ttansill

Members
  • Content count: 12
About ttansill

  • Rank
    New Member
  1. Thank you very much, MrCharlie. I know I wouldn't have fixed this by trial and error fixes that I researched on my own.

  2. That did it! Thank you so much for your help. I still have the COM Server error, but I'm pretty sure I can resolve that one and it's not a security risk like not having the Windows firewall running. -ttansill
  3. From what I can tell the Windows firewall still not starting and the 3 system event viewer errors (below) I've noticed during boot-up are the only problems that I am aware are left.

     The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

     The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

     The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
  4. Not sure why the HTML code was interjected in the last post. I did want to update that the last MBAM cleaning did fix the IE redirects.
  5. IE was still experiencing browser redirects. Ran MBAM and 4 objects were detected (3 associated with Trojan.RedirRdll3.Gen and 1 with Trojan.Happili). I rebooted and ran MBAM again and it is reporting clean now. I then ran CIntRep as instructed and rebooted, but still no working firewall. Getting the same error in System log as before concerning the firewall as well as these three errors that started the same time as the infection was discovered.

     The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

     The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

     The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
  6. I hear you about it getting late. Thank you for all your help thus far. Hopefully we can get the rest of this cleared up. I won't be back online to work on this until tomorrow evening.

     Farbar Service Scanner Version: 06-08-2012
     Ran by Shannon (administrator) on 19-08-2012 at 22:49:31
     Running from "C:\Users\Shannon\Desktop"
     Microsoft Windows 7 Home Premium Service Pack 1 (X64)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Yahoo IP is accessible.
     Yahoo.com is accessible.

     Windows Firewall:
     =============
     MpsSvc Service is not running. Checking service configuration:
     The start type of MpsSvc service is OK.
     The ImagePath of MpsSvc service is OK.
     The ServiceDll of MpsSvc service is OK.

     Firewall Disabled Policy:
     ==================

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Action Center:
     ============

     Windows Update:
     ============

     Windows Autoupdate Disabled Policy:
     ============================

     Windows Defender:
     ==============
     WinDefend Service is not running. Checking service configuration:
     The start type of WinDefend service is set to Demand. The default start type is Auto.
     The ImagePath of WinDefend service is OK.
     The ServiceDll of WinDefend service is OK.

     Windows Defender Disabled Policy:
     ==========================
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware"=DWORD:1

     Other Services:
     ==============

     File Check:
     ========
     C:\Windows\System32\nsisvc.dll => MD5 is legit
     C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
     C:\Windows\System32\dhcpcore.dll => MD5 is legit
     C:\Windows\System32\drivers\afd.sys => MD5 is legit
     C:\Windows\System32\drivers\tdx.sys => MD5 is legit
     C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
     C:\Windows\System32\dnsrslvr.dll => MD5 is legit
     C:\Windows\System32\mpssvc.dll => MD5 is legit
     C:\Windows\System32\bfe.dll => MD5 is legit
     C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
     C:\Windows\System32\SDRSVC.dll => MD5 is legit
     C:\Windows\System32\vssvc.exe => MD5 is legit
     C:\Windows\System32\wscsvc.dll => MD5 is legit
     C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
     C:\Windows\System32\wuaueng.dll => MD5 is legit
     C:\Windows\System32\qmgr.dll => MD5 is legit
     C:\Windows\System32\es.dll => MD5 is legit
     C:\Windows\System32\cryptsvc.dll => MD5 is legit
     C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
     C:\Windows\System32\ipnathlp.dll => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\rpcss.dll => MD5 is legit

     **** End of log ****
  7. Windows update is working now, but the Windows Firewall service will not start.

     Log Name: System
     Source: Service Control Manager
     Date: 8/19/2012 10:33:36 PM
     Event ID: 7024
     Task Category: None
     Level: Error
     Keywords: Classic
     User: N/A
     Computer: Shannon-Laptop
     Description:
     The Windows Firewall service terminated with service-specific error Access is denied..
     Event Xml:
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
         <EventID Qualifiers="49152">7024</EventID>
         <Version>0</Version>
         <Level>2</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x8080000000000000</Keywords>
         <TimeCreated SystemTime="2012-08-20T02:33:36.220126400Z" />
         <EventRecordID>154141</EventRecordID>
         <Correlation />
         <Execution ProcessID="500" ThreadID="592" />
         <Channel>System</Channel>
         <Computer>Shannon-Laptop</Computer>
         <Security />
       </System>
       <EventData>
         <Data Name="param1">Windows Firewall</Data>
         <Data Name="param2">%%5</Data>
       </EventData>
     </Event>
  8. Farbar Service Scanner Version: 06-08-2012
     Ran by Shannon (administrator) on 19-08-2012 at 21:54:39
     Running from "C:\Users\Shannon\Downloads"
     Microsoft Windows 7 Home Premium Service Pack 1 (X64)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Yahoo IP is accessible.
     Yahoo.com is accessible.

     Windows Firewall:
     =============
     mpsdrv Service is not running. Checking service configuration:
     The start type of mpsdrv service is OK.
     The ImagePath of mpsdrv service is OK.

     MpsSvc Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
     Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
     Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

     Firewall Disabled Policy:
     ==================

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Action Center:
     ============

     Windows Update:
     ============
     BITS Service is not running. Checking service configuration:
     Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
     The ImagePath of BITS service is OK.
     The ServiceDll of BITS service is OK.

     Windows Autoupdate Disabled Policy:
     ============================

     Windows Defender:
     ==============
     WinDefend Service is not running. Checking service configuration:
     The start type of WinDefend service is set to Demand. The default start type is Auto.
     The ImagePath of WinDefend service is OK.
     The ServiceDll of WinDefend service is OK.

     Windows Defender Disabled Policy:
     ==========================
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware"=DWORD:1

     Other Services:
     ==============

     File Check:
     ========
     C:\Windows\System32\nsisvc.dll => MD5 is legit
     C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
     C:\Windows\System32\dhcpcore.dll => MD5 is legit
     C:\Windows\System32\drivers\afd.sys => MD5 is legit
     C:\Windows\System32\drivers\tdx.sys => MD5 is legit
     C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
     C:\Windows\System32\dnsrslvr.dll => MD5 is legit
     C:\Windows\System32\mpssvc.dll => MD5 is legit
     C:\Windows\System32\bfe.dll => MD5 is legit
     C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
     C:\Windows\System32\SDRSVC.dll => MD5 is legit
     C:\Windows\System32\vssvc.exe => MD5 is legit
     C:\Windows\System32\wscsvc.dll => MD5 is legit
     C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
     C:\Windows\System32\wuaueng.dll => MD5 is legit
     C:\Windows\System32\qmgr.dll => MD5 is legit
     C:\Windows\System32\es.dll => MD5 is legit
     C:\Windows\System32\cryptsvc.dll => MD5 is legit
     C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\rpcss.dll => MD5 is legit

     **** End of log ****
  9. No objects detected for deletion by MBAM. I have attached the report for the latest quick scan. I had to re-install one piece of software and Microsoft Security Essentials. Windows updates is not working, nor can I turn the Windows firewall back on. It's like I've lost some administrative permissions. These were not the symptoms my wife was experiencing. She discovered a problem when she was doing a Google search and when she clicked on a link in the search it would bring up an ad/malware looking site/pop-up. -ttansill mbam-log-2012-08-19 (20-46-28).txt
  10. Things are already looking better because when I ran Combofix earlier today, trying to fix this with my limited skills, I would get a BSOD before it ever entered a scan. The ComboFix.txt file is attached. -ttansill ComboFix.txt
  11. The report from TDSSKiller (only 143KB in size) is attached. -ttansill TDSSKiller.2.8.6.0_19.08.2012_19.44.33_log.txt
  12. MrCharlie: The report from RogueKiller is attached. -ttansill RKreport1.txt
  13. DDS and Attach are attached. Thanks in advance for your help. -ttansill Attach.txt DDS.txt