Jump to content


Photo
- - - - -

Trojan.Agent, Trojan:DOS/Alureon.A, Virus Win64/Sirefef.A, Rootkit.0Access, Trojan.0Access

Trojan.Agent Trojan.0Access Rootkit.0Access Trojan:DOS/Alureon.A Virus:Win64/Sirefef.A

  • This topic is locked This topic is locked
47 replies to this topic

#21 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 09 October 2012 - 11:48 AM

It worked this time. It appears the copying from the quote box on my first attempt didn't maintain the line breaks, though I did have to remove an extra space from the beginning of each line to ensure it was entered "exactly" as shown - which may have been a result of your reiterating the line breaks on the script.

Regardess, the latest OTL log:

All processes killed
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}\ not found.
File C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}\ not found.
File C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg32.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}\ not found.
File C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{4b9bcce8-a70b-402a-a7e1-db96831ee26f} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Trend Micro Client Framework not found.
File C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe not found.
Registry value HKEY_USERS\S-1-5-21-3166742874-2454003993-314893025-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AROReminder deleted successfully.
C:\Program Files (x86)\ARO 2012\ARO.exe moved successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
File Protocol\Handler\livecall - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
File Protocol\Handler\msnim - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
File Protocol\Handler\wlmailhtml - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ deleted successfully.
File Protocol\Handler\wlpg - No CLSID value found not found.
File C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe64.dll not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tmbp\ not found.
File C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe64.dll not found.
File C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tmpx\ not found.
File C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll not found.
File C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tmbp\ not found.
File C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll not found.
File C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg32.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tmpx\ not found.
File C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg32.dll not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22C7F6C6-8D67-4534-92B5-529A0EC09405}\ not found.
File C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1504\6.6.1088\firefoxextension\ not found.
Service NAVENG stopped successfully!
Service NAVENG deleted successfully!
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20121003.032\eng64.sys moved successfully.
Error: Unable to stop service IDSVia64!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDSVia64 deleted successfully.
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20121003.001\IDSviA64.sys moved successfully.
Service BHDrvx64 stopped successfully!
Service BHDrvx64 deleted successfully!
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120919.001\BHDrvx64.sys moved successfully.
Service eeCtrl stopped successfully!
Service eeCtrl deleted successfully!
C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys moved successfully.
Error: No service named N360 was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\N360 deleted successfully.
C:\Program Files (x86)\Norton Security Suite\Engine\6.3.0.14\ccsvchst.exe moved successfully.
Error: Unable to stop service SymEvent!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent deleted successfully.
C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS moved successfully.
Service SRTSP stopped successfully!
Service SRTSP deleted successfully!
C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtsp64.sys moved successfully.
Error: Unable to stop service SRTSPX!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSPX deleted successfully.
C:\Windows\SysNative\drivers\N360x64\0603000.00E\srtspx64.sys moved successfully.
Service ccSet_N360 stopped successfully!
Service ccSet_N360 deleted successfully!
C:\Windows\SysNative\drivers\N360x64\0603000.00E\ccsetx64.sys moved successfully.
Service NAVEX15 stopped successfully!
Service NAVEX15 deleted successfully!
C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20121003.032\ex64.sys moved successfully.
Error: Unable to stop service SymEFA!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEFA deleted successfully.
C:\Windows\SysNative\drivers\N360x64\0603000.00E\symefa64.sys moved successfully.
Error: Unable to stop service SymDS!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymDS deleted successfully.
C:\Windows\SysNative\drivers\N360x64\0603000.00E\symds64.sys moved successfully.
No active process named ARO.exe was found!
No active process named uiWinMgr.exe was found!
Error: No service named Amsp was found to stop!
Service\Driver key Amsp not found.
File C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ARO 2012 folder moved successfully.
C:\Program Files (x86)\ARO 2012 folder moved successfully.
C:\Users\Gator\AppData\Roaming\xsecva folder moved successfully.
Error: No service named tmcomm was found to stop!
Service\Driver key tmcomm not found.
File C:\Windows\SysNative\drivers\tmcomm.sys not found.
Error: No service named tmtdi was found to stop!
Service\Driver key tmtdi not found.
File C:\Windows\SysNative\drivers\tmtdi.sys not found.
Error: No service named tmactmon was found to stop!
Service\Driver key tmactmon not found.
File C:\Windows\SysNative\drivers\tmactmon.sys not found.
Error: No service named tmevtmgr was found to stop!
Service\Driver key tmevtmgr not found.
File C:\Windows\SysNative\drivers\tmevtmgr.sys not found.
========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Gator
->Java cache emptied: 1128 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 41044 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gator
->Temp folder emptied: 4939983 bytes
->Temporary Internet Files folder emptied: 37212497 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1066 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 278675703 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36045667 bytes
RecycleBin emptied: 635876974 bytes

Total Files Cleaned = 947.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Gator
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10092012_102806
Files\Folders moved on Reboot...
C:\Users\Gator\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Gator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BRUKK2TL\fastbutton[1].htm moved successfully.
C:\Users\Gator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BHNKRS7S\index[1].htm moved successfully.
C:\Users\Gator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6CAGPFH7\EFpQQyG9GqCrobXxL-KRMWzklk6MJbhg7BmBP42CjCQ[1].eot moved successfully.
C:\Users\Gator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6CAGPFH7\s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM[1].eot moved successfully.
C:\Users\Gator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Gator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

#22 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 09 October 2012 - 12:14 PM

OK, looks good > anything else?? MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#23 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 09 October 2012 - 12:23 PM

Not that I can identify right off. On to system security check/updates?

#24 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 09 October 2012 - 12:26 PM

Yes...........


Download Security Check by screen317 from HERE or HERE.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#25 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 09 October 2012 - 12:53 PM

Results of screen317's Security Check version 0.99.51
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Norton Security Suite
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
Java 7 Update 7
Adobe Flash Player 11.4.402.287
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````

#26 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 09 October 2012 - 01:25 PM

OK, you see what has to be done..right, MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#27 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 09 October 2012 - 01:39 PM

Yep...and it appears I'm again running into the ZA issues that I found here with the firewall being "broken", etc., so with your blessing, I'll proceed with those steps to resolve the issue and report when completed? Obviously, I welcome any other suggestions, etc...

#28 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 09 October 2012 - 01:58 PM

We can do it like this..............

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#29 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 09 October 2012 - 02:18 PM

I like that much better than manually fixing registry issues that ZA caused. Tools=muy bueno.

Farbar Service Scanner Version: 07-10-2012
Ran by Gator (administrator) on 09-10-2012 at 13:15:02
Running from "C:\Users\Gator\Downloads"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-16 20:08] - [2011-12-27 21:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-24 17:33] - [2012-03-30 05:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 18:09] - [2009-07-13 19:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 17:36] - [2009-07-13 19:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-09-24 17:33] - [2012-04-23 23:59] - 0182272 ____A (Microsoft Corporation) F02786B66375292E58C8777082D4396D
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

#30 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 09 October 2012 - 02:34 PM

Download all of these reg files to your desktop
Then double click on each one and allow it to merge into the registry
Reboot and rescan with FSS and post the new log, MrC

http://download.blee...es/7/MpsSvc.reg

http://download.blee...vices/7/BFE.reg

http://download.blee...es/7/wscsvc.reg

http://download.blee.../7/wuauserv.reg

http://download.blee...ices/7/BITS.reg

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#31 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 09 October 2012 - 03:53 PM

Getting warmer. Right after the reboot from merging those into the registry, Windows Update started instantly and brougt in 35 updates (including SP1).

Looks like Windows Defender is still having difficulty:

New Farbar scan:

Farbar Service Scanner Version: 07-10-2012
Ran by Gator (administrator) on 09-10-2012 at 14:50:34
Running from "C:\Users\Gator\Downloads"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-16 20:08] - [2011-12-27 21:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-24 17:33] - [2012-03-30 05:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 18:09] - [2009-07-13 19:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 17:36] - [2009-07-13 19:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-10-09 14:02] - [2012-06-01 23:25] - 0182272 ____A (Microsoft Corporation) BAF19B633933A9FB4883D27D66C39E9A
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

#32 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 09 October 2012 - 05:54 PM

WinDefend Service > leave this disabled

Check to see that these services are enabled:
Windows Security Center(WSCSVC)

1. Click Start, type Services.msc in Start Search bar, and then press Enter.
2. In the right pane, double-click Security Center.
3. In the Startup type list, click Automatic, click Apply, click Start, and then click OK.
4. Restart the computer.

Same for:
Windows Update (wuauserv Service)


Make sure system restore is enabled also:
System Restore Disabled Policy:

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#33 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 10 October 2012 - 01:22 PM

Done.

Showing new security log and FSS log to confirm nothing else needs attention from your POV.

Results of screen317's Security Check version 0.99.51
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
Java 7 Update 7
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 5%
````````````````````End of Log``````````````````````


Farbar Service Scanner Version: 07-10-2012
Ran by Gator (administrator) on 10-10-2012 at 11:44:28
Running from "C:\Users\Gator\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of WinDefend. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of WinDefend. The value does not exist.
Unable to retrieve ServiceDll of WinDefend. The value does not exist.


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-10-09 14:02] - [2012-06-01 23:41] - 0184320 ____A (Microsoft Corporation) 9C01375BE382E834CC26D1B7EAF2C4FE

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#34 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 10 October 2012 - 01:26 PM

Looks Good > how is it??? MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#35 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 10 October 2012 - 03:52 PM

Almost perfect. The only thing I'm seeing now is something still possibly hiding in IE and causing it to run at a dinosaur's pace. I've confirmed it's not a connection lag issue, nor does the issue occur in Firefox, so I suspected the earlier removal of the IE controlling Babylon left some bits and pieces that were still trying (unsuccessfully) to control IE's behavior. I tried uninstalling IE9 and reinstalling it thinking it would connect all the dots again, but now IE 9 will not reinstall at all. Using the Microsoft Fixit tool showed a few problems with Windows Update that it thought may be causing the install to fail, but after resolving those issues, the install still fails. I've noticed IE8 also lags considerably when going from page to page (using links, etc.), so it's an overall IE issue - not just for IE9.

#36 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 10 October 2012 - 06:19 PM

Run another scan with RogueKiller and Listpart64 > post the new logs, MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#37 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 10 October 2012 - 07:15 PM

RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Gator [Admin rights]
Mode : Scan -- Date : 10/10/2012 18:12:33

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 83873ddecb8ada92393ead1bd6461c40
[BSP] 29c6e6ea19b9e653a532ba7f0f537374 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[8].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt



ListParts by Farbar Version: 02-10-2012
Ran by Gator (administrator) on 10-10-2012 at 18:12:01
Windows 7 (X64)
Running From: C:\Users\Gator\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 33%
Total physical RAM: 3894.68 MB
Available physical RAM: 2602.1 MB
Total Pagefile: 7787.56 MB
Available Pagefile: 6306.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:384.45 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 451 GB 14 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy Boot

======================================================================================================

****** End Of Log ******

#38 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 10 October 2012 - 07:31 PM

It looks OK, no sign of an infection > run the scan.....

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#39 zia16sun

zia16sun

    Regular Member

  • Honorary Members
  • PipPip
  • 74 posts
  • Gender:Female
  • Location:New Mexico

Posted 10 October 2012 - 10:13 PM

The log didn't seem to have anything useful (to me).

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

I also exported the scan results (which were surprising to me considering the tools we've run thus far found no issues):

C:\Program Files (x86)\Common Files\ZugoInstaller.exe Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\FrostWire 5\frostwire-installer.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_07.34.32\mbr0000\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_07.34.32\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_07.34.32\mbr0000\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_08.56.22\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_08.56.22\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_08.56.22\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\Users\Gator\.frostwire5\updates\frostwire-5.3.8.windows.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\Gator\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.0.8.windows.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\Gator\Desktop\avc-free.exe Win32/OpenCandy application cleaned by deleting - quarantined

#40 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,136 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 11 October 2012 - 07:46 AM

How is it?? MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew





Also tagged with one or more of these keywords: Trojan.Agent, Trojan.0Access, Rootkit.0Access, Trojan:DOS/Alureon.A, Virus:Win64/Sirefef.A

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users