 2012-03-20 15:28 - 00053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-05-11 17:21 - 2012-03-01 06:46 - 00219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2012-05-11 17:21 - 2012-03-01 06:46 - 00160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2012-05-11 17:21 - 2012-02-29 06:08 - 01172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2012-05-11 17:21 - 2012-02-29 05:44 - 00683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2012-05-11 17:21 - 2012-02-29 05:41 - 01069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-05-11 17:20 - 2012-04-03 00:16 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-05-11 17:20 - 2012-04-03 00:16 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-05-11 17:20 - 2012-04-02 05:36 - 02044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

============ 3 Months Modified Files and Folders ===============

2012-06-07 13:39 - 2006-11-02 04:58 - 0032596 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-06-07 13:39 - 2006-11-02 04:58 - 0000006 ___AH C:\Windows\Tasks\SA.DAT

2012-06-07 13:38 - 2012-06-05 09:35 - 3174215680 __ASH C:\hiberfil.sys

2012-06-07 13:38 - 2006-11-02 04:45 - 0003664 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-06-07 13:38 - 2006-11-02 04:45 - 0003664 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-06-07 11:52 - 2009-04-11 05:18 - 0279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe

2012-06-07 11:51 - 2010-09-20 14:50 - 0902938 ____A C:\Windows\ntbtlog.txt

2012-06-07 11:51 - 2010-08-14 12:20 - 0000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-06-07 11:51 - 2010-04-12 19:43 - 0000000 ____A C:\Users\Crys\AppData\Local\WavXMapDrive.bat

2012-06-07 11:43 - 2012-05-05 13:11 - 0000000 ____D C:\Users\All Users\boost_interprocess

2012-06-07 11:38 - 2012-06-07 11:37 - 0000000 ____D C:\FRST

2012-06-07 11:35 - 2012-06-07 11:35 - 0000000 __SHD C:\Config.Msi

2012-06-07 11:34 - 2010-08-14 12:20 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-06-07 07:46 - 2012-06-05 09:10 - 0040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys

2012-06-07 07:46 - 2012-03-29 07:24 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-06-05 09:33 - 2010-04-06 19:25 - 1944952 ____A C:\Windows\WindowsUpdate.log

2012-06-05 09:19 - 2012-06-02 16:31 - 0000000 ____D C:\Users\Crys\AppData\Local\LogMeIn Rescue Applet

2012-06-05 09:17 - 2008-01-20 19:02 - 0055636 ____A C:\Windows\PFRO.log

2012-06-03 09:28 - 2012-06-03 09:28 - 0002154 ____A C:\Windows\epplauncher.mif

2012-06-03 09:28 - 2012-06-03 09:27 - 0000000 ____D C:\Program Files\Microsoft Security Client

2012-06-03 09:28 - 2006-11-02 02:33 - 0866950 ____A C:\Windows\System32\PerfStringBackup.INI

2012-06-03 09:21 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\registration

2012-06-03 09:19 - 2010-04-12 20:10 - 0000000 ____D C:\Users\All Users\Symantec

2012-06-02 16:54 - 2010-12-31 14:22 - 0000000 ____D C:\Windows\symbols

2012-06-02 16:27 - 2010-08-14 12:17 - 0000000 ____D C:\Users\Crys\AppData\Roaming\Skype

2012-06-02 10:44 - 2012-06-02 10:44 - 0000000 __SHD C:\Windows\System32\%APPDATA%

2012-05-28 16:05 - 2012-05-26 09:20 - 0010578 ____A C:\Users\Crys\Documents\Nutrition.xlsx

2012-05-26 09:16 - 2012-05-26 09:16 - 0000000 ____D C:\Users\Crys\Desktop\MMA

2012-05-23 04:54 - 2010-04-07 01:01 - 0000000 ____D C:\Program Files\Microsoft Silverlight

2012-05-16 06:05 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET

2012-05-13 12:42 - 2006-11-02 04:44 - 2303584 ____A C:\Windows\System32\FNTCACHE.DAT

2012-05-12 12:33 - 2010-05-25 08:02 - 0000000 ____D C:\Users\All Users\Microsoft Help

2012-05-12 12:29 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-05-12 12:03 - 2006-11-02 04:35 - 0000000 ____D C:\Windows\System32\XPSViewer

2012-05-07 05:16 - 2012-05-07 05:16 - 0000000 ____D C:\Users\Crys\AppData\Roaming\Foxit Software

2012-05-07 05:13 - 2010-04-12 20:15 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-05-07 05:12 - 2012-05-07 05:12 - 0000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-05-05 13:11 - 2012-05-05 13:10 - 0000000 ___RD C:\Program Files\Skype

2012-05-05 13:11 - 2010-08-14 12:14 - 0000000 ____D C:\Users\All Users\Skype

2012-05-05 13:10 - 2012-05-05 13:10 - 0001878 ____A C:\Users\Public\Desktop\Skype.lnk

2012-05-05 13:10 - 2012-05-05 13:10 - 0000000 ____D C:\Program Files\Common Files\Skype

2012-05-04 16:46 - 2012-03-29 07:24 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2012-05-04 16:46 - 2011-05-15 11:55 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-04-29 06:37 - 2006-11-02 04:49 - 0147796 ____A C:\Windows\setupact.log

2012-04-20 07:51 - 2012-04-20 07:39 - 0034901 ____A C:\Users\Crys\Desktop\lyrics.docx

2012-04-04 13:56 - 2010-04-12 20:15 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-04-03 00:16 - 2012-05-11 17:20 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe

2012-04-03 00:16 - 2012-05-11 17:20 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

2012-04-02 05:36 - 2012-05-11 17:20 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-03-30 11:57 - 2012-03-30 11:57 - 0001666 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-03-30 11:57 - 2012-03-09 12:53 - 0000000 ____D C:\Program Files\iTunes

2012-03-30 11:56 - 2012-03-30 11:56 - 0000000 ____D C:\Program Files\iPod

2012-03-30 11:56 - 2010-06-01 13:54 - 0000000 ____D C:\Program Files\Common Files\Apple

2012-03-30 04:39 - 2012-05-11 17:21 - 0914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-03-29 09:21 - 2012-03-29 09:21 - 313700803 ____A C:\Windows\MEMORY.DMP

2012-03-29 09:21 - 2012-03-29 09:21 - 0144744 ____A C:\Windows\Minidump\Mini032912-01.dmp

2012-03-29 09:21 - 2012-03-29 09:21 - 0000000 ____D C:\Windows\Minidump

2012-03-29 05:39 - 2012-05-11 17:21 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys

2012-03-28 06:07 - 2011-04-13 15:53 - 0000861 ____A C:\Users\Public\Desktop\VLC media player.lnk

2012-03-20 18:44 - 2012-03-20 18:44 - 0171064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys

2012-03-20 18:44 - 2012-03-20 18:44 - 0074112 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys

2012-03-20 15:28 - 2012-05-11 17:21 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

2012-03-15 09:25 - 2012-01-22 06:32 - 0008518 ____A C:\Users\Crys\Documents\Car Loan.xlsx

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe

[2009-04-11 05:18] - [2012-06-07 11:52] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%

Total physical RAM: 3026.43 MB

Available physical RAM: 2715.68 MB

Total Pagefile: 2925.83 MB

Available Pagefile: 2793.29 MB

Total Virtual: 2047.88 MB

Available Virtual: 1980.93 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:102.87 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: () (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32

4 Drive x: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.69 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 233 GB 0 B

Disk 1 Online 3827 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 39 MB 32 KB

Partition 2 Primary 15 GB 40 MB

Partition 3 Primary 218 GB 15 GB

======================================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 X RECOVERY NTFS Partition 15 GB Healthy Boot

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C OS NTFS Partition 218 GB Healthy

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3827 MB 16 KB

======================================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 E FAT32 Removable 3827 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-03 09:49

======================= End Of Log ==========================

gringo_pr · June 12, 2012

greetings

I wan tyou to do a system restore to before the restarting happened and let me know how it goes

gringo

zia16sun · June 12, 2012

Interesting. I'd already tried running that multiple ways (prior to searching forums) and was advised each time that System Restore could not run. However, after installing the Farbar Recovery Scan Tool (FRST) http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/, I was able to get System Restore to run and I have restored it to before the rebooting started. The system now stays booted (thank goodness), and I have run another full Malwarebytes scan to see what Trojans may still be lurking. The scan only revealed Rootkit.0Access and Trojan.Small remaining. I quarantined those, ran another quick scan and received notice that no malicious files were found! No chance it's safe to say we're clear and I can complete her system cleanup and give it back?

gringo_pr · June 12, 2012

Hello

Not yet if we work together most likely tommorow

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

zia16sun · June 12, 2012

I continued to experience system sieze ups and general "chugging" when trying to disable the anti-virus and malware programs, which wouldn't allow the updated ComboFix to even start, so I ended up going into her msconfig to disable unneccessary startup helper files and whatnot. Rebooting following that adjustment proved much more fruitful, and I was able to successfully ensure the anti-virus/malware programs were disabled prior and start the Combo Fix from the desktop. It ran without error, and the log is as follows:

ComboFix 12-06-12.01 - Crys 06/12/2012 13:57:28.1.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3026.1676 [GMT -6:00]

Running from: c:\users\Crys\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\DFR522D.tmp

c:\program files\Search Toolbar

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\SearchToolbarUpdater.exe

c:\users\Crys\AppData\Local\assembly\tmp

c:\windows\system32\test

c:\windows\XSxS

.

((((((((((((((((((((((((( Files Created from 2012-05-12 to 2012-06-12 )))))))))))))))))))))))))))))))

.

2012-06-12 20:05 . 2012-06-12 20:05 -------- d-----w- c:\users\Crys\AppData\Local\temp

2012-06-07 19:37 . 2012-06-07 23:51 -------- d-----w- C:\FRST

2012-06-03 17:27 . 2012-06-03 17:28 -------- d-----w- c:\program files\Microsoft Security Client

2012-06-03 00:31 . 2012-06-05 17:19 -------- d-----w- c:\users\Crys\AppData\Local\LogMeIn Rescue Applet

2012-05-30 19:59 . 2012-05-30 19:59 4966600 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-12 19:49 . 2010-04-13 03:43 0 ----a-w- c:\users\Crys\AppData\Local\WavXMapDrive.bat

2012-05-05 00:46 . 2012-03-29 15:24 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-05 00:46 . 2011-05-15 19:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 21:56 . 2010-04-13 04:15 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-03 08:16 . 2012-05-12 01:20 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16 . 2012-05-12 01:20 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-02 13:36 . 2012-05-12 01:20 2044928 ----a-w- c:\windows\system32\win32k.sys

2012-03-30 12:39 . 2012-05-12 01:21 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-03-29 13:39 . 2012-05-12 01:21 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

2012-03-20 23:28 . 2012-05-12 01:21 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"

[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]

2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"

[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]

2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-14 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-01 458844]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-27 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-27 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-27 150552]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-01-05 147328]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-12-10 1327392]

TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2009-11-24 132456]

WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]

WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk

backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Crys^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\Crys\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2010-09-23 00:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2011-09-07 22:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 03:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

2009-10-22 20:01 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2009-02-27 01:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2012-03-27 11:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2012-04-04 21:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2012-04-04 21:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2009-02-05 02:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 20:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QwestTouchPointAgent]

2010-08-27 04:59 45992 ----a-w- c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2012-04-05 17:41 17356424 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2010-08-14 20:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USCService]

2010-01-06 01:23 34232 ----a-w- c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 00:46]

.

2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 20:20]

.

2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 20:20]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

LSP: c:\windows\system32\wpclsp.dll

TCP: DhcpNameServer = 8.8.8.8 208.67.222.222

FF - ProfilePath - c:\users\Crys\AppData\Roaming\Mozilla\Firefox\Profiles\n23jy6lj.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-Symantec Antvirus

AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-06-12 14:05

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(672)

c:\windows\system32\wvauth.dll

.

Completion time: 2012-06-12 14:08:44

ComboFix-quarantined-files.txt 2012-06-12 20:08

.

Pre-Run: 109,341,155,328 bytes free

Post-Run: 111,279,955,968 bytes free

.

- - End Of File - - 5892E6D574554FC10F5A7486A31A8A3F

The system seems to be running well now. Menus open quickly, no apparent excessive delays, though I am noticing that right clicking on items or opening MS Word will start Symantic Endpoint Protection and that "configuring screen" stalls approximately 3/4 through gathering information. Symantec is one of the items they uninstalled when attempting to repair the system prior to bringing it to me. It is possible the file was corrupt prior to their uninstalling it, but regardless, the system restore was unable to fully restore it. We're not huge fans of it due to system resource hogging, so would be happy going AVG, but I wanted to be sure you knew of this aspect of things. Thanks.

gringo_pr · June 13, 2012

Greetings

instead of AVG I would go with MSE

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

zia16sun · June 15, 2012

Status update:

I had issues getting ComboFix to run again with the CFScript, and suspected the the continually controlling/hanging up Symantec Endpoint Protection as the culprit, so I stripped it off the computer entirely as instructed on their site, ran CCleaner to ensure I got all registry entries removed, and was then able to run ComboFix with the script successfully. Other than having to reinstall the driver for the wireless card (that the system still remembered, but the adapter forgot), that removal caused no apparent issues and eliminated all hangup, bogging issues. I then installed MSE, updated it, and ran a full system scan. That scan revealed Sirefef still on the system (Sirefef.AK, Sirefef.AM, Sirefef.AG, Sirefef.AB and Sirefef), but it appears to me it was finding them primarily in a quarantine file, though one location was not in quarantine:

C:\Qoobox\Quarantine\C\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\80000032.@.vir

C:\Qoobox\Quarantine\C\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\00000008.@.vir

C:\Qoobox\Quarantine\C\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\80000000.@.vir

C:\Qoobox\Quarantine\C\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\n.vir

C:\Users\Crys\AppData\Local\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\n

C:\Qoobox\Quarantine\C\Windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\000000cb.@.vir

I had MSE remove the threats (I'm assuming they're probably still in a quarantine somewhere), and ran a Malwarebytes full system scan, which turned up nothing.

Overall, the system itself seems to be running superbly without SEP, and I haven't found any other apparent issues needing attention (other than the ongoing presence of Sirefef, of course). The log from last night's ComboFix with script run (from after SEP was fully stripped and cleaned off, but before MSE installation) is below:

ComboFix 12-06-12.01 - Crys 06/13/2012 22:26:52.2.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3026.1914 [GMT -6:00]

Running from: c:\users\Crys\Desktop\ComboFix.exe

Command switches used :: c:\users\Crys\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\@

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L\00000004.@

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\L\1afb2d56

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\n

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\00000004.@

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\00000008.@

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\000000cb.@

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\80000000.@

c:\windows\Installer\{6c775b8e-da9e-3b7e-11d1-48d7a5960d50}\U\80000032.@

.

((((((((((((((((((((((((( Files Created from 2012-05-14 to 2012-06-14 )))))))))))))))))))))))))))))))

.

2012-06-14 04:35 . 2012-06-14 04:35 -------- d-----w- c:\users\Crys\AppData\Local\temp

2012-06-14 04:35 . 2012-06-14 04:35 -------- d-----w- c:\users\Michael\AppData\Local\temp

2012-06-14 04:35 . 2012-06-14 04:35 -------- d-----w- c:\users\Guest\AppData\Local\temp

2012-06-14 04:35 . 2012-06-14 04:35 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-14 00:28 . 2012-05-15 07:43 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66F32AC3-6E9B-4243-8BDD-F8417C9C0D5A}\mpengine.dll

2012-06-13 01:07 . 2012-06-13 01:07 -------- d-----w- c:\windows\Sun

2012-06-07 19:37 . 2012-06-07 23:51 -------- d-----w- C:\FRST

2012-06-03 17:27 . 2012-06-03 17:28 -------- d-----w- c:\program files\Microsoft Security Client

2012-06-03 00:31 . 2012-06-05 17:19 -------- d-----w- c:\users\Crys\AppData\Local\LogMeIn Rescue Applet

2012-05-30 19:59 . 2012-05-30 19:59 4966600 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-14 04:22 . 2010-04-13 03:43 0 ----a-w- c:\users\Crys\AppData\Local\WavXMapDrive.bat