Author Topic: Please help with Win32:Sirefef-ZT [trj]  (Read 11777 times)


Storyteller

  • Guest
Please help with Win32:Sirefef-ZT [trj]
« on: September 11, 2012, 11:43:37 AM »
Hi all!

Brand new, and registered because I've caught Win32:Sirefef-ZT [trj] according to the last Avast Scan. Avast's File System Shield also claims that I have a Win32:trojan-gen and Win32:ZAccess-IJ. I also had AVG on the system for a while and it kept claiming that Patched.A was on the system.

I have no idea whether these are all separate, linked together or what--but I know it all hit within the last day. Exactly -how- I have absolutely no idea, as I'm paranoid about sites.

But I've tried the obvious (boot scans, deep scans), so I'm sure I will need to post logs and run programs at y'all's requests. But please, please help.

Thanks!

adotd

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #1 on: September 11, 2012, 11:55:48 AM »
Hi Storyteller

Welcome to the forums

Follow this guide and attach (not copy and paste) the requested logs

forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR
farbar service scanner

Then help will arrive later today

Anthony
« Last Edit: September 11, 2012, 12:03:29 PM by adotd »

Online CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11248
  • No support PM's thanks
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #2 on: September 11, 2012, 12:15:20 PM »
Hi Storyteller

Welcome to the forums

Follow this guide and attach (not copy and paste) the requested logs

forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR
farbar service scanner

Then help will arrive later today

Anthony
Live link to the logs required http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #3 on: September 11, 2012, 01:58:38 PM »
Okay. I believe I have run and attached everything correctly.

However, as this forum only lets me attach 4 things, I'm going to do it in two posts. I'm also a little unclear (based on the thread people linked me to) whether it was all supposed to be attached or if some was supposed to be pasted. So I'll attach everything and then post what that thread said to copy/paste.

If I've done something wrong, I will update as needed.

So this post includes the AdwCleaner and Malwarebytes attached, with the Malwarebytes also pasted below:

ST

***

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.11.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Admin :: DAVROS [administrator]

9/11/2012 3:07:48 AM
mbam-log-2012-09-11 (03-07-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224415
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}\U\80000000.@ (Rootkit.0Access.64) -> Quarantined and deleted successfully.

(end)

***

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #4 on: September 11, 2012, 02:01:51 PM »
Hi, the OTL log will be the main analysis tool; once it is posted I will craft a fix.

Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #5 on: September 11, 2012, 02:07:57 PM »
Okay, file too large. Posting everything else one at a time.

OTL file.

Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #6 on: September 11, 2012, 02:08:37 PM »
Extras.

Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #7 on: September 11, 2012, 02:09:44 PM »
aswMBR attached and farbar service scanner posted below.


****
Farbar Service Scanner Version: 06-08-2012
Ran by Admin (administrator) on 11-09-2012 at 05:01:37
Running from "C:\Users\Admin\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #8 on: September 11, 2012, 02:31:47 PM »
This should get the majority in one go

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
[2011/12/25 13:32:51 | 000,001,516 | -HS- | C] () -- C:\Users\Admin\AppData\Local\47yei07465b2kg156550643h
[2011/12/25 13:32:51 | 000,001,516 | -HS- | C] () -- C:\ProgramData\47yei07465b2kg156550643h
@Alternate Data Stream - 172 bytes -> C:\Users\Admin\Documents\letter.tiff:3or4kl4x13tuuug3Byamue2s4b

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

:Files
C:\Windows\Installer\{c15e4c1c-515e-9835-656f-c2fe27cd7ae5}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

  • Download RogueKiller and save it on your desktop.
    NOTE: If using IE8 or better, Smartscreen Filter will need to be disabled
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.

FINALLY

Download the zip file from the link below to your desktop
https://dl.dropbox.com/u/73555776/Storyteller.zip
Extract all seven reg files to the desktop
Double click each in turn and allow to merge

Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #9 on: September 11, 2012, 07:09:16 PM »
Okay. Here's the outcomes step by step.

1. Did the OTL Custom Scan and Quick Scan. Log is attached.

Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #10 on: September 11, 2012, 07:13:19 PM »
2. Did Rogue Killer Scan. Here is the report:

***
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 09/11/2012 09:51:55

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> FOUND
[TASK][SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} : "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (91.103.185.182:80) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\@ --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\L --> FOUND
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] d760bca64d2df6e3d9c8275abccfc747
[BSP] 7752497b2ef9e0758957a6d617e08907 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt



3. Did the Delete. It did ask for a reboot in the process. Have no idea if it should have or not. Here is the report:

***
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Remove -- Date : 09/11/2012 09:55:19

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7} (\??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl) -> DELETED
[TASK][SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} : "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (91.103.185.182:80) -> NOT REMOVED, USE PROXYFIX
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) -> REPLACED (C:\Windows\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\n.) -> REPLACED (C:\Windows\system32\wbem\fastprox.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$c15e4c1c515e9835656fc2fe27cd7ae5\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-2154949661-1451629380-1476358773-1000\$c15e4c1c515e9835656fc2fe27cd7ae5\L --> REMOVED
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> REPLACED AT REBOOT (C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe)

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] d760bca64d2df6e3d9c8275abccfc747
[BSP] 7752497b2ef9e0758957a6d617e08907 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


4. Then I ran the Fix Shortcuts. Report below:

***
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/11/2012 10:02:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 653 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 8 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 2408 / Fail 0
My documents: Success 1879 / Fail 1879
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 889 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 150 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[G:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[H:] \Device\HarddiskVolume6 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume7 -- 0x2 --> Restored
[J:] \Device\CdRom1 -- 0x5 --> Skipped

¤¤¤ Infection :  ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
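The RogueKiller reports above and the OTL fix in Reply #8 name the same three kinds of ZeroAccess artifact: COM InprocServer32 handlers redirected into `$Recycle.Bin` or a `C:\Windows\Installer\{GUID}` folder, Desktop.ini files dropped into the GAC folders, and the `$<32 hex>\@`, `\U`, `\L` layout under per-SID recycle bins, plus a user proxy forced on in Internet Settings. The script below is an added example, not code from this thread, from RogueKiller or from OTL; it re-checks those locations read-only so a defender can confirm a cleanup or spot the same pattern on another machine. The folder-name and handler-path patterns are derived from the logs on this page, and it assumes Windows PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example, not code from the thread, from RogueKiller or from OTL. It
# re-checks, read-only, the ZeroAccess artifacts the reports above name:
# InprocServer32 handlers redirected into $Recycle.Bin or C:\Windows\Installer,
# Desktop.ini dropped into the GAC folders, the $<32 hex>\{@,U,L} layout under
# the per-SID recycle bins, and a user proxy forced on in Internet Settings.
# Assumes Windows PowerShell 3.0 or later and an elevated prompt; changes nothing.

# Handler locations taken from the RogueKiller/OTL output (patterns, not fixed paths).
$SuspiciousHandlerPattern = '(?i)\\\$Recycle\.Bin\\|\\Windows\\Installer\\\{[0-9a-f-]+\}\\'
# Folder names seen in the logs: $c15e4c1c... under a SID, {c15e4c1c-...} under Installer.
$GuidDirPattern = '^(\$[0-9a-f]{32}|\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\})$'

function Get-HijackedInprocServers {
    # HKCR merges HKLM\Software\Classes with HKCU\Software\Classes, so the per-user
    # override the OTL fix deletes (HKCU\...\clsid\{...}) is covered by this walk.
    $hits = @()
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $handler = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($handler -and $handler -match $SuspiciousHandlerPattern) {
                $hits += [pscustomobject]@{ Clsid = $_.PSChildName; Handler = $handler }
            }
        }
    }
    $hits
}

function Get-ZeroAccessFileArtifacts {
    $found = @()
    # Desktop.ini does not belong in the GAC folders; the OTL fix above removes both.
    foreach ($gac in 'GAC_32', 'GAC_64') {
        $ini = Join-Path $env:SystemRoot "assembly\$gac\Desktop.ini"
        if (Test-Path -LiteralPath $ini) { $found += $ini }
    }
    # Candidate GUID-named folders: two levels under $Recycle.Bin (SID, then $hex),
    # one level under Windows\Installer. MSI caches live under Installer legitimately,
    # so a folder is only reported if it also holds the '@', 'U' or 'L' entries.
    $candidates = @()
    $bin = Join-Path $env:SystemDrive '$Recycle.Bin'
    if (Test-Path -LiteralPath $bin) {
        Get-ChildItem -LiteralPath $bin -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $candidates += @(Get-ChildItem -LiteralPath $_.FullName -Directory -Force -ErrorAction SilentlyContinue)
        }
    }
    $installer = Join-Path $env:SystemRoot 'Installer'
    if (Test-Path -LiteralPath $installer) {
        $candidates += @(Get-ChildItem -LiteralPath $installer -Directory -Force -ErrorAction SilentlyContinue)
    }
    foreach ($dir in ($candidates | Where-Object { $_.Name -match $GuidDirPattern })) {
        foreach ($child in '@', 'U', 'L') {
            $p = Join-Path $dir.FullName $child
            if (Test-Path -LiteralPath $p) { $found += $p }
        }
    }
    $found
}

function Get-ForcedUserProxy {
    # RogueKiller flagged a ProxyServer value in the per-user Internet Settings key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer) { return $p.ProxyServer }
    return $null
}

$com   = @(Get-HijackedInprocServers)
$files = @(Get-ZeroAccessFileArtifacts)
$proxy = Get-ForcedUserProxy
"COM handlers redirected into hiding places: $($com.Count)"
$com | Format-Table -AutoSize
"File-system artifacts: $($files.Count)"
$files
if ($proxy) { "User proxy forced on: $proxy" } else { 'No user proxy set.' }
```

A clean run prints zero for both counts and "No user proxy set."; anything listed should be compared against the paths in the RogueKiller report before deciding it is the same infection, since `C:\Windows\Installer` holds legitimate `{GUID}` folders and only the `@`/`U`/`L` children make one suspicious.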





Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #11 on: September 11, 2012, 07:18:20 PM »
Last, I downloaded the zip file and extracted to the desktop.

Each time I double clicked the file, it warned me that "Adding information can unintentionally change or delete values and cause components to stop working correctly.  If you do not trust the source of this information in (location/file I'd double-clicked), do not add it to the registry."

It then asked me if I wanted to continue. I said yes and it said that each was successfully added to the registry EXCEPT for one file:
SharedAccess.reg

When I said yes to that one, it gave an error:
Cannot import C:\Users\Admin\Desktop\SharedAccess.reg: Error accessing the registry.


So that's what I've done. :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #12 on: September 11, 2012, 07:27:58 PM »
OK, looks like RK did a nice job.

Let's check out SharedAccess.

Run Farbar Service Scanner:

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.

Please copy and paste the log to your reply.

Storyteller

  • Guest
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #13 on: September 11, 2012, 09:16:07 PM »
Okay done. Here's the log--by the way, should I be worried that when it tried to check the Shared Access service, it ran into trouble--the same thing that I hit an error on with the reg files?

***
Farbar Service Scanner Version: 06-08-2012
Ran by Admin (administrator) on 11-09-2012 at 12:13:15
Running from "C:\Users\Admin\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
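The two Farbar Service Scanner logs in this thread (Reply #7 and the one above) report two different conditions: in the first, the MpsSvc, bfe, wscsvc, wuauserv, BITS and WinDefend keys under `HKLM\SYSTEM\CurrentControlSet\Services` did not exist at all, and in the second those keys are back but SharedAccess still has no Start, ImagePath or ServiceDll values, which is also why the SharedAccess.reg merge failed. The script below is an added example, not code from this thread or from FSS; it performs the same read-only audit directly against the registry and reports the two conditions separately, and also reads the `DisableAntiSpyware` policy value both logs show. The service list is taken from the logs on this page; it assumes Windows PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example, not code from the thread or from Farbar Service Scanner. It
# performs the same read-only audit FSS reports above, directly against the
# registry: for each service, does the key exist, does it have Start and
# ImagePath values, and (for svchost-hosted services) does Parameters\ServiceDll
# point at a file that is present on disk. It also reads the Windows Defender
# policy value the FSS log shows. Assumes Windows PowerShell 3.0 or later, elevated.

# The services FSS checks in the logs above; all but mpsdrv were missing keys
# in the first log, and SharedAccess still lacked its values in the second.
$ServicesToCheck = 'mpsdrv', 'MpsSvc', 'bfe', 'wscsvc', 'wuauserv', 'BITS', 'WinDefend', 'SharedAccess'

function Test-ServiceRegistryKey {
    param([Parameter(Mandatory = $true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [ordered]@{
        Service = $Name; KeyExists = $false; Start = $null
        ImagePath = $null; ServiceDll = $null; Findings = @()
    }
    if (-not (Test-Path -LiteralPath $key)) {
        # The "service key does not exist" condition from the first FSS log.
        $result.Findings += 'service key does not exist'
        return [pscustomobject]$result
    }
    $result.KeyExists = $true
    $props = Get-ItemProperty -LiteralPath $key
    $result.Start = $props.Start
    $result.ImagePath = $props.ImagePath
    # The "value does not exist" conditions the second log still shows for
    # SharedAccess: the key is present, but it is empty.
    if ($null -eq $props.Start) { $result.Findings += 'Start value missing' }
    if ([string]::IsNullOrEmpty($props.ImagePath)) { $result.Findings += 'ImagePath value missing' }
    $dll = $null
    if (Test-Path -LiteralPath "$key\Parameters") {
        $dll = (Get-ItemProperty -LiteralPath "$key\Parameters").ServiceDll
    }
    $result.ServiceDll = $dll
    if ($dll) {
        # ImagePath is usually "svchost.exe -k group", so the DLL is the file to verify.
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $expanded)) { $result.Findings += "ServiceDll not on disk: $expanded" }
    } elseif ($Name -ne 'mpsdrv') {
        # mpsdrv is a kernel driver and has no ServiceDll; every other entry is svchost-hosted.
        $result.Findings += 'ServiceDll value missing'
    }
    return [pscustomobject]$result
}

function Get-DefenderDisabledPolicy {
    # Both FSS logs show DisableAntiSpyware=1 under this key, which keeps Defender off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).DisableAntiSpyware
}

$report = foreach ($svc in $ServicesToCheck) { Test-ServiceRegistryKey -Name $svc }
$report | Format-Table Service, KeyExists, Start, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize
$policy = Get-DefenderDisabledPolicy
if ($policy -eq 1) { 'ATTENTION: DisableAntiSpyware=1, Windows Defender is disabled by policy' }
else { 'Windows Defender is not disabled by policy' }
```

A healthy Windows 7 system shows every row with KeyExists True and an empty Findings column; a row reading "service key does not exist" matches the first log, while a row with KeyExists True and "Start value missing; ImagePath value missing; ServiceDll value missing" matches what the second log still reports for SharedAccess. The script reports only and does not recreate keys; a missing or empty service key is restored from a known-good registry export, as the .reg files in this thread do.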

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Please help with Win32:Sirefef-ZT [trj]
« Reply #14 on: September 11, 2012, 10:25:24 PM »
OK, we will have to run a repair.

Download Windows Repair (all in one) from this site.

Install the programme then run.

Go to step 3 and allow it to run SFC.

On the start repairs tab click start.

Select the following items and tick restart system when finished