Please help with Win32:Sirefef-ZT [trj]

Hi all!

Brand new, and registered because I’ve caught Win32:Sirefef-ZT [trj] according to the last Avast Scan. Avast’s File System Shield also claims that I have a Win32:trojan-gen and Win32:ZAccess-IJ. I also had AVG on the system for a while and it kept claiming that Patched.A was on the system.

I have no idea whether these are all separate, linked together or what–but I know it all hit within the last day. Exactly -how- I have absolutely no idea, as I’m paranoid about sites.

But I’ve tried the obvious (boot scans, deep scans), so I’m sure I will need to post logs and run programs at y’alls requests. But please, please help.

Thanks!

Hi Storyteller

Welcome to the forums

Follow this guide and attach (not copy and paste) the requested logs

forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR
farbar service scanner

Then help will arrive later today

Anthony

Live link to the logs required http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Okay. I believe I have run and attached everything correctly.

However, as this forum only lets me attach 4 things, I’m going to do it in two posts. I’m also a little unclear (based on the thread people linked me to) whether it was all supposed to be attached or if some was supposed to be pasted. So I’ll attach everything and then post what that thread said to copy/paste.

If I’ve done something wrong, I will update as needed.

So this post includes the AdwCleaner and Malwarebytes attached, with the Malwarebytes also pasted below:

ST


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.11.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Admin :: DAVROS [administrator]

9/11/2012 3:07:48 AM
mbam-log-2012-09-11 (03-07-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224415
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}\U\80000000.@ (Rootkit.0Access.64) → Quarantined and deleted successfully.

(end)


Hi, the OTL log will be the main analysis tool; once it is posted I will craft a fix.

Okay, file too large. Posting everything else one at a time.

OTL file.

Extras.

aswMBR attached and farbar service scanner posted below.


Farbar Service Scanner Version: 06-08-2012
Ran by Admin (administrator) on 11-09-2012 at 05:01:37
Running from “C:\Users\Admin\Desktop”
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Action Center:

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:

wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:

Windows Defender:

WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
“DisableAntiSpyware”=DWORD:1

Other Services:

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:

C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
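The FSS log above reports two different failure states: services whose registry key is gone entirely (MpsSvc, bfe, wscsvc, wuauserv, BITS, WinDefend) and one whose key still exists but has lost its values (SharedAccess), plus the "DisableAntiSpyware"=DWORD:1 policy value. The PowerShell below is an added example written for this thread, not code from the thread or from Farbar Service Scanner; it re-checks those same items read-only on the local machine and assumes the standard HKLM\SYSTEM\CurrentControlSet\Services layout.

```powershell
# Added example (not from the thread and not Farbar Service Scanner's own code):
# a read-only PowerShell re-check of what the FSS log above reports, namely
# whether each listed service still has its registry key, whether that key still
# holds its Start and ImagePath values, and whether the Windows Defender
# DisableAntiSpyware policy value is set. Nothing here modifies the registry.

$ServiceNames = @(
    'mpsdrv', 'MpsSvc', 'bfe',   # Windows Firewall (driver, service, Base Filtering Engine)
    'wscsvc',                    # Action Center / Security Center
    'wuauserv', 'BITS',          # Windows Update
    'WinDefend',                 # Windows Defender
    'SharedAccess'               # Internet Connection Sharing
)

function Test-ServiceKey {
    param([Parameter(Mandatory = $true)][string]$Name)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result  = [ordered]@{
        Service    = $Name
        KeyExists  = $false
        Start      = $null
        ImagePath  = $null
        ServiceDll = $null
        Status     = 'KEY MISSING'   # the state FSS reported for MpsSvc, bfe, ... above
    }

    if (Test-Path -LiteralPath $keyPath) {
        $result.KeyExists = $true
        $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
        $result.Start     = $props.Start
        $result.ImagePath = $props.ImagePath

        # svchost-hosted services keep ServiceDll under the Parameters subkey;
        # a kernel driver such as mpsdrv legitimately has none.
        $paramsPath = Join-Path $keyPath 'Parameters'
        if (Test-Path -LiteralPath $paramsPath) {
            $result.ServiceDll = (Get-ItemProperty -LiteralPath $paramsPath -ErrorAction SilentlyContinue).ServiceDll
        }

        if ($null -eq $result.Start -or $null -eq $result.ImagePath) {
            $result.Status = 'VALUES MISSING'   # the SharedAccess state in the log
        } else {
            $result.Status = 'OK'
        }
    }
    [pscustomobject]$result
}

$results = $ServiceNames | ForEach-Object { Test-ServiceKey -Name $_ }
$results | Format-Table Service, KeyExists, Start, ImagePath, ServiceDll, Status -AutoSize

# Defender policy value the log shows as "DisableAntiSpyware"=DWORD:1
$defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$disable = (Get-ItemProperty -LiteralPath $defenderKey -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($disable -eq 1) {
    Write-Warning "DisableAntiSpyware is set to 1 under $defenderKey"
}

$broken = $results | Where-Object { $_.Status -ne 'OK' }
if ($broken) {
    Write-Warning ("Service keys needing repair: " + (($broken | ForEach-Object { $_.Service }) -join ', '))
}
```

Run it from an elevated PowerShell. KEY MISSING means the whole service key has to be re-created, which is what merging a service .reg file does; VALUES MISSING means the key survived but its Start and ImagePath values did not, which is the SharedAccess state shown in the log.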

This should get the majority in one go

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
[2011/12/25 13:32:51 | 000,001,516 | -HS- | C] () -- C:\Users\Admin\AppData\Local\47yei07465b2kg156550643h
[2011/12/25 13:32:51 | 000,001,516 | -HS- | C] () -- C:\ProgramData\47yei07465b2kg156550643h
@Alternate Data Stream - 172 bytes -> C:\Users\Admin\Documents\letter.tiff:3or4kl4x13tuuug3Byamue2s4b

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 

:Files
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}
C:\Windows\assembly\GAC_32\Desktop.ini 
C:\Windows\assembly\GAC_64\Desktop.ini 
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

FINALLY

Download the zip file from the link below to your desktop
https://dl.dropbox.com/u/73555776/Storyteller.zip
Extract all seven reg files to the desktop
Double click each in turn and allow to merge

Okay. Here’s the outcomes step by step.

  1. Did the OTL Custom Scan and Quick Scan. Log is attached.
  2. Did Rogue Killer Scan. Here is the report:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan – Date : 09/11/2012 09:51:55

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[Services][ROGUE ST] HKLM\[…]\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) → FOUND
[Services][ROGUE ST] HKLM\[…]\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) → FOUND
[TASK][SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} : "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" → FOUND
[PROXY IE] HKCU\[…]\Internet Settings : ProxyServer (91.103.185.182:80) → FOUND
[HJ DESK] HKCU\[…]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ DESK] HKCU\[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ DESK] HKLM\[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ DESK] HKLM\[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ INPROC][ZeroAccess] HKCR\[…]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) → FOUND
[HJ INPROC][ZeroAccess] HKCR\[…]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) → FOUND
[HJ INPROC][ZeroAccess] HKLM\[…]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini → FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini → FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\@ → FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\@ → FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\U → FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\U → FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\L → FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\L → FOUND
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe → FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
— User —
[MBR] d760bca64d2df6e3d9c8275abccfc747
[BSP] 7752497b2ef9e0758957a6d617e08907 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

  3. Did the Delete. It did ask for a reboot in the process. Have no idea if it should have or not. Here is the report:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Remove – Date : 09/11/2012 09:55:19

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[Services][ROGUE ST] HKLM\[…]\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) → DELETED
[Services][ROGUE ST] HKLM\[…]\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) → DELETED
[TASK][SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} : "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" → DELETED
[PROXY IE] HKCU\[…]\Internet Settings : ProxyServer (91.103.185.182:80) → NOT REMOVED, USE PROXYFIX
[HJ DESK] HKCU\[…]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)
[HJ DESK] HKCU\[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)
[HJ DESK] HKLM\[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ DESK] HKLM\[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[…]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) → REPLACED (C:\Windows\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[…]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) → REPLACED (C:\Windows\system32\wbem\fastprox.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini → REMOVED AT REBOOT
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini → REMOVED AT REBOOT
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\@ → REMOVED
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\@ → REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\U → REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\U → REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\L → REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\L → REMOVED
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe → REPLACED AT REBOOT (C:\Windows\winsxs\amd64_microsoft-windows-s…s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe)

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
— User —
[MBR] d760bca64d2df6e3d9c8275abccfc747
[BSP] 7752497b2ef9e0758957a6d617e08907 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR!
User = LL1 … OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR!
User = LL1 … OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
Error reading User MBR!
User = LL1 … OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR!
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

  4. Then I ran the Fix Shortcuts. Report below:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Shortcuts HJfix – Date : 09/11/2012 10:02:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 653 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 8 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 2408 / Fail 0
My documents: Success 1879 / Fail 1879
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 889 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 150 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume3 – 0x3 → Restored
[D:] \Device\HarddiskVolume2 – 0x3 → Restored
[E:] \Device\CdRom0 – 0x5 → Skipped
[F:] \Device\HarddiskVolume4 – 0x2 → Restored
[G:] \Device\HarddiskVolume5 – 0x2 → Restored
[H:] \Device\HarddiskVolume6 – 0x2 → Restored
[I:] \Device\HarddiskVolume7 – 0x2 → Restored
[J:] \Device\CdRom1 – 0x5 → Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Last, I downloaded the zip file and extracted to the desktop.

Each time I double clicked the file, it warned me that “Adding information can unintentionally change or delete values and cause components to stop working correctly. If you do not trust the source of this information in (location/file I’d double-clicked), do not add it to the registry.”

It then asked me if I wanted to continue. I said yes and it said that each was successfully added to the registry EXCEPT for one file:
SharedAccess.reg

When I said yes to that one, it gave an error:
Cannot import C:\Users\Admin\Desktop\SharedAccess.reg: Error accessing the registry.

So that’s what I’ve done. :slight_smile:
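The RogueKiller reports and the OTL fix above name a consistent set of ZeroAccess artifacts: the per-SID payload folder under $Recycle.Bin with its @ file and U and L subfolders, the Desktop.ini files in GAC_32 and GAC_64, the Windows\Installer\{guid}\U folder of .@ files from the Malwarebytes log, CLSID InprocServer32 defaults redirected into $Recycle.Bin, and the Internet Explorer proxy entry. The PowerShell below is an added example written for this thread, not RogueKiller's or OTL's code; it audits those locations read-only and only reports what it finds. It matches the payload folder by shape (a '$' followed by 32 hex characters) rather than the exact value in the report, so it generalises to other hosts, and it assumes the standard $env:SystemDrive and $env:windir locations.

```powershell
# Added example, not from the thread and not RogueKiller's or OTL's own code: a
# read-only audit for the ZeroAccess artifacts named in the reports above.
# It only reports; it deletes and changes nothing.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. $Recycle.Bin\<SID>\$<32 hex>\ with the '@' file and the 'U' / 'L' folders
$recycleBin = Join-Path $env:SystemDrive '$Recycle.Bin'
Get-ChildItem -LiteralPath $recycleBin -Directory -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    Get-ChildItem -LiteralPath $_.FullName -Directory -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -match '^\$[0-9a-f]{32}$' } |
      ForEach-Object {
        $findings.Add("Recycle.Bin payload folder: $($_.FullName)")
        foreach ($child in '@', 'U', 'L') {
            $p = Join-Path $_.FullName $child
            if (Test-Path -LiteralPath $p) { $findings.Add("  contains: $p") }
        }
      }
  }

# 2. Desktop.ini in the GAC folders (OTL ":Files" and RK "[ZeroAccess][FILE]" entries)
foreach ($gac in 'GAC_32', 'GAC_64') {
    $p = Join-Path $env:windir "assembly\$gac\Desktop.ini"
    if (Test-Path -LiteralPath $p) { $findings.Add("GAC Desktop.ini: $p") }
}

# 3. Windows\Installer\{guid}\U holding *.@ files (the Malwarebytes detections).
#    Legitimate MSI cache folders exist here too; only a U subfolder of .@ files is reported.
Get-ChildItem -LiteralPath (Join-Path $env:windir 'Installer') -Directory -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
  ForEach-Object {
    $u = Join-Path $_.FullName 'U'
    if (Test-Path -LiteralPath $u) {
        $at = @(Get-ChildItem -LiteralPath $u -Filter '*.@' -Force -ErrorAction SilentlyContinue)
        if ($at.Count -gt 0) { $findings.Add("Installer payload folder: $u ($($at.Count) .@ files)") }
    }
  }

# 4. CLSID InprocServer32 defaults that point into $Recycle.Bin (RK "[HJ INPROC]").
#    Both the machine-wide and the per-user Classes hives are walked, as the OTL fix
#    touched an HKCU CLSID as well.
foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = $_.PSPath + '\InprocServer32'
        if (Test-Path -LiteralPath $inproc) {
            $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match '\$Recycle\.Bin') {
                $findings.Add("InprocServer32 hijack: $($_.PSChildName) -> $server")
            }
        }
    }
}

# 5. Internet Explorer proxy (RK "[PROXY IE]"). A configured proxy is not proof of
#    anything on its own, so it is listed for review rather than judged.
$ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($ie.ProxyServer) { $findings.Add("IE proxy set: $($ie.ProxyServer) (ProxyEnable=$($ie.ProxyEnable))") }

if ($findings.Count -eq 0) { 'None of the listed artifacts were found.' } else { $findings }
```

Run it elevated so the per-SID folders under $Recycle.Bin are readable. The CLSID walk is the slow part (the machine-wide hive holds thousands of keys) but it is the check that catches the persistence the reports describe, since the hijacked InprocServer32 entries are what load the payload from $Recycle.Bin.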

OK looks like RK did a nice job

Let's check out Shared Access

run farbar service scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Okay done. Here’s the log–by the way, should I be worried that when it tried to check the Shared Access service, it ran into trouble–the same thing that I hit an error on with the reg files?


Farbar Service Scanner Version: 06-08-2012
Ran by Admin (administrator) on 11-09-2012 at 12:13:15
Running from “C:\Users\Admin\Desktop”
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Action Center:

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

Windows Defender:

WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
“DisableAntiSpyware”=DWORD:1

Other Services:

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.

File Check:

C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

OK we will have to run a repair

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Okay, done with that.

Anything else I need to run/check to make sure that it’s all sorted?

It just remains for you to tell me of any outstanding problems before I remove my tools ;D

I -think- everything’s fixed. I’m not seeing anymore alerts from Avast and the browser isn’t redirecting any more. So I -think- it’s cleared.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All programs > Accessories > system tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave: