Can't open email attachments, can't download files, can't


  • This topic is locked

#16
starwindows (Member, Topic Starter, 19 posts)
I downloaded and put combofix file on desktop, but haven't run
  • 0

#17
maliprog (Trusted Helper, Malware Removal, 6,172 posts)
OK. Good. Please run this script now and post results.

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

  • Click on the Start button and in the search box, type Notepad and click on it
  • Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\Backup"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\DbgHelp.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\Drivers"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\en-us"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\EppManifest.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MpAsDesc.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MpClient.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MpCmdRun.exe"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MpCommu.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\mpevmsg.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MpOAv.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MpRTP.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MpSvc.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MSESysprep.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MsMpCom.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MsMpEng.exe"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MsMpLics.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MsMpRes.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\msseces.exe"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\msseoobe.exe"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\msseooberes.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\MsseWat.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\NisLog.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\NisSrv.exe"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\NisWFP.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\Setup.exe"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\SetupRes.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\shellext.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\SqmApi.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\SymSrv.dll"
    fsutil reparsepoint delete "C:\Program Files\Microsoft Security Client\SymSrv.yes"
    CD \
    REM List every reparse point (junction/symlink) on the drive
    DIR /S /A:L > "%USERPROFILE%\Desktop\JunctionPoints.txt"
    START "" "%USERPROFILE%\Desktop\JunctionPoints.txt"
    EXIT
    
  • Go to File > Save As... and save it to your Desktop named fix.bat. Make sure you change the Save as type to All Files (*.*)
  • Locate fix.bat on your Desktop and right click then select Run as administrator

Post JunctionPoints.txt when finished.
  • 0

#18
starwindows (Member, Topic Starter, 19 posts)
New JunctionPoints.txt file


Volume in drive C is Windows
Volume Serial Number is 78CF-E5A0

Directory of C:\

14/07/2009 02:53 PM <JUNCTION> Documents and Settings [C:\Users]
0 File(s) 0 bytes

Directory of C:\ProgramData

14/07/2009 02:53 PM <JUNCTION> Application Data [C:\ProgramData]
14/07/2009 02:53 PM <JUNCTION> Desktop [C:\Users\Public\Desktop]
14/07/2009 02:53 PM <JUNCTION> Documents [C:\Users\Public\Documents]
14/07/2009 02:53 PM <JUNCTION> Favorites [C:\Users\Public\Favorites]
14/07/2009 02:53 PM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
14/07/2009 02:53 PM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users

14/07/2009 02:53 PM <SYMLINKD> All Users [C:\ProgramData]
14/07/2009 02:53 PM <JUNCTION> Default User [C:\Users\Default]
0 File(s) 0 bytes

Directory of C:\Users\All Users

14/07/2009 02:53 PM <JUNCTION> Application Data [C:\ProgramData]
14/07/2009 02:53 PM <JUNCTION> Desktop [C:\Users\Public\Desktop]
14/07/2009 02:53 PM <JUNCTION> Documents [C:\Users\Public\Documents]
14/07/2009 02:53 PM <JUNCTION> Favorites [C:\Users\Public\Favorites]
14/07/2009 02:53 PM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
14/07/2009 02:53 PM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users\Default

14/07/2009 02:53 PM <JUNCTION> Application Data [C:\Users\Default\AppData\Roaming]
14/07/2009 02:53 PM <JUNCTION> Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
14/07/2009 02:53 PM <JUNCTION> Local Settings [C:\Users\Default\AppData\Local]
14/07/2009 02:53 PM <JUNCTION> My Documents [C:\Users\Default\Documents]
14/07/2009 02:53 PM <JUNCTION> NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
14/07/2009 02:53 PM <JUNCTION> PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
14/07/2009 02:53 PM <JUNCTION> Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
14/07/2009 02:53 PM <JUNCTION> SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
14/07/2009 02:53 PM <JUNCTION> Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
14/07/2009 02:53 PM <JUNCTION> Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users\Default\AppData\Local

14/07/2009 02:53 PM <JUNCTION> Application Data [C:\Users\Default\AppData\Local]
14/07/2009 02:53 PM <JUNCTION> History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
14/07/2009 02:53 PM <JUNCTION> Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes

Directory of C:\Users\Default\Documents

14/07/2009 02:53 PM <JUNCTION> My Music [C:\Users\Default\Music]
14/07/2009 02:53 PM <JUNCTION> My Pictures [C:\Users\Default\Pictures]
14/07/2009 02:53 PM <JUNCTION> My Videos [C:\Users\Default\Videos]
0 File(s) 0 bytes

Directory of C:\Users\Public\Documents

14/07/2009 02:53 PM <JUNCTION> My Music [C:\Users\Public\Music]
14/07/2009 02:53 PM <JUNCTION> My Pictures [C:\Users\Public\Pictures]
14/07/2009 02:53 PM <JUNCTION> My Videos [C:\Users\Public\Videos]
0 File(s) 0 bytes

Directory of C:\Users\Reception

16/08/2010 04:44 PM <JUNCTION> Application Data [C:\Users\Reception\AppData\Roaming]
16/08/2010 04:44 PM <JUNCTION> Cookies [C:\Users\Reception\AppData\Roaming\Microsoft\Windows\Cookies]
16/08/2010 04:44 PM <JUNCTION> Local Settings [C:\Users\Reception\AppData\Local]
16/08/2010 04:44 PM <JUNCTION> My Documents [C:\Users\Reception\Documents]
16/08/2010 04:44 PM <JUNCTION> NetHood [C:\Users\Reception\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
16/08/2010 04:44 PM <JUNCTION> PrintHood [C:\Users\Reception\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
16/08/2010 04:44 PM <JUNCTION> Recent [C:\Users\Reception\AppData\Roaming\Microsoft\Windows\Recent]
16/08/2010 04:44 PM <JUNCTION> SendTo [C:\Users\Reception\AppData\Roaming\Microsoft\Windows\SendTo]
16/08/2010 04:44 PM <JUNCTION> Start Menu [C:\Users\Reception\AppData\Roaming\Microsoft\Windows\Start Menu]
16/08/2010 04:44 PM <JUNCTION> Templates [C:\Users\Reception\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users\Reception\AppData\Local

16/08/2010 04:44 PM <JUNCTION> Application Data [C:\Users\Reception\AppData\Local]
16/08/2010 04:44 PM <JUNCTION> History [C:\Users\Reception\AppData\Local\Microsoft\Windows\History]
16/08/2010 04:44 PM <JUNCTION> Temporary Internet Files [C:\Users\Reception\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes

Directory of C:\Users\Reception\Documents

16/08/2010 04:44 PM <JUNCTION> My Music [C:\Users\Reception\Music]
16/08/2010 04:44 PM <JUNCTION> My Pictures [C:\Users\Reception\Pictures]
16/08/2010 04:44 PM <JUNCTION> My Videos [C:\Users\Reception\Videos]
0 File(s) 0 bytes

Directory of C:\Users\UpdatusUser

19/11/2012 02:58 PM <JUNCTION> Application Data [C:\Users\UpdatusUser\AppData\Roaming]
19/11/2012 02:58 PM <JUNCTION> Cookies [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Cookies]
19/11/2012 02:58 PM <JUNCTION> Local Settings [C:\Users\UpdatusUser\AppData\Local]
19/11/2012 02:58 PM <JUNCTION> My Documents [C:\Users\UpdatusUser\Documents]
19/11/2012 02:58 PM <JUNCTION> NetHood [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
19/11/2012 02:58 PM <JUNCTION> PrintHood [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
19/11/2012 02:58 PM <JUNCTION> Recent [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Recent]
19/11/2012 02:58 PM <JUNCTION> SendTo [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\SendTo]
19/11/2012 02:58 PM <JUNCTION> Start Menu [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu]
19/11/2012 02:58 PM <JUNCTION> Templates [C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes

Directory of C:\Users\UpdatusUser\AppData\Local

19/11/2012 02:58 PM <JUNCTION> Application Data [C:\Users\UpdatusUser\AppData\Local]
19/11/2012 02:58 PM <JUNCTION> History [C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\History]
19/11/2012 02:58 PM <JUNCTION> Temporary Internet Files [C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes

Directory of C:\Users\UpdatusUser\Documents

19/11/2012 02:58 PM <JUNCTION> My Music [C:\Users\UpdatusUser\Music]
19/11/2012 02:58 PM <JUNCTION> My Pictures [C:\Users\UpdatusUser\Pictures]
19/11/2012 02:58 PM <JUNCTION> My Videos [C:\Users\UpdatusUser\Videos]
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
66 Dir(s) 917,481,656,320 bytes free
  • 0

#19
maliprog (Trusted Helper, Malware Removal, 6,172 posts)
This looks better. We are back on the track again. Please do Step 2 again and continue with Step 3 (run Combofix).
  • 0
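
Added example, not part of the original thread or the helper's fix: a Python triage of a DIR /S /A:L listing such as JunctionPoints.txt, flagging reparse points that sit outside, or resolve outside, the locations seen in the clean listing in post #18. The baseline (the C:\Documents and Settings link plus anything under C:\ProgramData and C:\Users) is an assumption taken from that listing, and the sample text, including its two flagged lines and their targets, is constructed.

```python
import ntpath
import re
from typing import NamedTuple


class ReparsePoint(NamedTuple):
    path: str    # full path of the link itself
    kind: str    # JUNCTION, SYMLINKD or SYMLINK
    target: str  # path DIR prints in [brackets]


DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
LINK_LINE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}(?:\s+[AP]M)?\s+"
    r"<(JUNCTION|SYMLINKD|SYMLINK)>\s+(.+?)\s+\[(.*)\]\s*$"
)

# Assumption: baseline derived from the clean listing in post #18.
BASELINE_LINKS = ("C:\\Documents and Settings",)   # allowed as an exact path
BASELINE_TREES = ("C:\\ProgramData", "C:\\Users")  # allowed anywhere below


def _norm(path):
    # ntpath gives Windows path semantics on any OS (case-insensitive compare).
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, trees):
    p = _norm(path)
    return any(p == _norm(t) or p.startswith(_norm(t) + "\\") for t in trees)


def parse_dir_listing(text):
    """Turn DIR /S /A:L output into ReparsePoint records."""
    entries, current_dir = [], None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1)
            continue
        link = LINK_LINE.match(line)
        if link and current_dir is not None:
            kind, name, target = link.groups()
            entries.append(ReparsePoint(ntpath.join(current_dir, name), kind, target))
    return entries


def triage(entries):
    """Return (path, reason) for links whose location or target is off-baseline."""
    known_links = {_norm(link) for link in BASELINE_LINKS}
    flagged = []
    for e in entries:
        known_location = (_norm(e.path) in known_links
                          or _under(ntpath.dirname(e.path), BASELINE_TREES))
        if not known_location:
            flagged.append((e.path, "location outside baseline"))
        elif not _under(e.target, BASELINE_TREES):
            flagged.append((e.path, "target outside baseline"))
    return flagged


# Constructed sample in the format of JunctionPoints.txt; the last line of each
# of the final two directories is a constructed anomaly.
SAMPLE = r"""
 Volume in drive C is Windows

 Directory of C:\

14/07/2009  02:53 PM    <JUNCTION>     Documents and Settings [C:\Users]
               0 File(s)              0 bytes

 Directory of C:\Users

14/07/2009  02:53 PM    <SYMLINKD>     All Users [C:\ProgramData]
14/07/2009  02:53 PM    <JUNCTION>     Default User [C:\Users\Default]

 Directory of C:\Users\Reception\AppData\Local

16/08/2010  04:44 PM    <JUNCTION>     Temporary Internet Files [C:\Users\Reception\AppData\Local\Microsoft\Windows\Temporary Internet Files]
16/08/2010  04:44 PM    <JUNCTION>     History [C:\Constructed\Elsewhere]

 Directory of C:\Program Files

17/06/2013  03:10 PM    <JUNCTION>     Microsoft Security Client [C:\Constructed\Target]
"""

if __name__ == "__main__":
    for path, reason in triage(parse_dir_listing(SAMPLE)):
        print(f"{reason}: {path}")
```

Run against the listing in post #18, this baseline flags nothing, since every link there sits in, and points into, C:\ProgramData or C:\Users.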

#20
starwindows (Member, Topic Starter, 19 posts)
step 2

Log Opened: 2013-06-17 @ 15:37:45
15:37:45 - -----------------
15:37:45 - | Begin Logging |
15:37:45 - -----------------
15:37:45 - Fix started on a WIN_7 X86 computer
15:37:45 - Prep in progress. Please Wait.
15:37:45 - Prep complete
15:37:45 - Repairing Services Now. Please wait...
15:37:45 - Services Repair Complete.
15:37:49 - Reboot Initiated
Log Opened: 2013-06-17 @ 15:54:48
15:54:48 - -----------------
15:54:48 - | Begin Logging |
15:54:48 - -----------------
15:54:48 - Fix started on a WIN_7 X86 computer
15:54:48 - Prep in progress. Please Wait.
15:54:48 - Prep complete
15:54:48 - Repairing Services Now. Please wait...
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\BFE.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\SubLayer>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Provider>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Performance>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\iphlpsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Teredo\{FA88062C-9A61-4C1E-AC45-7143F8F01AAD}>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Isatap\{8AD2FB26-F91E-44F1-9B24-3C0AE56C9CE0}>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\Isatap>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters\IPHTTPS>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Interfaces>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\config>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\MpsSvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\DHCP>
ERROR: Writing SD to <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\DHCP> failed with: The system cannot find the file specified.
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch2>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\WinDefend.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\TriggerInfo\0>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\TriggerInfo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Win7\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
15:54:50 - Services Repair Complete.
15:54:52 - Reboot Initiated


onto step 3
  • 0

#21
starwindows (Member, Topic Starter, 19 posts)
Step 3


ComboFix 13-06-17.01 - Reception 17/06/2013 16:04:48.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.3005.1980 [GMT 10:00]
Running from: c:\users\Reception\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\RECEPT~1\AppData\Local\Temp\9b93aee4-5d0f-43c6-98ae-ec0b1e7534ab\CliSecureRT.dll
c:\users\Reception\AppData\Local\Temp\9b93aee4-5d0f-43c6-98ae-ec0b1e7534ab\CliSecureRT.dll
c:\windows\desktop
c:\windows\desktop\EZIaccounts.url
c:\windows\system32\muzapp.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-05-17 to 2013-06-17 )))))))))))))))))))))))))))))))
.
.
2013-06-17 05:55 . 2013-06-17 05:55 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{33CD7FAA-4A8E-4BB8-81E4-841296589530}\MpKsladc7adf6.sys
2013-06-13 01:13 . 2013-06-13 01:13 -------- d-----w- c:\users\Reception\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2013-06-13 01:05 . 2009-08-19 12:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-06-12 06:02 . 2013-06-08 11:41 218112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2013-06-12 06:02 . 2013-06-08 11:13 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-11 21:37 . 2013-04-25 23:30 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-06-11 21:37 . 2013-05-10 03:20 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-11 21:37 . 2013-04-26 04:55 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-06-11 21:37 . 2013-05-13 03:08 903168 ----a-w- c:\windows\system32\certutil.exe
2013-06-11 21:37 . 2013-05-13 04:45 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-11 21:37 . 2013-05-13 04:45 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-06-11 21:37 . 2013-05-13 04:45 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-11 21:37 . 2013-05-13 03:08 43008 ----a-w- c:\windows\system32\certenc.dll
2013-06-11 21:37 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-06-11 21:37 . 2013-05-06 05:06 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-11 21:37 . 2013-05-06 05:06 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-11 21:37 . 2013-05-08 05:38 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-11 05:08 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{33CD7FAA-4A8E-4BB8-81E4-841296589530}\mpengine.dll
2013-06-10 21:46 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-31 05:56 . 2013-05-31 05:56 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-05-21 04:53 . 2013-05-21 04:53 724464 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ACC582E0-E6A3-4B0E-9479-6975BBDE643C}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 15:28 . 2010-08-16 19:47 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-01 22:10 . 2013-05-01 22:10 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-24 05:07 . 2012-10-21 20:48 706640 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-04-13 04:45 . 2013-05-15 21:41 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 21:41 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45 . 2013-04-23 21:33 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18 . 2013-05-15 21:40 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18 . 2013-05-15 21:40 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14 . 2013-05-15 21:41 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-03-20 05:05 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KiesHelper"="c:\program files\Samsung\Kies\KiesHelper.exe" [2011-04-28 934800]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2011-04-28 3373968]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2011-04-28 19856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-21 7858720]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-10-01 548864]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-05-07 210216]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-07 642664]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-23 887976]
"FileOpenBroker"="c:\program files\FileOpen\Services\FileOpenBroker32.exe" [2012-04-30 836480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-03-20 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 265088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-07-13 11904]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2010-05-25 96488]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2010-05-25 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2010-05-25 121576]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-17 1343400]
S1 MpKsladc7adf6;MpKsladc7adf6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{33CD7FAA-4A8E-4BB8-81E4-841296589530}\MpKsladc7adf6.sys [2013-06-17 29904]
S2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe [2012-04-30 213888]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-05-28 233472]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-17 383264]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-05 224424]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-05-28 36608]
S3 SNXPCARD;SUNIX Multi-I/O Card Driver;c:\windows\system32\DRIVERS\snxpcard.sys [2010-12-02 49016]
S3 SNXPPALX;SUNIX Parallel Port Driver;c:\windows\system32\DRIVERS\snxppalx.sys [2010-12-03 86392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - FSUSBEXDISK
*NewlyCreated* - WS2IFSL
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-06 21:46 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-29 02:19]
.
2013-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-29 02:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\Samsung\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\Samsung\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2013-06-17 16:13:13 - machine was rebooted
ComboFix-quarantined-files.txt 2013-06-17 06:13
.
Pre-Run: 918,251,843,584 bytes free
Post-Run: 918,470,053,888 bytes free
.
- - End Of File - - 7FBC6076483F46F940478FA89A6AF059
A36C5E4F47E84449FF07ED3517B43A31

#22
starwindows

Thanks for your help so far maliprog :)

I am off home for the night, talk to you tomorrow.

#23
starwindows

I am back online, I will be available for 6-7 hours :)

#24
maliprog

Hi starwindows,

How is your system now? Any problems?

#25
starwindows

Hi maliprog

MSE is working now, I can open email attachments thanks very much.
I haven't done any downloads yet, but I will tomorrow and let you know.
MSE has a bunch of quarantined files that it wants me to delete, should I?

#26
maliprog

Please wait until tomorrow then. If you see everything is fine then you can remove all quarantined files. I'll prepare some cleanup for you tomorrow.

#27
starwindows

Thanks very much for your assistance so far :)

#28
starwindows

Everything seems to be working fine now, I have been able to download and run programs :thumbsup:

#29
maliprog

Hi starwindows,

Your logs and system are clean now. I'm glad we fixed up your computer.

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [clearallrestorepoints]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Step 2

We need to clean up your PC from programs we used.

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end.

In case that any of the software we used in this fix still remains on your system please delete it manually (Right click on it and select Delete).

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Something to read

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?

2. Make Backups of Important Files

Please read this article Home Computer Data Backup.

3. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of software installed on your system.

#30
starwindows

All done.

Thanks so much for your assistance, I will be buying you a cup of coffee or 3 :)