System: Running Vista Home Premium, Service Pack 2, Toshiba Satellite A305, 2 Intel Core 2 Duo CPU, 32-bit OS, Antivirus: Microsoft Security Essentials (MSE), Firewall: Windows Firewall with Advanced Security (came with Vista). I do regular updates. I’ve never made a backup (I’m an idiot).
History, date & symptoms – On 12/17/11 a fake ‘scan’ began to run on my computer (I did not write down the name). Popup windows kept popping up to tell me I had a security risk. I’d close the popup window and they would return (did this probably 30 times). I shut down the computer. When I restarted, it would not allow me access to the computer or any files. It would display an antivirus program I had not installed and tell me of threats. It told me that I had to make a purchase to update the antivirus software (I did not). I shut down my laptop and did not open it for 2 months (busy holidays). On the next startup I was able to gain access to the PC in normal mode (not sure why). I noticed the firewall was turned off and it would not allow me to turn it on. I had internet access, but turned off wireless out of fear. Antivirus MSE would run and found files (sorry, I did not write them all down) but listed Sirefef N and J. Files were removed or quarantined per instructions. Later MSE would never start again and never had internet access again either.
Present:
Starting in normal mode results in a blue screen. Blue screen message: IRQL_NOT_LESS_OR_EQUAL, technical message - ***STOP: 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x8324983C)
Starting in safe mode – I can connect to the network, but not the internet. In safe mode I was able to move all of my photos/music/videos/Excel and Word documents to an external hard drive. I scanned this hard drive and it says there is no malware, but should I trust these files now?
Firewall error message: “The Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code 0x6D9”
Can’t install a new firewall. Message: Cannot install. Error 1601. The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact support…
Cannot turn on antivirus (MSE). Message: Security Essentials couldn’t turn on real-time protection. This operation returned because the timeout period expired. Click Help for more information about this problem. Error Code 0x800705b4. I did download the newest definitions (Microsoft site) via another computer and it did update, but it still will not turn on.
Cannot install new antivirus software. Message: Installation of the Microsoft Runtime Redistributable Kit has failed. The probable cause is a Windows update running in parallel. Please check whether a Windows update is in progress and run setup later.
I read on your forum not to run anything (scans, etc.). That said, I visited a lot of forums before your site and tried to fix this based on their advice. Here are the scans and programs I tried, in order:
ATF Cleaner, DDS.scr, GMER, Microsoft Windows Malicious Software Removal Tool, Malwarebytes Anti-Malware, SUPERAntiSpyware, HitmanPro 3.5, Startup Repair tool, Microsoft Support Emergency Response Tool, updated MSE definitions but MSE would not turn on
DDS LOG (I do not know if I have any onboard script-blocking tools to disable and wouldn’t know how; please advise if I need to do something)
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by OWNER at 10:19:10 on 2012-02-25
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.2354 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\OWNER\Desktop\avira_free_antivirus_en.exe
C:\Users\OWNER\AppData\Local\Temp\RarSFX4\presetup.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mStart Page = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Skytel] Skytel.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon]
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ZoneAlarm Installer] "c:\program files\checkpoint\install\launcher.exe" "c:\program files\checkpoint\install\install.exe" /r download /c "c:\program files\checkpoint\install\Install.xml" /w
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\launch~1.lnk - c:\users\owner\appdata\roaming\microsoft\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{FF760607-1879-4406-AC47-128752A558DA} : NameServer = 4.2.2.2,4.2.2.3
TCP: Interfaces\{FF760607-1879-4406-AC47-128752A558DA} : DhcpNameServer = 192.168.0.1
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\91dje0pe.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\owner\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\owner\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\91dje0pe.default\extensions\{0ffcc8d1-8198-4b2f-9a96-2b4d4a65ecc9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-2-25 237632]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-2-25 338880]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-11-23 1052472]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-14 7168]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2012-2-18 228208]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]
S1 SASDIFSV;SASDIFSV;c:\users\owner\appdata\local\temp\sas_selfextract\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\users\owner\appdata\local\temp\sas_selfextract\saskutil.sys [2011-7-12 67664]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2012-2-25 235472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-7-10 40960]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2012-2-25 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2012-2-25 1145816]
S2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-14 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-7-7 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 libusb0;LibUsb-Win32 - Kernel Driver 07/07/2009, 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2009-7-7 28160]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-9 21520]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-20 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-02-25 15:00:10 -------- d-----w- C:\2a990e7f250e8fb87fc445
2012-02-25 05:08:07 767952 ----a-w- c:\windows\BDTSupport.dll
2012-02-25 05:08:06 739280 ----a-w- c:\windows\PCTBDRes.dll
2012-02-25 05:08:06 1865680 ----a-w- c:\windows\PCTBDCore.dll
2012-02-25 05:08:06 149456 ----a-w- c:\windows\SGDetectionTool.dll
2012-02-25 04:41:58 6552120 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8536532b-9644-4568-a423-e18791ef8b9e}\mpengine.dll
2012-02-25 00:51:27 -------- d-----w- c:\program files\Uniblue
2012-02-25 00:50:20 -------- d-----w- c:\users\owner\appdata\roaming\Uniblue
2012-02-25 00:50:17 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-02-24 22:45:37 -------- d-----w- c:\programdata\PC Tools
2012-02-24 22:45:36 -------- d-----w- c:\users\owner\appdata\roaming\TestApp
2012-02-21 05:24:53 -------- d-----w- c:\users\owner\appdata\local\Adobe
2012-02-21 03:38:14 -------- d-----w- c:\users\owner\appdata\roaming\SUPERAntiSpyware.com
2012-02-21 03:38:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-21 03:34:46 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-02-21 03:34:12 -------- d-----w- c:\programdata\Hitman Pro
2012-02-20 04:41:12 -------- d-----w- c:\programdata\Comodo
2012-02-20 04:41:01 -------- d-----w- c:\program files\Comodo
2012-02-20 04:16:58 -------- d-----w- c:\users\owner\appdata\local\Apple Computer
2012-02-20 02:59:30 -------- d-----w- c:\program files\CheckPoint
2012-02-18 15:46:05 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{185940d5-d3e7-49b6-aa83-d79cefdb1675}\gapaengine.dll
2012-02-18 15:42:52 2048 ----a-w- c:\windows\system32\tzres.dll
2012-02-18 15:42:37 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-18 15:35:05 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-02-18 15:35:05 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-02-18 15:35:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2012-02-18 15:34:57 49152 ----a-w- c:\windows\system32\csrsrv.dll
.
==================== Find3M ====================
.
2012-01-29 10:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-12 19:52:56 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 16:17:47 680448 ----a-w- c:\windows\system32\msvcrt.dll
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 10:20:11.36 ===============
Post exceeded 50,000 characters, so I will post the second log next.