Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

XP infected w Sirefef.ah & Sirefef.ac need help pls

Started by davidad , Apr 27 2012 01:50 AM

This topic is locked

62 replies to this topic

#1 davidad

Member

Members
61 posts

Gender:Male

Posted 27 April 2012 - 01:50 AM

Hello. I am davidad. I posted a new topic in the "Am I infected" Forum today under topic 451519. I was directed to access a "Guide for use before using Malware Removal Tools under topic 34773 by "Broni", starting with Step 6 of the Guide. Also, I believe I have a similar if not identical problem that a user named MarkP had..in topic450849, in which Broni helped and in a later topic 451285 in which Gringo helped.

I have an XP that got infected with Sirefef.ac and Sirefef.ah. Once in a while, I got a redirect though haven't gotten it in a while, probably cause MSE is removing them. I know I have the these sirefefs cause I see the MSE history which I will also listed an abstract at the end. I've read these items are very severe and regular anti-virus or malware software can't remove them permanently. So, I need your help!

I already had MSE and Malwarebytes Anti-malware. MSE actively scans and does a daily full scan while I have to run MBAM manually every few days. MSE detects the Sirefef.ac and ah every day and then removes them (I got this about 5 days ago. I can't get rid of these and really need your help. I've tried running many software items, including ESET, Kapersky's TDSS Killer, HitManPro, ccleaner, etc to no avail.

Also, in general my machine is slow sometimes loading web pages, sometimes MBAM or a web page shows in task manager as not responding and then eventually it starts functionning. So, my computer seems slow (maybe it had previous malware) and now it has the sirefef.ac and ah. Also, when a run MBAM, it can take 3 hours to run a full scan and when MSE does a full scan, it can and does take hours, like between 6-8 sometimes, if not more. This seems too long and don't know how to fix this. I did download ccleaner and windoctor a while ago and it helped a litte.

Please assist.

Ok tonight, I ran DeFogger and it seemed to go fine. When it was finished, I pressed ok, without being asked to reboot. I then pressed "X" to close it without any problem. I downloaded DDS and was able to get both logs.

Here is DDS TXT. Separately, I attached the attach.txt file generated by DDS.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Family Login at 22:39:38 on 2012-04-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.384.78 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\HitmanPro\hmpsched.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msnbc.com/
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe
IE: &Search
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{C3F5B8F4-0633-4E20-983B-D2B490E87D7A} : DhcpNameServer = 167.206.254.1 167.206.254.2
Notify: TPSvc - TPSvc.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2012-4-20 101112]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2011-2-16 3744]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-4-21 105288]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2011-2-16 3904]
R3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [2006-10-18 63360]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-22 40776]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [2006-10-18 128000]
RUnknown MpKsld7b2a360;MpKsld7b2a360; [x]
.
=============== Created Last 30 ================
.
2012-04-26 19:18:58 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c1b7cdc0-2439-4ad1-a290-f1f519cdf42c}\mpengine.dll
2012-04-23 04:39:39 -------- d-----w- C:\TDSSKiller items
2012-04-22 15:55:42 -------- d-----w- c:\program files\ESET
2012-04-22 13:55:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-21 16:43:11 -------- d-----w- c:\program files\HitmanPro
2012-04-21 16:42:04 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-04-21 01:34:23 -------- d-----w- C:\sh4ldr
2012-04-21 01:27:39 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-04-21 01:26:46 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-04-21 01:11:45 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-04-21 01:11:43 42864 ----a-r- c:\windows\system32\SBBD.EXE
2012-04-21 01:10:15 -------- d-----w- c:\program files\common files\iS3
2012-04-21 01:09:29 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2012-04-20 06:46:07 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-11 18:56:36 73104 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2012-04-04 17:13:38 23376 ----a-r- c:\windows\system32\SZIO5.dll
2012-04-04 17:13:26 546640 ----a-r- c:\windows\system32\SZComp5.dll
2012-04-04 17:13:22 481104 ----a-r- c:\windows\system32\SZBase5.dll
2012-03-31 15:36:16 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2012-03-31 15:35:32 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
.
==================== Find3M ====================
.
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50:30 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50:54 369664 ----a-w- c:\windows\system32\html.iec
2012-02-26 05:44:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-26 05:44:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-24 19:28:26 99728 ----a-r- c:\windows\system32\drivers\SZKG.sys
2012-02-24 19:28:26 99728 ----a-r- c:\windows\system32\drivers\is3srv.sys
2012-02-23 18:09:44 29008 ----a-r- c:\windows\system32\IS3XDat5.dll
2012-02-23 18:09:42 390992 ----a-r- c:\windows\system32\IS3UI5.dll
2012-02-23 18:09:42 231248 ----a-r- c:\windows\system32\IS3Win325.dll
2012-02-23 18:09:40 100176 ----a-r- c:\windows\system32\IS3Svc5.dll
2012-02-23 18:09:34 132944 ----a-r- c:\windows\system32\IS3HTUI5.dll
2012-02-23 18:09:34 104272 ----a-r- c:\windows\system32\IS3Inet5.dll
2012-02-23 18:09:32 67408 ----a-r- c:\windows\system32\IS3Hks5.dll
2012-02-23 18:09:32 456528 ----a-r- c:\windows\system32\IS3DBA5.dll
2012-02-23 18:09:30 808784 ----a-r- c:\windows\system32\IS3Base5.dll
2012-02-23 14:18:36 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:42:32.10 ===============

I ran GMER from the first link listed in the Guide. It took about 4 hours long and I believe it finished since my machine was busy and making noises (like searching, like the computer was working) for hours and now it is quiet. There were only five lines listed on the GMER screen. I attached the ark.txt below.

MSE History Abstract

Finally, here is a listing of what was detected and shown from MSE History from the most recent time MSE detected and removed the sirefef.ah. I see once a day, usually the .ah file is detected and removed.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll->EWS->1.cod

Ok. That is it for now. I believe I followed all directions and instructions re running software, adding logs or attachments, and posting correctly.

Please help and thank you very much.

Kind regards,

davidad

Attached Files

attach.txt 16.17K 3 downloads
ark.txt 1.46K 1 downloads

BC Ads
BleepingComputer.com

#2 SweetTech

Agent ST

Malware Response Team
13,421 posts

Gender:Male
Location:Antarctica

Posted 27 April 2012 - 02:01 AM

Hello davidad and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
- Because of this, you must reply within 3 days failure to reply will result in the topic being closed! I like chocolate chip cookies.
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.
- Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

These items below that are being detected by MSE as being infected are currently in your System Restore. We will remove them later when we clean-up our tools and flush the old restore points out.

Items:
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll->EWS->1.cod

=======================

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:

NEXT:

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.

I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

NEXT:

Running aswMBR.exe

Download aswMBR.exe (4.5mb) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image

NEXT:

Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

NEXT:

Running OTL

We need to create a New FULL OTL Report

Please download OTL from here if you have not done so already:
- Main Mirror
- Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "SafeList"

Copy and Paste the following code into the Posted Image

textbox.

msconfig
safebootminimal
activex
drivers32
netsvcs
CreateRestorePoint
"%WinDir%\$NtUninstallKB*$." /30
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
tdx.sys
afd.sys
netbt.sys
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extras.txt <-- Will be minimized

NEXT:

Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. aswMBR log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Please let me know how the above scans go.

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 davidad

Member

Members
61 posts

Gender:Male

Posted 27 April 2012 - 08:51 AM

Hello ST,

Thanks very much for responding! And I look forward to working with you. I now have set the profile on this issue to notify me immediately when there is a response so I will look to respond very timely. Also, apologies for sending attachments and not embedding their contents in the reply window. I followed the instructions provided me earlier..to attach the two items but going forward, I will put log contents into the reply window.

As for direction, I will proceed to do a clean up and will do so later today when I have access to my machine. I have a couple of questions/update items for you.

1) I thought the Sirefef.ac and Sirefef.ah trojans/viruses? were what had infected my machines, not ZeroAccess (Max) and thought they did redirects to other web sites. Are these two items just other names for this ZeroAccess? Does this ZeroAccess do redirects and potentially log keystrokes, steal pws, etc?

2) If my computer is on but no internet explorer program is open (meaning I am not online), can someone "get into" my computer or make it online? Should I keep it off or is it ok to keep it on? Also, can I use the computer i.e. to get on line or make a spreadsheet?

3) I have MSE already installed and if its status shows green and protecting the computer, is the computer safe (since at least as of that specific time, the sirefef.ac & .ah are indicated in the MSE history to have been removed? Or, is the computer totally exposed even when MSE shows green and the sirefefs removed?

4) Should I install any other protection now or is MSE adequate? (FYI, I also have MBAM installed though this doesn't run automatically..only runs when I double click on the icon to run (& update definitions).

5) You noted in your #5 I should not run spyware scans unless you ask. So, just to confirm, I will not run MBAM at all going forward unless you advise me to, correct? Is it ok that MSE continues to run / protect my computer automatically? I'm sure that today, it will again detect and remove the Sirefef items, at least the .ah one.

6) Though I don't use it a lot for accessing bank data, I have previously so I did change passwords for those already.

Thanks again in advance for your help and patience.

Regards,

Davidad

#4 davidad

Member

Members
61 posts

Gender:Male

Posted 27 April 2012 - 11:05 PM

Hello ST,

Ok. Here's an update. I downloaded and ran all three programs you requested. Th 1st and third took a while to run and at times, task manager showed them as not responding. I just waited and eventually they completed.

1. As for questions, please see my previous message from earlier today with questions I need your help with.

2. ASWMBR log - Please see below.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-27 22:25:22
-----------------------------
22:25:22.292 OS Version: Windows 5.1.2600 Service Pack 3
22:25:22.292 Number of processors: 1 586 0x502
22:25:22.292 ComputerName: DAMONFAMILY01 UserName: Family Login
22:25:26.948 Initialize success
22:31:50.350 AVAST engine defs: 12042701
22:33:14.030 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:33:14.030 Disk 0 Vendor: ST320414A 3.28 Size: 19092MB BusType: 3
22:33:14.050 Disk 0 MBR read successfully
22:33:14.050 Disk 0 MBR scan
22:33:14.360 Disk 0 Windows XP default MBR code
22:33:14.380 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19084 MB offset 63
22:33:14.521 Disk 0 scanning sectors +39085200
22:33:14.721 Disk 0 scanning C:\WINDOWS\system32\drivers
22:34:22.999 Service scanning
22:34:58.961 Service MpKsl81c55132 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{466D36BD-668D-457D-8B0C-855B2D88C94F}\MpKsl81c55132.sys **LOCKED** 32
22:35:46.780 Modules scanning
22:36:08.230 Disk 0 trace - called modules:
22:36:08.260 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
22:36:08.661 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82b92030]
22:36:08.661 3 CLASSPNP.SYS[f76fefd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82ba4700]
22:36:10.153 AVAST engine scan C:\WINDOWS
22:36:21.530 AVAST engine scan C:\WINDOWS\system32
22:50:56.748 AVAST engine scan C:\WINDOWS\system32\drivers
22:52:05.287 AVAST engine scan C:\Documents and Settings\Family Login
22:58:07.357 AVAST engine scan C:\Documents and Settings\All Users
23:09:42.156 Scan finished successfully
23:12:05.693 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Family Login\Desktop\MBR.dat"
23:12:05.783 The log file has been saved successfully to "C:\Documents and Settings\Family Login\Desktop\aswMBR.txt"

3. Farbar Service Scanner log - Please see below.

Farbar Service Scanner Version: 24-04-2012
Ran by Family Login (administrator) on 27-04-2012 at 23:14:22
Running from "C:\Documents and Settings\Family Login\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) MDC8021X(9) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

4. OTL.txt & Extra.txt logs. Please see below.

4a. OTL.txt

OTL logfile created on: 4/27/2012 11:17:52 PM - Run 1
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Documents and Settings\Family Login\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.55 Mb Total Physical Memory | 172.76 Mb Available Physical Memory | 45.04% Memory free
986.29 Mb Paging File | 746.46 Mb Available in Paging File | 75.68% Paging File free
Paging file location(s): C:\pagefile.sys 640 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 8.79 Gb Free Space | 47.14% Space Free | Partition Type: NTFS

Computer Name: DAMONFAMILY01 | User Name: Family Login | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/27 23:15:55 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family Login\Desktop\OTL.exe
PRC - [2012/04/21 12:43:15 | 000,105,288 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro\hmpsched.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/05 16:10:08 | 001,056,864 | ---- | M] () -- C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

========== Modules (No Company Name) ==========

MOD - [2004/06/05 16:10:08 | 001,056,864 | ---- | M] () -- C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\crauto.dll -- (raysatxsi5_0server)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\KR10N.dll -- (lxcz_device)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\RVIEG01.dll -- (lvpr2mon)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ssrvc.dll -- (HpqRemHid)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\cicsclient.dll -- (eabfiltr)
SRV - [2012/04/21 12:43:15 | 000,105,288 | ---- | M] (SurfRight B.V.) [Auto | Running] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
SRV - [2012/04/04 13:13:18 | 000,067,408 | ---- | M] (iS3, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe -- (szserver)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\FAMILY~1\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2012/04/27 22:25:25 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{466D36BD-668D-457D-8B0C-855B2D88C94F}\MpKsl81c55132.sys -- (MpKsl81c55132)
DRV - [2012/04/26 00:32:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/01/12 09:26:20 | 000,101,112 | R--- | M] (GFI Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2009/07/17 09:23:00 | 000,476,544 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dr71WU.sys -- (RT73)
DRV - [2004/06/04 14:12:10 | 000,379,488 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111nd5.sys -- (wg111nd5)
DRV - [2004/05/20 10:46:42 | 000,016,292 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)
DRV - [2004/05/20 10:46:38 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2004/03/05 18:09:02 | 000,003,904 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\CheckIt\Diagnostics\MAPMEM.SYS -- (MAPMEM)
DRV - [2004/03/05 18:09:00 | 000,003,744 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\CheckIt\Diagnostics\BCMNTIO.SYS -- (BCMNTIO)
DRV - [2001/08/17 08:49:00 | 000,075,136 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atimpae.sys -- (atirage3)
DRV - [2001/08/17 08:19:56 | 000,063,360 | ---- | M] (ESS Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ess.sys -- (ess) ESS Audio Driver (WDM)
DRV - [2001/08/17 08:11:38 | 000,128,000 | ---- | M] (Compaq Computer Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\n100325.sys -- (N100)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-839522115-813497703-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
IE - HKU\S-1-5-21-839522115-813497703-1060284298-1003\..\SearchScopes,DefaultScope = {56256A51-B582-467e-B8D4-7786EDA79AE0}
IE - HKU\S-1-5-21-839522115-813497703-1060284298-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-839522115-813497703-1060284298-1003\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" =
IE - HKU\S-1-5-21-839522115-813497703-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: File not found

[1980/01/04 00:26:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Family Login\Application Data\Mozilla\Extensions

Hosts file not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Application Data [2012/04/21 12:42:04 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Desktop [2012/04/21 12:43:15 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\Documents [2006/10/18 23:45:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\All Users\DRM [2006/10/18 23:42:07 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Documents and Settings\All Users\Favorites [2006/10/18 18:43:49 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu [2010/11/27 12:05:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\All Users\Templates [2006/10/18 18:43:49 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Default User\Application Data [2006/10/18 18:43:49 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Default User\Cookies [2012/04/11 13:50:47 | 000,000,000 | --SD | M]
O4 - Startup: C:\Documents and Settings\Default User\Desktop [2006/10/18 18:43:49 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\Default User\Favorites [2006/10/18 18:43:49 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\Default User\Local Settings [2006/10/18 18:43:49 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Default User\My Documents [2006/10/18 18:43:49 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\Default User\NetHood [2006/10/18 18:43:49 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Default User\PrintHood [2006/10/18 18:43:49 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Default User\Recent [2006/10/18 18:43:49 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Default User\SendTo [2006/10/18 22:57:50 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Default User\Start Menu [2006/10/18 18:43:49 | 000,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\Default User\Templates [2006/10/18 22:52:46 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\Application Data [2012/04/01 12:56:18 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\Cookies [2012/04/27 22:07:19 | 000,000,000 | --SD | M]
O4 - Startup: C:\Documents and Settings\Family Login\defogger_reenable ()
O4 - Startup: C:\Documents and Settings\Family Login\Desktop [2012/04/27 23:16:06 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\Favorites [2012/04/20 23:51:20 | 000,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\Family Login\hob [2012/02/26 01:49:18 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\Family Login\IETldCache [2010/08/24 21:14:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Documents and Settings\Family Login\Local Settings [2010/08/23 12:01:07 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\My Documents [2012/04/23 00:36:50 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\NetHood [2012/03/18 15:55:31 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\NTUSER.DAT ()
O4 - Startup: C:\Documents and Settings\Family Login\ntuser.dat.LOG ()
O4 - Startup: C:\Documents and Settings\Family Login\ntuser.ini ()
O4 - Startup: C:\Documents and Settings\Family Login\PrintHood [2006/10/18 18:43:49 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\PrivacIE [2010/08/24 21:33:05 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Documents and Settings\Family Login\Recent [2012/04/27 23:21:46 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\SendTo [2006/10/18 23:08:46 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\Start Menu [2006/10/18 18:43:49 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\Templates [2006/10/18 22:52:46 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Family Login\UserData [2012/04/27 22:13:08 | 000,000,000 | --SD | M]
O4 - Startup: C:\Documents and Settings\LocalService\Application Data [2006/10/18 23:07:30 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\LocalService\Cookies [2006/10/18 23:07:32 | 000,000,000 | --SD | M]
O4 - Startup: C:\Documents and Settings\LocalService\Local Settings [2006/10/18 23:07:31 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\LocalService\NTUSER.DAT ()
O4 - Startup: C:\Documents and Settings\LocalService\ntuser.dat.LOG ()
O4 - Startup: C:\Documents and Settings\LocalService\ntuser.ini ()
O4 - Startup: C:\Documents and Settings\LocalService\Start Menu [2006/10/19 01:06:08 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\NetworkService\Application Data [2012/04/20 02:59:44 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\NetworkService\Cookies [2012/04/21 23:23:29 | 000,000,000 | --SD | M]
O4 - Startup: C:\Documents and Settings\NetworkService\Local Settings [2006/10/18 23:07:30 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\NetworkService\NTUSER.DAT ()
O4 - Startup: C:\Documents and Settings\NetworkService\ntuser.dat.LOG ()
O4 - Startup: C:\Documents and Settings\NetworkService\ntuser.ini ()
O4 - Startup: C:\Documents and Settings\NetworkService\UserData [2012/04/20 02:58:28 | 000,000,000 | --SD | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-813497703-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-839522115-813497703-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-839522115-813497703-1060284298-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.254.1 167.206.254.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C3F5B8F4-0633-4E20-983B-D2B490E87D7A}: DhcpNameServer = 167.206.254.1 167.206.254.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Family Login\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Family Login\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/18 23:00:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-839522115-813497703-1060284298-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: FlashPlayerUpdate - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: HostManager - hkey= - key= - C:\Program Files\Common Files\AOL\1162161876\ee\aolsoftware.exe (America Online, Inc.)
MsConfig - StartUpReg: IPHSend - hkey= - key= - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: ViewMgr - hkey= - key= - Reg Error: Value error. File not found

SafeBootMin: 84333561.sys - Driver
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: MsMpSvc - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1325db73-d9f1-48f8-8895-6d814ec58889} - Security Update for Windows XP (KB913433)
ActiveX: {1897C549-AE52-4571-8996-44854F5612B2} - Microsoft .NET Framework 1.1 Security Update (KB2656370)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.1.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.1.4
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3e7bb08a-a7a3-4692-8eac-ac5e7895755b} - KB834707
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player 9 ActiveX
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: eabfiltr - %systemroot%\system32\cicsclient.dll File not found
NetSvcs: lvpr2mon - %systemroot%\system32\RVIEG01.dll File not found
NetSvcs: navap - File not found
NetSvcs: lxcz_device - %systemroot%\system32\KR10N.dll File not found
NetSvcs: NVXBAR - File not found
NetSvcs: AppnBase - File not found
NetSvcs: rassstp - File not found
NetSvcs: uiusys - File not found
NetSvcs: schscnt - File not found
NetSvcs: ibmpmsvc - File not found
NetSvcs: dirms_defragmentation - File not found
NetSvcs: c-dillacdac11ba - File not found
NetSvcs: mcvsrte - File not found
NetSvcs: incdpass - File not found
NetSvcs: SED133x - File not found
NetSvcs: hprfdev - File not found
NetSvcs: clsched - File not found
NetSvcs: arrayssl_vpn_service3 - File not found
NetSvcs: 0 - File not found
NetSvcs: 1 - File not found
NetSvcs: 9 - File not found
NetSvcs: ipassconnectengine - File not found
NetSvcs: cs429x - File not found
NetSvcs: issm - File not found
NetSvcs: UPATC - File not found
NetSvcs: fasttraksvc - File not found
NetSvcs: ctdvda2k - File not found
NetSvcs: caboagp - File not found
NetSvcs: websensecamserver - File not found
NetSvcs: w200obex - File not found
NetSvcs: cxpt_service - File not found
NetSvcs: ZuneBusEnum - File not found
NetSvcs: GT680x - File not found
NetSvcs: nipxirmu - File not found
NetSvcs: paamsrv - File not found
NetSvcs: datasvr2 - File not found
NetSvcs: csctl50 - File not found
NetSvcs: MA_CMIDI - File not found
NetSvcs: NVENET - File not found
NetSvcs: trufos - File not found
NetSvcs: wap3gx - File not found
NetSvcs: mcafeeframework - File not found
NetSvcs: hcmon - File not found
NetSvcs: toddsrv - File not found
NetSvcs: ifp800 - File not found
NetSvcs: opcenum - File not found
NetSvcs: USBVCD - File not found
NetSvcs: Wuser32 - File not found
NetSvcs: icraplus - File not found
NetSvcs: zebrmdfl - File not found
NetSvcs: s3savagemx - File not found
NetSvcs: Stltrk2k - File not found
NetSvcs: forcewarewebinterface - File not found
NetSvcs: vsdatant - File not found
NetSvcs: ownershipprotocol - File not found
NetSvcs: clnt_clientman - File not found
NetSvcs: FETNDIS - File not found
NetSvcs: SlWdmSup - C:\WINDOWS\System32\drivers\slwdmsup.sys (Smart Link)
NetSvcs: R300 - File not found
NetSvcs: GoProto - File not found
NetSvcs: AlKernel - File not found
NetSvcs: vvoice - File not found
NetSvcs: Mtlmnt5 - C:\WINDOWS\System32\drivers\mtlmnt5.sys (Smart Link)
NetSvcs: vds - File not found
NetSvcs: WBHWDOCT - File not found
NetSvcs: ec2007service - File not found
NetSvcs: webdriveservice - File not found
NetSvcs: nbservice - File not found
NetSvcs: USB_NDIS_51 - File not found
NetSvcs: usnjsvc - File not found
NetSvcs: ar5211 - File not found
NetSvcs: nipsvc - File not found
NetSvcs: mozybackup - File not found
NetSvcs: k56 - File not found
NetSvcs: NetwareWorkstation - File not found
NetSvcs: dtsrvc - File not found
NetSvcs: raysatxsi5_0server - %systemroot%\system32\crauto.dll File not found
NetSvcs: HpqRemHid - %systemroot%\system32\ssrvc.dll File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Unable to start System Restore Service. Error code 1056

========== Files/Folders - Created Within 30 Days ==========

[2012/04/27 23:15:54 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Family Login\Desktop\OTL.exe
[2012/04/27 22:21:17 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Family Login\Desktop\aswMBR.exe
[2012/04/27 22:07:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Family Login\Recent
[2012/04/27 00:55:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2012/04/26 22:52:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family Login\Desktop\gmer
[2012/04/26 22:38:20 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Family Login\Desktop\dds.scr
[2012/04/23 00:39:39 | 000,000,000 | ---D | C] -- C:\TDSSKiller items
[2012/04/22 11:55:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/04/22 09:55:27 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/04/21 17:57:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family Login\Desktop\tdsskiller
[2012/04/21 12:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2012/04/21 12:43:11 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/04/21 12:42:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/04/20 21:34:23 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/04/20 21:26:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012/04/20 21:11:45 | 000,101,112 | R--- | C] (GFI Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2012/04/20 21:11:43 | 000,042,864 | R--- | C] (GFI Software) -- C:\WINDOWS\System32\SBBD.EXE
[2012/04/20 21:10:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2012/04/20 21:09:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2012/04/20 02:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/04/20 02:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/04/11 14:56:36 | 000,073,104 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\drivers\SZKGFS.sys
[2012/04/04 13:13:38 | 000,023,376 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll
[2012/04/04 13:13:26 | 000,546,640 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll
[2012/04/04 13:13:22 | 000,481,104 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll
[2012/04/01 21:06:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/03/31 11:36:16 | 000,104,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32spl.dll
[2012/03/31 11:35:32 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msw3prt.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/27 23:15:55 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family Login\Desktop\OTL.exe
[2012/04/27 23:13:19 | 000,337,321 | ---- | M] () -- C:\Documents and Settings\Family Login\Desktop\FSS.exe
[2012/04/27 23:12:05 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Family Login\Desktop\MBR.dat
[2012/04/27 22:21:17 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Family Login\Desktop\aswMBR.exe
[2012/04/27 22:05:11 | 000,001,636 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/27 21:31:09 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/04/27 21:23:17 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/27 21:23:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/26 22:50:04 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Family Login\Desktop\gmer.zip
[2012/04/26 22:38:25 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Family Login\Desktop\dds.scr
[2012/04/26 22:34:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Family Login\defogger_reenable
[2012/04/26 22:33:11 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Family Login\Desktop\Defogger.exe
[2012/04/26 00:32:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/04/24 21:41:27 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/04/23 00:37:32 | 000,026,578 | ---- | M] () -- C:\Documents and Settings\Family Login\My Documents\cc_20120423_003645.reg
[2012/04/21 14:39:20 | 000,004,110 | ---- | M] () -- C:\Documents and Settings\Family Login\My Documents\log for hitman pro 2nd on apr 21 12.xml
[2012/04/21 14:33:30 | 000,000,332 | ---- | M] () -- C:\Documents and Settings\Family Login\My Documents\cc_20120421_143318.reg
[2012/04/21 14:30:04 | 000,011,904 | ---- | M] () -- C:\Documents and Settings\Family Login\My Documents\cc_20120421_142917.reg
[2012/04/21 12:43:15 | 000,001,619 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2012/04/21 06:34:43 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/04/20 02:57:47 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/20 02:56:00 | 000,000,691 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2012/04/11 14:56:36 | 000,073,104 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\drivers\SZKGFS.sys
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/04 13:13:38 | 000,023,376 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll
[2012/04/04 13:13:26 | 000,546,640 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll
[2012/04/04 13:13:22 | 000,481,104 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll
[2012/04/01 12:59:40 | 000,002,461 | ---- | M] () -- C:\Documents and Settings\Family Login\Desktop\HiJackThis.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/27 23:13:19 | 000,337,321 | ---- | C] () -- C:\Documents and Settings\Family Login\Desktop\FSS.exe
[2012/04/27 23:12:05 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Family Login\Desktop\MBR.dat
[2012/04/27 21:23:15 | 000,002,184 | ---- | C] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/26 22:50:02 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Family Login\Desktop\gmer.zip
[2012/04/26 22:34:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Family Login\defogger_reenable
[2012/04/26 22:34:27 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Family Login\Desktop\Defogger.exe
[2012/04/25 23:17:29 | 000,001,636 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/23 00:36:50 | 000,026,578 | ---- | C] () -- C:\Documents and Settings\Family Login\My Documents\cc_20120423_003645.reg
[2012/04/21 14:39:20 | 000,004,110 | ---- | C] () -- C:\Documents and Settings\Family Login\My Documents\log for hitman pro 2nd on apr 21 12.xml
[2012/04/21 14:33:25 | 000,000,332 | ---- | C] () -- C:\Documents and Settings\Family Login\My Documents\cc_20120421_143318.reg
[2012/04/21 14:29:33 | 000,011,904 | ---- | C] () -- C:\Documents and Settings\Family Login\My Documents\cc_20120421_142917.reg
[2012/04/21 12:43:15 | 000,001,619 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2012/04/20 02:46:07 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/15 04:17:29 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/02 13:27:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Iqizuvupoqoxevu.bin
[2011/02/02 13:27:15 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rxasarorohuge.dat

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/10/18 18:42:22 | 000,090,112 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2006/10/18 18:42:22 | 000,630,784 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2006/10/18 18:42:22 | 000,380,928 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2012/02/24 15:28:26 | 000,099,728 | R--- | M] (iS3 Inc.) -- C:\WINDOWS\system32\drivers\is3srv.sys
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2012/04/26 00:32:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2012/02/24 15:28:26 | 000,099,728 | R--- | M] (iS3 Inc.) -- C:\WINDOWS\system32\drivers\SZKG.sys
[2012/04/11 14:56:36 | 000,073,104 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\system32\drivers\SZKGFS.sys

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AFD.SYS >
[2011/08/17 09:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\dllcache\afd.sys
[2011/08/17 09:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\drivers\afd.sys
[2008/04/13 15:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2008/04/13 15:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2011/02/16 09:22:48 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=355556D9E580915118CD7EF736653A89 -- C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2008/10/16 11:07:58 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=38D7B715504DA4741DF35E3594FE2099 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008/08/14 06:34:26 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=4D43E74F2A1239D53929B82600F1971C -- C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2008/08/14 05:51:43 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=55E6E1C51B6D30E54335750955453702 -- C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2004/08/03 23:14:16 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys
[2008/08/14 05:48:52 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=6A0397376853E604DE8E1E7A87FC08AC -- C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys
[2008/10/16 10:43:01 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7618D5218F2A614672EC61A80D854A37 -- C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2008/08/14 06:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys
[2008/08/14 06:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011/02/16 09:25:05 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=8D499B1276012EB907E7A9E0F4D8FDA4 -- C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2008/06/20 06:44:38 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=944CA435BFCFC82CC1ED9E3A7D731AA9 -- C:\WINDOWS\$NtUninstallKB956803_0$\afd.sys
[2008/06/20 07:48:03 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=D6EE6014241D034E63C49A50CB2B442A -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008/06/20 06:44:08 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=D99DDFFB33DEACDCF20717CB520379F6 -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
[2008/06/20 07:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
[2008/06/20 07:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2011/08/17 09:41:46 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=F6B7B1ECD7B41736BDB6FF4B092BCB79 -- C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/11/27 11:26:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2010/11/27 11:26:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: NETBT.SYS >
[2004/08/03 23:14:38 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2008/04/13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2008/04/13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\dllcache\netbt.sys
[2008/04/13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\drivers\netbt.sys

< MD5 for: VOLSNAP.SYS >
[2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/03 23:00:18 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 00:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2008/04/13 20:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\MSN Explorer\shell\open\command\\: "C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE" [2001/08/23 08:00:00 | 000,090,112 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2008/04/13 20:12:35 | 000,045,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2008/04/13 20:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\MSN Explorer\shell\open\command\\: "C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE" [2001/08/23 08:00:00 | 000,090,112 | ---- | M] (Microsoft Corporation)

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

< End of report >

4b. Extras.txt

OTL Extras logfile created on: 4/27/2012 11:17:52 PM - Run 1
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Documents and Settings\Family Login\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.55 Mb Total Physical Memory | 172.76 Mb Available Physical Memory | 45.04% Memory free
986.29 Mb Paging File | 746.46 Mb Available in Paging File | 75.68% Paging File free
Paging file location(s): C:\pagefile.sys 640 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 8.79 Gb Free Space | 47.14% Space Free | Partition Type: NTFS

Computer Name: DAMONFAMILY01 | User Name: Family Login | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hta [@ = htafile] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-839522115-813497703-1060284298-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htafile [open] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1162161876\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1162161876\ee\aolsoftware.exe:*:Enabled:AOL Services -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1162161876\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1162161876\ee\aim6.exe:*:Enabled:AIM -- (America Online, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{21B9CC18-8AB7-402F-B343-CD2127FC3CFC}" = NETGEAR WG111 Software
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E1D975D-9BF3-43CF-AA30-7186CEE3D9DE}" = STOPzilla
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}" = Apple Software Update
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"CCleaner" = CCleaner
"CheckIt Diagnostics" = CheckIt Diagnostics
"ESET Online Scanner" = ESET Online Scanner v3
"HitmanPro36" = HitmanPro 3.6
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Windows Doctor 2.7.2_is1" = Windows Doctor 2.7.2
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-839522115-813497703-1060284298-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/27/2012 9:23:25 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 4/27/2012 9:23:25 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 4/27/2012 9:23:25 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 4/27/2012 9:23:25 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 4/27/2012 11:03:34 PM | Computer Name = DAMONFAMILY01 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 3.0.8402.0, P3 timeout, P4 1.1.8304.0, P5 fixed, P6 1 _ 512, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 4/27/2012 11:07:29 PM | Computer Name = DAMONFAMILY01 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 3.0.8402.0, P3 timeout, P4 1.1.8304.0, P5 fixed, P6 1 _ 512, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 4/27/2012 11:11:26 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 4/27/2012 11:11:26 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 4/27/2012 11:11:26 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 4/27/2012 11:11:26 PM | Computer Name = DAMONFAMILY01 | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]
Error - 4/26/2012 10:59:47 PM | Computer Name = DAMONFAMILY01 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 4/27/2012 10:05:20 AM | Computer Name = DAMONFAMILY01 | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software. For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AH&threatid=2147655284

Name:
Trojan:Win32/Sirefef.AH ID: 2147655284 Severity: Severe Category: Trojan Path: containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll;containerfile:_C:\System
Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll;containerfile:_C:\System

Detection
Origin: %%845 Detection Type: %%822 Detection Source: %%815 User: NT AUTHORITY\SYSTEM

Process
Name: Unknown Action: %%808 Action Status: No additional actions required Error Code:
0x80070021 Error description: The process cannot access the file because another
process has locked a portion of the file. Signature Version: AV: 1.125.627.0, AS:
1.125.627.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.8304.0, NIS: 0.0.0.0

Error - 4/27/2012 9:23:09 PM | Computer Name = DAMONFAMILY01 | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 4/27/2012 9:23:09 PM | Computer Name = DAMONFAMILY01 | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 4/27/2012 9:25:20 PM | Computer Name = DAMONFAMILY01 | Source = Service Control Manager | ID = 7023
Description = The STOPzilla Service service terminated with the following error:
%%126

Error - 4/27/2012 9:25:20 PM | Computer Name = DAMONFAMILY01 | Source = Service Control Manager | ID = 7023
Description = The Prismxl service terminated with the following error: %%126

Error - 4/27/2012 9:25:20 PM | Computer Name = DAMONFAMILY01 | Source = Service Control Manager | ID = 7023
Description = The Beatjammusicstreamingserver service terminated with the following
error: %%126

Error - 4/27/2012 9:25:20 PM | Computer Name = DAMONFAMILY01 | Source = Service Control Manager | ID = 7023
Description = The Cpqfws2e service terminated with the following error: %%126

Error - 4/27/2012 9:25:20 PM | Computer Name = DAMONFAMILY01 | Source = Service Control Manager | ID = 7023
Description = The Caili service terminated with the following error: %%126

Error - 4/27/2012 9:25:20 PM | Computer Name = DAMONFAMILY01 | Source = Service Control Manager | ID = 7023
Description = The Ssmdrv service terminated with the following error: %%126

< End of report >

5. How is my computer currently running?

As of now, I see no significant changes from previously. I check MSE and I see the daily detection (quarantining) and removal of the Sirefef.ah and/or Sirefef.ac trojans that's been going on since I got these like 5 days ago. I've attached a file to show you recent MSE history listings of what MSE removed. I tried pasting a print screen here but was unable so apologies for any inconvenience. I thought it might be useful to see what MSE has removed.

As for performance, my computer is slow at times and has been for a while. I don't know why. Normally only MSE and MBAM are on it and only MSE is "on" all the time. Many times when I run task manager, my cpu usage is 100%. I have approx. 25 programs operating and I'm not sure why. I attached a print screen of task manager and its included in the word file I attached that contains the MSE history print screens. Maybe there are programs that run but are not needed. I know I loaded up Hitmanpro earlier in the week to try to help and it is running behind the scenes I think. Probably other items are running that are not needed but I don't know which ones to get rid of. Also, System Idle Process takes lots of CPU usage sometimes and I have like 8 versions of Svchost.exe running which may be ok but I do not know. Can you assist/advise ...perhaps after we take care of the Sirefef.ac and .ah items, if feasible.

When MSE runs a full scan, it can take 6-8 hours. When MBAM runs a full scan, it can take 1-2 but sometimes over 3 hours? I don't know why and this seems a problm esp since hard drive is not big.

That said, the computer functions. I can work in excel or word and can access the web, even though at times the computer freezes or is slow. Sometimes, when I go to close a program via clicking on "X" or by pressing end program within task manager, the program doesn't close and then I click on the program and select go to process which I then highlight/click and select end process.

All tonight, while running these scans, MSE status flag showed clean and green status.

Ok , that's all for now.

I appreciate you helping me!

Good night and regards,

davidad

#5 SweetTech

Agent ST

Malware Response Team
13,421 posts

Gender:Male
Location:Antarctica

Posted 28 April 2012 - 09:07 AM

Hello Davidad !

Also, apologies for sending attachments and not embedding their contents in the reply window. I followed the instructions provided me earlier..to attach the two items but going forward, I will put log contents into the reply window.

No worries, it's not your fault. Some helpes prefer to work with files as attachments, and others prefer to have them posted in the thread.

I find it easier to work with the logs when the contents are postd in the thread.

1) I thought the Sirefef.ac and Sirefef.ah trojans/viruses? were what had infected my machines, not ZeroAccess (Max) and thought they did redirects to other web sites. Are these two items just other names for this ZeroAccess? Does this ZeroAccess do redirects and potentially log keystrokes, steal pws, etc?

Yes, Sirefef is another name for ZeroAccess. Some people refer to it using one name, while others use the other name.

ZeroAccess is a backdoor trojan, so it does have the ability to log your keystrokes, and steal passwords.

2) If my computer is on but no internet explorer program is open (meaning I am not online), can someone "get into" my computer or make it online? Should I keep it off or is it ok to keep it on? Also, can I use the computer i.e. to get on line or make a spreadsheet?

With this infection, I'd definitely say that it's capable of doing damage while you're connected to the internet (even if you don't have a browser open).

If you want to keep it on, I'd suggest disconnecting it from the internet when you're not using it.

3) I have MSE already installed and if its status shows green and protecting the computer, is the computer safe (since at least as of that specific time, the sirefef.ac & .ah are indicated in the MSE history to have been removed? Or, is the computer totally exposed even when MSE shows green and the sirefefs removed?

At this point your computer is still exposed, the infection is still active on your system.

4) Should I install any other protection now or is MSE adequate? (FYI, I also have MBAM installed though this doesn't run automatically..only runs when I double click on the icon to run (& update definitions).

For right now, this is fine, installing anything else at the moment will just get in our way.

5) You noted in your #5 I should not run spyware scans unless you ask. So, just to confirm, I will not run MBAM at all going forward unless you advise me to, correct? Is it ok that MSE continues to run / protect my computer automatically? I'm sure that today, it will again detect and remove the Sirefef items, at least the .ah one.

Yes, this is correct. It's okay to have your MSE continu to run, the only time you should disable it is if it's required for performing a certain step. Don't worry, I'll be sure to let you know when this is required.

6) Though I don't use it a lot for accessing bank data, I have previously so I did change passwords for those already.

Okay.

1. As for questions, please see my previous message from earlier today with questions I need your help with.

Hopefully I answered the above questions, if you need clarification on anything from the above let me know.

Also, System Idle Process takes lots of CPU usage sometimes and I have like 8 versions of Svchost.exe running which may be ok but I do not know. Can you assist/advise ...perhaps after we take care of the Sirefef.ac and .ah items, if feasible.

This is actually not unusual that is in regards to multiple svchost.exe running. It's perfectly normal for there to be multiple svchost.exe running at one time

OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:Processes
KILLALLPROCESSES
:OTL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - No CLSID value found.
O8 - Extra context menu item: &Search - Reg Error: Value error. File not found
O37 - HKU\S-1-5-21-839522115-813497703-1060284298-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found
NetSvcs: eabfiltr - %systemroot%\system32\cicsclient.dll File not found
NetSvcs: lvpr2mon - %systemroot%\system32\RVIEG01.dll File not found
NetSvcs: navap - File not found
NetSvcs: lxcz_device - %systemroot%\system32\KR10N.dll File not found
NetSvcs: NVXBAR - File not found
NetSvcs: AppnBase - File not found
NetSvcs: rassstp - File not found
NetSvcs: uiusys - File not found
NetSvcs: schscnt - File not found
NetSvcs: ibmpmsvc - File not found
NetSvcs: dirms_defragmentation - File not found
NetSvcs: c-dillacdac11ba - File not found
NetSvcs: mcvsrte - File not found
NetSvcs: incdpass - File not found
NetSvcs: SED133x - File not found
NetSvcs: hprfdev - File not found
NetSvcs: clsched - File not found
NetSvcs: arrayssl_vpn_service3 - File not found
NetSvcs: 0 - File not found
NetSvcs: 1 - File not found
NetSvcs: 9 - File not found
NetSvcs: ipassconnectengine - File not found
NetSvcs: cs429x - File not found
NetSvcs: issm - File not found
NetSvcs: UPATC - File not found
NetSvcs: fasttraksvc - File not found
NetSvcs: ctdvda2k - File not found
NetSvcs: caboagp - File not found
NetSvcs: websensecamserver - File not found
NetSvcs: w200obex - File not found
NetSvcs: cxpt_service - File not found
NetSvcs: ZuneBusEnum - File not found
NetSvcs: GT680x - File not found
NetSvcs: nipxirmu - File not found
NetSvcs: paamsrv - File not found
NetSvcs: datasvr2 - File not found
NetSvcs: csctl50 - File not found
NetSvcs: MA_CMIDI - File not found
NetSvcs: NVENET - File not found
NetSvcs: trufos - File not found
NetSvcs: wap3gx - File not found
NetSvcs: mcafeeframework - File not found
NetSvcs: hcmon - File not found
NetSvcs: toddsrv - File not found
NetSvcs: ifp800 - File not found
NetSvcs: opcenum - File not found
NetSvcs: USBVCD - File not found
NetSvcs: Wuser32 - File not found
NetSvcs: icraplus - File not found
NetSvcs: zebrmdfl - File not found
NetSvcs: s3savagemx - File not found
NetSvcs: Stltrk2k - File not found
NetSvcs: forcewarewebinterface - File not found
NetSvcs: vsdatant - File not found
NetSvcs: ownershipprotocol - File not found
NetSvcs: clnt_clientman - File not found
NetSvcs: FETNDIS - File not found
NetSvcs: R300 - File not found
NetSvcs: GoProto - File not found
NetSvcs: AlKernel - File not found
NetSvcs: vvoice - File not found
NetSvcs: vds - File not found
NetSvcs: WBHWDOCT - File not found
NetSvcs: ec2007service - File not found
NetSvcs: webdriveservice - File not found
NetSvcs: nbservice - File not found
NetSvcs: USB_NDIS_51 - File not found
NetSvcs: usnjsvc - File not found
NetSvcs: ar5211 - File not found
NetSvcs: nipsvc - File not found
NetSvcs: mozybackup - File not found
NetSvcs: k56 - File not found
NetSvcs: NetwareWorkstation - File not found
NetSvcs: dtsrvc - File not found
NetSvcs: raysatxsi5_0server - %systemroot%\system32\crauto.dll File not found
NetSvcs: HpqRemHid - %systemroot%\system32\ssrvc.dll File not found
[2011/02/02 13:27:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Iqizuvupoqoxevu.bin
[2011/02/02 13:27:15 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rxasarorohuge.dat

:Reg

:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

NEXT:

Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL fix log.
3. ComboFix.txt
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

#6 davidad

Member

Members
61 posts

Gender:Male

Posted 28 April 2012 - 03:12 PM

Hello Agent ST,

I need some quick help. I ran OTL and it went fine.

I disabled real time protection in MSE, downloaded comboFix and started it. I got a blue screen...saying Please wait. ComboFix is preparing to run. Attempting to create a new system restore point.

Then another bos opened entitled MicroSoft Windows Recovery Console and inside it says, This machine does not have the microsoft windows recovery console installed. Alternativey, an existing installation of the recovery console may be present but requires updating. Without it ComboFix shall not attempt the fixing of some serious infections. Click "Yes" to have ComboFix download/install it. NOTE this requires an active internet connection."

Ok, what do I do? There were no instructions in your prior guidance on this and I have read that anything with ComboFix should be done only after getting explicit or specific instructions. Should I click yes to download/install this microsoft windows recovery console?

Please advise as soon as feasible since my MSE is disabled and is thus showing a red status, and I still have the open ComboFix query box open. (I'm writing from another computer.)

Also, I don't know if this matters or what it means fyi, I have hitmanpro 3.6.0 previously installed and after rebooting once OTL was done, (before running ComboFix) I got a message / detection saying:

Hosts
C:\windows\system32\drivers\etc\
Hosts file is compromised. Hosts file contains Byte order mark (BOM) obfuscation.

I haven't gone anything with this. I've left it alone fyi.

Again, should I click Yes to download/install the microsoft windows recovery console?

Thank you very much and regards,

Davidad

#7 davidad

Member

Members
61 posts

Gender:Male

Posted 28 April 2012 - 05:45 PM

Hello ST,

I await your response to my earlier question? I am leaning toward just clicking yes to have ComboFix download and install the ms windows recovery console and then proceed to have ComboFix run.

In the meantime, here is the OTL.txt log. It was named 04282012-143740 when it got set up.

========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3215F20-3212-11D6-9F8B-00D0B743919D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3215F20-3212-11D6-9F8B-00D0B743919D}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-839522115-813497703-1060284298-1003_Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-839522115-813497703-1060284298-1003_Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
eabfiltr removed from NetSvcs value successfully!
Service eabfiltr stopped successfully!
Service eabfiltr deleted successfully!
lvpr2mon removed from NetSvcs value successfully!
Service lvpr2mon stopped successfully!
Service lvpr2mon deleted successfully!
navap removed from NetSvcs value successfully!
lxcz_device removed from NetSvcs value successfully!
Service lxcz_device stopped successfully!
Service lxcz_device deleted successfully!
NVXBAR removed from NetSvcs value successfully!
AppnBase removed from NetSvcs value successfully!
rassstp removed from NetSvcs value successfully!
uiusys removed from NetSvcs value successfully!
schscnt removed from NetSvcs value successfully!
ibmpmsvc removed from NetSvcs value successfully!
dirms_defragmentation removed from NetSvcs value successfully!
c-dillacdac11ba removed from NetSvcs value successfully!
mcvsrte removed from NetSvcs value successfully!
incdpass removed from NetSvcs value successfully!
SED133x removed from NetSvcs value successfully!
hprfdev removed from NetSvcs value successfully!
clsched removed from NetSvcs value successfully!
arrayssl_vpn_service3 removed from NetSvcs value successfully!
0 removed from NetSvcs value successfully!
1 removed from NetSvcs value successfully!
9 removed from NetSvcs value successfully!
ipassconnectengine removed from NetSvcs value successfully!
cs429x removed from NetSvcs value successfully!
issm removed from NetSvcs value successfully!
UPATC removed from NetSvcs value successfully!
fasttraksvc removed from NetSvcs value successfully!
ctdvda2k removed from NetSvcs value successfully!
caboagp removed from NetSvcs value successfully!
websensecamserver removed from NetSvcs value successfully!
w200obex removed from NetSvcs value successfully!
cxpt_service removed from NetSvcs value successfully!
ZuneBusEnum removed from NetSvcs value successfully!
GT680x removed from NetSvcs value successfully!
nipxirmu removed from NetSvcs value successfully!
paamsrv removed from NetSvcs value successfully!
datasvr2 removed from NetSvcs value successfully!
csctl50 removed from NetSvcs value successfully!
MA_CMIDI removed from NetSvcs value successfully!
NVENET removed from NetSvcs value successfully!
trufos removed from NetSvcs value successfully!
wap3gx removed from NetSvcs value successfully!
mcafeeframework removed from NetSvcs value successfully!
hcmon removed from NetSvcs value successfully!
toddsrv removed from NetSvcs value successfully!
ifp800 removed from NetSvcs value successfully!
opcenum removed from NetSvcs value successfully!
USBVCD removed from NetSvcs value successfully!
Wuser32 removed from NetSvcs value successfully!
icraplus removed from NetSvcs value successfully!
zebrmdfl removed from NetSvcs value successfully!
s3savagemx removed from NetSvcs value successfully!
Stltrk2k removed from NetSvcs value successfully!
forcewarewebinterface removed from NetSvcs value successfully!
vsdatant removed from NetSvcs value successfully!
ownershipprotocol removed from NetSvcs value successfully!
clnt_clientman removed from NetSvcs value successfully!
FETNDIS removed from NetSvcs value successfully!
R300 removed from NetSvcs value successfully!
GoProto removed from NetSvcs value successfully!
AlKernel removed from NetSvcs value successfully!
vvoice removed from NetSvcs value successfully!
vds removed from NetSvcs value successfully!
WBHWDOCT removed from NetSvcs value successfully!
ec2007service removed from NetSvcs value successfully!
webdriveservice removed from NetSvcs value successfully!
nbservice removed from NetSvcs value successfully!
USB_NDIS_51 removed from NetSvcs value successfully!
usnjsvc removed from NetSvcs value successfully!
ar5211 removed from NetSvcs value successfully!
nipsvc removed from NetSvcs value successfully!
mozybackup removed from NetSvcs value successfully!
k56 removed from NetSvcs value successfully!
NetwareWorkstation removed from NetSvcs value successfully!
dtsrvc removed from NetSvcs value successfully!
raysatxsi5_0server removed from NetSvcs value successfully!
Service raysatxsi5_0server stopped successfully!
Service raysatxsi5_0server deleted successfully!
HpqRemHid removed from NetSvcs value successfully!
Service HpqRemHid stopped successfully!
Service HpqRemHid deleted successfully!
C:\WINDOWS\Iqizuvupoqoxevu.bin moved successfully.
C:\WINDOWS\Rxasarorohuge.dat moved successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully
Unable to start System Restore Service. Error code 1056

OTL by OldTimer - Version 3.2.42.1 log created on 04282012_143740

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Thanks and regards,

davidad

#8 davidad

Member

Members
61 posts

Gender:Male

Posted 28 April 2012 - 11:17 PM

Hello again Agent ST!

It is davidad again.

I responded earlier tonight re the OTL fix log ( your #2 point) and sent it earlier.

My comments/observations/questions ( your #1 point) - As for ComboFix as it was getting late and not wanting to close down the computer in the middle of working through this script, I decided to go forward and click "Yes" download/install. I accepted some license agreement, checked yes to continue and the scanning seemed to start. I hope this was the right decision. Was it? Please advise.

The open box showed the word "AutoScan" on top and noted it should take 10 minutes. There were lines showing "completed stages", 50 in all in numerical order (There was a 6a, 19b,and 32a included within also. Then it started noting it was deleting files...then deleting folders. The system rebooted, there was a ComboFix box which noted please wait. The ComboFix scan seemed to proceed and complete successfully. In #3 below, I have listed the log.

#3 ComboFix log

ComboFix 12-04-28.01 - Family Login 04/28/2012 22:44:14.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.384.145 [GMT -4:00]
Running from: c:\documents and settings\Family Login\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\system32\acelpdec.ax
c:\windows\system32\ativdaxx.ax
c:\windows\system32\ativmvxx.ax
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\g711codc.ax
c:\windows\system32\iac25_32.ax
c:\windows\system32\ir41_32.ax
c:\windows\system32\ivfsrc.ax
c:\windows\system32\ksproxy.ax
c:\windows\system32\l3codecx.ax
c:\windows\system32\mpeg2data.ax
c:\windows\system32\mpg2splt.ax
c:\windows\system32\mpg4ds32.ax
c:\windows\system32\msadds32.ax
c:\windows\system32\msscds32.ax
c:\windows\system32\urttemp
c:\windows\system32\vbicodec.ax
c:\windows\system32\vbisurf.ax
c:\windows\system32\vidcap.ax
c:\windows\system32\wiasf.ax
c:\windows\system32\wmv8ds32.ax
c:\windows\system32\wmvds32.ax
c:\windows\system32\wstpager.ax
c:\windows\system32\wstrenderer.ax
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NETWORKLOG
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-29 )))))))))))))))))))))))))))))))
.
.
2012-04-29 03:14 . 2012-04-29 03:14 26400 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-04-28 18:37 . 2012-04-28 18:37 -------- d-----w- C:\_OTL
2012-04-28 06:16 . 2012-04-29 03:15 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F62AB288-6EE4-497E-A6FF-9CF92C31A572}\offreg.dll
2012-04-28 06:07 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F62AB288-6EE4-497E-A6FF-9CF92C31A572}\mpengine.dll
2012-04-27 04:55 . 2012-04-27 04:55 -------- d-----w- c:\windows\system32\LogFiles
2012-04-23 04:39 . 2012-04-23 04:39 -------- d-----w- C:\TDSSKiller items
2012-04-22 15:55 . 2012-04-22 15:55 -------- d-----w- c:\program files\ESET
2012-04-21 16:43 . 2012-04-21 16:43 -------- d-----w- c:\program files\HitmanPro
2012-04-21 16:42 . 2012-04-21 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-04-21 01:34 . 2012-04-22 04:30 -------- d-----w- C:\sh4ldr
2012-04-21 01:27 . 2012-04-22 04:28 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-04-21 01:26 . 2012-04-21 01:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-04-21 01:11 . 2012-01-12 13:26 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-04-21 01:11 . 2012-01-19 14:22 42864 ----a-r- c:\windows\system32\SBBD.EXE
2012-04-21 01:10 . 2012-04-21 01:10 -------- d-----w- c:\program files\Common Files\iS3
2012-04-21 01:09 . 2012-04-22 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2012-04-20 06:58 . 2012-04-20 06:58 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-04-11 18:56 . 2012-04-11 18:56 73104 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2012-04-04 17:13 . 2012-04-04 17:13 23376 ----a-r- c:\windows\system32\SZIO5.dll
2012-04-04 17:13 . 2012-04-04 17:13 546640 ----a-r- c:\windows\system32\SZComp5.dll
2012-04-04 17:13 . 2012-04-04 17:13 481104 ----a-r- c:\windows\system32\SZBase5.dll
2012-03-31 15:35 . 2008-08-28 07:46 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-29 03:18 . 2012-04-29 03:18 4752 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-13 07:36 . 2010-08-25 04:05 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 19:56 . 2011-02-09 04:30 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-29 14:10 . 2001-08-23 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2001-08-23 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50 . 2004-01-08 19:23 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50 . 2010-08-24 16:12 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50 . 2006-10-19 04:51 369664 ----a-w- c:\windows\system32\html.iec
2012-02-26 05:44 . 2012-02-26 05:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-26 05:44 . 2012-02-26 05:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-24 19:28 . 2012-02-24 19:28 99728 ----a-r- c:\windows\system32\drivers\SZKG.sys
2012-02-24 19:28 . 2012-02-24 19:28 99728 ----a-r- c:\windows\system32\drivers\is3srv.sys
2012-02-23 18:09 . 2012-02-23 18:09 29008 ----a-r- c:\windows\system32\IS3XDat5.dll
2012-02-23 18:09 . 2012-02-23 18:09 390992 ----a-r- c:\windows\system32\IS3UI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 231248 ----a-r- c:\windows\system32\IS3Win325.dll
2012-02-23 18:09 . 2012-02-23 18:09 100176 ----a-r- c:\windows\system32\IS3Svc5.dll
2012-02-23 18:09 . 2012-02-23 18:09 132944 ----a-r- c:\windows\system32\IS3HTUI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 104272 ----a-r- c:\windows\system32\IS3Inet5.dll
2012-02-23 18:09 . 2012-02-23 18:09 67408 ----a-r- c:\windows\system32\IS3Hks5.dll
2012-02-23 18:09 . 2012-02-23 18:09 456528 ----a-r- c:\windows\system32\IS3DBA5.dll
2012-02-23 18:09 . 2012-02-23 18:09 808784 ----a-r- c:\windows\system32\IS3Base5.dll
2012-02-23 14:18 . 2010-08-23 16:35 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-02-03 09:22 . 2001-08-23 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2006-10-29 1056864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 -c--a-w- c:\program files\Common Files\AOL\1162161876\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 14:36 256576 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -c--a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 23:58 282624 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162161876\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162161876\\ee\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/20/2012 9:11 PM 101112]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2/16/2011 2:28 AM 3744]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [4/21/2012 12:43 PM 105288]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2/16/2011 2:28 AM 3904]
R3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [10/18/2006 6:46 PM 63360]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [4/28/2012 11:14 PM 26400]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [10/18/2006 6:46 PM 128000]
S1 MpKsld5180f1c;MpKsld5180f1c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F62AB288-6EE4-497E-A6FF-9CF92C31A572}\MpKsld5180f1c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F62AB288-6EE4-497E-A6FF-9CF92C31A572}\MpKsld5180f1c.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO35
*NewlyCreated* - PCANDIS5
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
,
bthmodem
slwdmsup
mtlmnt5
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]
.
2012-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
Notify-TPSvc - TPSvc.dll
SafeBoot-84333561.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-28 23:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\PerfStringBackup.TMP 4752 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\HitmanPro\HitmanPro.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-28 23:26:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-29 03:26
.
Pre-Run: 9,353,322,496 bytes free
Post-Run: 10,217,578,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 9130A44A517F9E7F9FBC8EBB98C81FB4

#4 Update - Here are some observations.

Note, when the computer came back on after the ComboFix reboot, I saw a message like "SZServer.exe - application error The instruction at 0x63104c1F did not find the referenced memory."...or something like that. This was NOT the first time I saw it..I just wanted you to know about it.I think it arose after I had gotten the virus and downloaded the StopZilla program and then when I tried uninstalling it and deleting it, I got some messages that the uninstall may not be working fully. When this box came, I just pressed ok and it went out and then the boot up started.

Also, when the ComboFix scan began..with the words ComboFix Find3M on the top of the open box. The box noted : do not run any programs till finished. Now, when my computer boots up, HitManpro starts an automatic scan. Note that I had previously downloaded HMP (when the virus first hit..several days ago and I didn't realize that I think I should have tried to disable it before running ComboFix. I don't know if it caused a problem...it didn't seem to. I just wanted you to know.

Also, for the first time, I see this little red shield with an X in my systray on the lower right. There was a message saying your computer may be at risk. No fire wall turned on. Your antivirus software might be out of date. Click balloon to Fix." I did NOT click any button to fix and the word box soon went away. This may have come from when I clicked yes to download windows recovery console center but I don't know. Also, I don't know if I should click the balloon again to turn a fire wall on and to update some AV software. When I right click on the icon, I get two choices, open security center or go to microsoft security web site. Any suggested course of action?

Two other points..upon rebooting and after ComboFix was done, I turned back on MSE real time protection. MSE is showing an amber color = potentially unprotected and that I haven't run a scan on the computer in a while. This doesn't make sense since it was run overnight automatically by MSE @ 2 AM. I have seen this message before so I am not overly concerned...but still? I did a quick scan in MSE and nothing came up.

Also, I see some new programs in windows task manager: alg.exe and wscntfy.exe. Also csrss.exe may be new. I attached a print screen so you can see what programs are running. After we've completed the virus removal efforts hopefully, can you review this and advise whether any should be or can be removed? Thanks. Ok, here we go to the ComboFix log.

Ok. That's it for now! I hope I'm providing you useful relevant info. If I'm providing too much or irrelevant data, please advise and I will try to cut back.

I do not know if I am still infected and what other issues I may have so please help!

Thanks again and regards,

davidad

#9 SweetTech

Agent ST

Malware Response Team
13,421 posts

Gender:Male
Location:Antarctica

Posted 29 April 2012 - 01:19 AM

Hi Davidad!

Ok, what do I do? There were no instructions in your prior guidance on this and I have read that anything with ComboFix should be done only after getting explicit or specific instructions. Should I click yes to download/install this microsoft windows recovery console?

I apologize about that!! I use to have instructions in there about allowing ComboFix to install the Windows Recovery Console.

I see now, that they are no longer ther, and will need to update those instructions accordingly. I apologize for the confusion.

My comments/observations/questions ( your #1 point) - As for ComboFix as it was getting late and not wanting to close down the computer in the middle of working through this script, I decided to go forward and click "Yes" download/install. I accepted some license agreement, checked yes to continue and the scanning seemed to start. I hope this was the right decision. Was it? Please advise.

Yes, this was the correct option to select.

Any suggested course of action?

We'll be addressing this issue in a little bit.

Also, I see some new programs in windows task manager: alg.exe and wscntfy.exe. Also csrss.exe may be new. I attached a print screen so you can see what programs are running. After we've completed the virus removal efforts hopefully, can you review this and advise whether any should be or can be removed? Thanks. Ok, here we go to the ComboFix log.

Those processes are legitimate.

Ok. That's it for now! I hope I'm providing you useful relevant info. If I'm providing too much or irrelevant data, please advise and I will try to cut back.

I do not know if I am still infected and what other issues I may have so please help!

You're doing just fine, don't worry. I appreciate all the information that you are providing me with.

Please download the following registry file located here to your Desktop.

Right click on the file and select Merge. You'll get a prompt from UAC asking if you want to gain it Admin Rights, click Yes.

When you're prompted to Merge it with your Registry, please allow it to do so.

Reboot your computer after running the above Registry Fix.

Please let me know if the message about the Security Center is still appearing on reboot.

---------

I would also like to see a list of files quarantined by ComboFix, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Post the contents of that file in your next reply.

#10 davidad

Member

Members
61 posts

Gender:Male

Posted 29 April 2012 - 12:21 PM

Hello ST.

Thanks for your follow up. I went through the steps you listed.

Of note:

1) Registry Download - I was not prompted and asked if I want to gain Admin Rights. (Also, what is UAC?) I presumed that the term merge is what was meant by the question box that opened: "Do you want to add information in C;\Documents and Settings/Family Logon/Desktop/wscsvc.reg to registry?" That's what I saw and pressed yes. It was very quick. I don't know thought if it worked?

2) Note that I waited a couple of hours before rebooting since MSE was in the background still running a full scan from 2:30 AM. It took over 8 hours and went through approx 850,000 items. So, once MSE finished and I came back, I rebooted. Of note as well, MSE again picked up and removed Sirefef.ah twice this morning. See attached for MSE history listing. There were two instances caught and one referenced some error code. I have listed the what was detected and then the description.

2a. Trogan:Win32/Sirefef.AH Alert level - Severe Date - 4/29/2012 11:30 AM Action Taken - Removed

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll->EWS->1.cod

Get more information about this item online.

2b: Trogan:Win32/Sirefef.AH Alert level - Severe Date - 4/29/2012 11:19 AM Action Taken - Removed

Security Essentials encountered the following error: Error code 0x80070021. The process cannot access the file because another process has locked a portion of the file.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll
containerfile:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069782.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069783.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069784.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069785.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069786.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069787.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069788.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069789.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069790.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069791.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069792.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069793.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069794.dll->EWS->1.cod
file:C:\System Volume Information\_restore{8437FA63-47ED-454B-A824-FB4C4DA54076}\RP1108\A0069795.dll->EWS->1.cod

Get more information about this item online.

I guess I am still infected unfortunately. Did you expect this to be the case?

3) Security Center Icon - Upon rebooting, the small shield (in red) appears. Its an icon for Windows Security Cente. When you pass your cursor over it, it shows "Windows Security Alerts" as a phrase. When I right click on it , Im brought to a box that says Windows Security Center and theres a Firewall Section in orange/red indicating Off and recommends I turn it on. Also, there are two other lines..one says automatic updates and the other says virus protection and both have the word ON on each row. What should I do with this? I never had it such an icon. Should I turn on a firewall? (Maybe later?)

4) Another security matter..I have a router and I don't think it is restricted to my house or set up to be locked and prevent others on my block or elsewhere from getting to the web from my router. What should I do? (Maybe later?)

5) ComboFix quarantined files - Please see txt below.

2012-04-29 03:23:31 . 2012-04-29 03:23:31 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-84333561.sys.reg.dat
2012-04-29 03:23:27 . 2012-04-29 03:23:27 484 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-TPSvc.reg.dat
2012-04-29 03:23:26 . 2012-04-29 03:23:26 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat
2012-04-29 03:10:14 . 2012-04-29 03:10:14 113,501 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_wstrenderer_.ax.zip
2012-04-29 03:10:10 . 2012-04-29 03:10:10 67,883 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_wstpager_.ax.zip
2012-04-29 03:10:06 . 2012-04-29 03:10:07 89,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_wmvds32_.ax.zip
2012-04-29 03:10:04 . 2012-04-29 03:10:04 108,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_wmv8ds32_.ax.zip
2012-04-29 03:10:03 . 2012-04-29 03:10:03 20,253 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_wiasf_.ax.zip
2012-04-29 03:10:02 . 2012-04-29 03:10:02 11,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_vidcap_.ax.zip
2012-04-29 03:10:01 . 2012-04-29 03:10:01 15,844 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_vbisurf_.ax.zip
2012-04-29 03:10:00 . 2012-04-29 03:10:00 25,648 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_vbicodec_.ax.zip
2012-04-29 03:09:58 . 2012-04-29 03:09:59 33,275 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_msscds32_.ax.zip
2012-04-29 03:09:57 . 2012-04-29 03:09:57 141,383 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_msadds32_.ax.zip
2012-04-29 03:09:56 . 2012-04-29 03:09:56 88,962 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_mpg4ds32_.ax.zip
2012-04-29 03:09:54 . 2012-04-29 03:09:54 81,389 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_mpg2splt_.ax.zip
2012-04-29 03:09:52 . 2012-04-29 03:09:53 50,371 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_mpeg2data_.ax.zip
2012-04-29 03:09:50 . 2012-04-29 03:09:50 64,839 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_ksproxy_.ax.zip
2012-04-29 03:09:48 . 2012-04-29 03:09:48 19,337 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_g711codc_.ax.zip
2012-04-29 03:09:45 . 2012-04-29 03:09:45 12,009 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_ativmvxx_.ax.zip
2012-04-29 03:09:39 . 2012-04-29 03:09:39 4,116 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_ativdaxx_.ax.zip
2012-04-29 02:54:10 . 2012-04-29 02:54:10 822 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NETWORKLOG.reg.dat
2012-04-29 02:53:48 . 2012-04-29 02:53:48 8,370 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-28 19:19:46 . 2012-04-29 03:10:15 2,814 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-04-20 06:46:07 . 2012-04-21 10:34:43 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dds_trash_log.cmd.vir
2006-10-19 04:51:36 . 2008-04-14 00:12:42 53,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\vbicodec.ax.vir
2006-10-19 04:51:36 . 2008-04-14 00:12:43 164,352 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wstpager.ax.vir
2006-10-19 04:51:36 . 2008-04-14 00:12:43 239,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wstrenderer.ax.vir
2006-10-19 04:51:15 . 2008-04-14 00:12:42 9,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ativdaxx.ax.vir
2006-10-19 04:51:15 . 2008-04-14 00:12:42 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ativmvxx.ax.vir
2006-10-19 04:51:08 . 2008-04-14 00:12:42 118,272 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mpeg2data.ax.vir
2006-10-19 04:51:03 . 2008-04-13 23:12:42 28,672 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\vidcap.ax.vir
2006-10-19 02:56:29 . 2001-08-23 12:00:00 520,192 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\wmpvis.dll.vir
2006-10-18 22:46:46 . 2008-04-13 23:12:42 129,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ksproxy.ax.vir
2005-07-14 22:28:02 . 2005-07-14 22:28:02 365 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf.vir
2001-08-23 12:00:00 . 2001-08-23 12:00:00 61,952 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\acelpdec.ax.vir
2001-08-23 12:00:00 . 2001-08-23 12:00:00 41,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\g711codc.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 199,680 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\iac25_32.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 848,384 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ir41_32.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 154,624 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ivfsrc.ax.vir
2001-08-23 12:00:00 . 2010-06-15 16:17:24 143,422 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\l3codecx.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 148,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg2splt.ax.vir
2001-08-23 12:00:00 . 2010-03-30 05:52:26 262,416 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg4ds32.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 221,184 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\msadds32.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 69,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\msscds32.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 30,208 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\vbisurf.ax.vir
2001-08-23 12:00:00 . 2001-08-23 12:00:00 40,448 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wiasf.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 278,559 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wmv8ds32.ax.vir
2001-08-23 12:00:00 . 2008-04-14 00:12:42 258,048 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wmvds32.ax.vir

6) Finally, when I reboot and after the Desktop picture comes on, I get a message:

The instructions at 0x63104c1F referenced memory at 0x6611a630. Memory could not be found. Click ok to terminate the program. I press ok and the box goes away. How do I get rid of this issue and how do I get rid of unecessary programs. (Maybe later?)

OK, Agent ST, that's it for now.

Thank you very much and regards!

davidad

#11 SweetTech

Agent ST

Malware Response Team
13,421 posts

Gender:Male
Location:Antarctica

Posted 30 April 2012 - 02:50 AM

Hi davidad!

Registry Download - I was not prompted and asked if I want to gain Admin Rights. (Also, what is UAC?) I presumed that the term merge is what was meant by the question box that opened: "Do you want to add information in C;\Documents and Settings/Family Logon/Desktop/wscsvc.reg to registry?" That's what I saw and pressed yes. It was very quick. I don't know thought if it worked?

UAC stands for User Account Control

Note that I waited a couple of hours before rebooting since MSE was in the background still running a full scan from 2:30 AM. It took over 8 hours and went through approx 850,000 items. So, once MSE finished and I came back, I rebooted. Of note as well, MSE again picked up and removed Sirefef.ah twice this morning. See attached for MSE history listing. There were two instances caught and one referenced some error code. I have listed the what was detected and then the description.

Okay, thanks for that information.

I guess I am still infected unfortunately. Did you expect this to be the case?

Security Center Icon - Upon rebooting, the small shield (in red) appears. Its an icon for Windows Security Cente. When you pass your cursor over it, it shows "Windows Security Alerts" as a phrase. When I right click on it , Im brought to a box that says Windows Security Center and theres a Firewall Section in orange/red indicating Off and recommends I turn it on. Also, there are two other lines..one says automatic updates and the other says virus protection and both have the word ON on each row. What should I do with this? I never had it such an icon. Should I turn on a firewall? (Maybe later?)

Yes, please go ahead and turn the firewall on.

Another security matter..I have a router and I don't think it is restricted to my house or set up to be locked and prevent others on my block or elsewhere from getting to the web from my router. What should I do? (Maybe later?)

You can configure your router to require a password before anybody can connect to your network.

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:OTL
:Files
md "c:\windows\system32\urttemp"
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ativdaxx.ax.vir" "c:\windows\system32\ativdaxx.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ativmvxx.ax.vir" "c:\windows\system32\ativmvxx.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\wmpvis.dll.vir" "c:\windows\system32\dllcache\wmpvis.dll" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\acelpdec.ax.vir" "c:\windows\system32\acelpdec.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\g711codc.ax.vir" "c:\windows\system32\g711codc.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\iac25_32.ax.vir" "c:\windows\system32\iac25_32.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ir41_32.ax.vir" "c:\windows\system32\ir41_32.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ivfsrc.ax.vir" "c:\windows\system32\ivfsrc.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ksproxy.ax.vir" "c:\windows\system32\ksproxy.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\l3codecx.ax.vir" "c:\windows\system32\l3codecx.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\mpeg2data.ax.vir" "c:\windows\system32\mpeg2data.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg2splt.ax.vir" "c:\windows\system32\mpg2splt.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg4ds32.ax.vir" "c:\windows\system32\mpg4ds32.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\msadds32.ax.vir""c:\windows\system32\msadds32.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\msscds32.ax.vir" "c:\windows\system32\msscds32.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\vbicodec.ax.vir" "c:\windows\system32\vbicodec.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\vbisurf.ax.vir" "c:\windows\system32\vbisurf.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\vidcap.ax.vir" "c:\windows\system32\vidcap.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wiasf.ax.vir" "c:\windows\system32\wiasf.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wmv8ds32.ax.vir" "c:\windows\system32\wmv8ds32.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wmvds32.ax.vir" "c:\windows\system32\wmvds32.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wstpager.ax.vir" "c:\windows\system32\wstpager.ax" /c
copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wstrenderer.ax.vir" "c:\windows\system32\wstrenderer.ax" /c
ipconfig /flushdns /c
:Commands
[CreateRestorePoint]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

OTL Custom Scan

We need to create a new OTL Report

Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Click on the NONE button at the top.

In the

box Cope & Paste the following:

msconfig
netsvcs
"%WinDir%\$NtUninstallKB*$." /30
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
/md5stop

Push the button.
One report will open, copy and paste it in a reply here:
OTL.txt <-- Will be opened

#12 davidad

Member

Members
61 posts

Gender:Male

Posted 30 April 2012 - 11:32 PM

Hello ST!

Thanks for your feedback again! Ok, I followed your next steps. FYI, I turned off the computer after completing the previous instructions and replying here. Also my version of MBAM only runs when I double click the icon and click on scan. It does not check automatically so I don't believe I needed to disable it nor to I believe there is anything to disable (i.e. like real time scanning). Do you agree? The version # of MBAM I have is 1.6.1 which seems to fit your range in your instructions but it is the free version and I've had it for a while.

1. Status / New Observations - in order of appearance

a. HitManPro 3.6 Quick Scan starts automatically during early part of start up phase. On one hand, that's no problem. On the other, I have heard/learned that it is not effective to have >1 anti-virus/ant-malware program running at the same time. Since I have MSE already, should I remove HitMan Pro? (if not now, then later?). If so, what program should I use to do removals? I have CCleaner already installed and there's the windows based add/remove programs from the control panel though I've had some issues & heard some concerns over it. I thought there was some other program I read on bleepingcomputer called Revo? Please advise on which one to use, what I should remove (I can send you a listing - from where?), and when (I figure we should wait on this till we're done with Sirefef).

b. Still getting the error message when booting up: A box named "SZServer.exe - Application Error" opens up. Inside there's a message: The instruction @0x63104c1f referenced memory at 0x6611a630. The memory could not be "read". Click ok to terminate the program." I click ok and the box disappears. This box probably arises due to some incomplete or improper software removal of "stopzilla" by me. How do I get rid of it? Maybe, the answer to #1 is the answer to #2? Please advise and I understand that it may be best to wait to remove. I defer to you for your guidance.

c. The Red Shield for Windows Security Alerts appears. I did not activate the firewall yet. I will after I complete your instructions.

d. There is now a Yellow Shield for Windows automatic updates. I don't recall seeing this in a while thought it may have popped up previously. I did not get update though I will after I complete your instructions and get your confirmation it is ok to do so.

e. POTENTIALLY VERY IMPORTANT OBSERVATION!- Every day, I check the history tab of MSE to see what was detected and removed. For the first time since getting the Sirefef viruses/trojans going back over a week, no Sirefef items were detected on 4/30 (during the early morning scan of 4/30! What does this mean to you and did you expect this result? If so, can you explain how this was accomplished please? What program did what action to what files/registry entries? What other actions need to be done? (ST, if you could, I may need some laymen like explanation!! though whatever way you prefer to respond is fine!

2. OTL Fix Log - Please see below.

========== SERVICES/DRIVERS ==========
========== OTL ==========
========== FILES ==========
File\Folder md "c:\windows\system32\urttemp" not found.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ativdaxx.ax.vir" "c:\windows\system32\ativdaxx.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ativmvxx.ax.vir" "c:\windows\system32\ativmvxx.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\wmpvis.dll.vir" "c:\windows\system32\dllcache\wmpvis.dll" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\acelpdec.ax.vir" "c:\windows\system32\acelpdec.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\g711codc.ax.vir" "c:\windows\system32\g711codc.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\iac25_32.ax.vir" "c:\windows\system32\iac25_32.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ir41_32.ax.vir" "c:\windows\system32\ir41_32.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ivfsrc.ax.vir" "c:\windows\system32\ivfsrc.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\ksproxy.ax.vir" "c:\windows\system32\ksproxy.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\l3codecx.ax.vir" "c:\windows\system32\l3codecx.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\mpeg2data.ax.vir" "c:\windows\system32\mpeg2data.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg2splt.ax.vir" "c:\windows\system32\mpg2splt.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\mpg4ds32.ax.vir" "c:\windows\system32\mpg4ds32.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\msadds32.ax.vir""c:\windows\system32\msadds32.ax" /c >
C:\Qoobox\Quarantine\C\WINDOWS\system32\msadds32.ax.virc:\windows\system32\msadds32.ax
0 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\msscds32.ax.vir" "c:\windows\system32\msscds32.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\vbicodec.ax.vir" "c:\windows\system32\vbicodec.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\vbisurf.ax.vir" "c:\windows\system32\vbisurf.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\vidcap.ax.vir" "c:\windows\system32\vidcap.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wiasf.ax.vir" "c:\windows\system32\wiasf.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wmv8ds32.ax.vir" "c:\windows\system32\wmv8ds32.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wmvds32.ax.vir" "c:\windows\system32\wmvds32.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wstpager.ax.vir" "c:\windows\system32\wstpager.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< copy "C:\Qoobox\Quarantine\C\WINDOWS\system32\wstrenderer.ax.vir" "c:\windows\system32\wstrenderer.ax" /c >
1 file(s) copied.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Family Login\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Family Login\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Unable to start System Restore Service. Error code 1056

OTL by OldTimer - Version 3.2.42.1 log created on 04302012_233656

2a. Question on OTL Fix log - What does the first line under the COMMANDS row mean...unable to start system restor service. Error code 1056? Is it serious? What do I do?

3. OTL Custom Scan - Please see log below.

OTL logfile created on: 5/1/2012 12:10:35 AM - Run 2
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Documents and Settings\Family Login\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.55 Mb Total Physical Memory | 242.48 Mb Available Physical Memory | 63.22% Memory free
986.29 Mb Paging File | 747.54 Mb Available in Paging File | 75.79% Paging File free
Paging file location(s): C:\pagefile.sys 640 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 9.41 Gb Free Space | 50.51% Space Free | Partition Type: NTFS

Computer Name: DAMONFAMILY01 | User Name: Family Login | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: HostManager - hkey= - key= - C:\Program Files\Common Files\AOL\1162161876\ee\aolsoftware.exe (America Online, Inc.)
MsConfig - StartUpReg: IPHSend - hkey= - key= - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: hidserv - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: ias - File not found
NetSvcs: iprip - File not found
NetSvcs: irmon - File not found
NetSvcs: nwcworkstation - File not found
NetSvcs: nwsapagent - File not found
NetSvcs: - File not found
NetSvcs: - File not found
NetSvcs: slwdmsup - C:\WINDOWS\System32\drivers\slwdmsup.sys (Smart Link)
NetSvcs: mtlmnt5 - C:\WINDOWS\System32\drivers\mtlmnt5.sys (Smart Link)
NetSvcs: wmdmpmsp - File not found

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >
[2012/02/24 15:28:26 | 000,099,728 | R--- | M] (iS3 Inc.) -- C:\WINDOWS\system32\drivers\is3srv.sys
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2012/02/24 15:28:26 | 000,099,728 | R--- | M] (iS3 Inc.) -- C:\WINDOWS\system32\drivers\SZKG.sys
[2012/04/11 14:56:36 | 000,073,104 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\system32\drivers\SZKGFS.sys

< %SYSTEMDRIVE%\*.exe >

< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/11/27 11:26:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2010/11/27 11:26:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: VOLSNAP.SYS >
[2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/03 23:00:18 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 00:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

< End of report >

Ok, that's if for now.

Thanks a lot again and "speak" with you soon!

Regards,

Davidad

p.s. On a personal note, are you really situated in Antarctica? Are you based there (military or research) or do you live there? I'd be interested in hearing!

#13 SweetTech

Agent ST

Malware Response Team
13,421 posts

Gender:Male
Location:Antarctica

Posted 01 May 2012 - 01:11 AM

Hi!

Not a problem!

Do you agree? The version # of MBAM I have is 1.6.1 which seems to fit your range in your instructions but it is the free version and I've had it for a while.

If you have the Free version of MalwareBytes' Anti-Malware, then you don't need to disable anything.

HitManPro 3.6 Quick Scan starts automatically during early part of start up phase. On one hand, that's no problem. On the other, I have heard/learned that it is not effective to have >1 anti-virus/ant-malware program running at the same time. Since I have MSE already, should I remove HitMan Pro? (if not now, then later?). If so, what program should I use to do removals? I have CCleaner already installed and there's the windows based add/remove programs from the control panel though I've had some issues & heard some concerns over it. I thought there was some other program I read on bleepingcomputer called Revo? Please advise on which one to use, what I should remove (I can send you a listing - from where?), and when (I figure we should wait on this till we're done with Sirefef).

If this were my computer, I'd definitely remove HitManPro. The reason for this is because I've heard of users who have had it scan and then remove a threat, and then they ended up with an unbootable computer.

The utility you are thinking of is called RevoUninstaller. It's a very useful utility, and has been quite useful in cases where a stubborn program doesn't want to be removed.

Still getting the error message when booting up: A box named "SZServer.exe - Application Error" opens up. Inside there's a message: The instruction @0x63104c1f referenced memory at 0x6611a630. The memory could not be "read". Click ok to terminate the program." I click ok and the box disappears. This box probably arises due to some incomplete or improper software removal of "stopzilla" by me. How do I get rid of it? Maybe, the answer to #1 is the answer to #2? Please advise and I understand that it may be best to wait to remove. I defer to you for your guidance.

It does look like StopZilla wasn't remove completely.

Do you recall how you removed it?

c. The Red Shield for Windows Security Alerts appears. I did not activate the firewall yet. I will after I complete your instructions.

Okay.

d. There is now a Yellow Shield for Windows automatic updates. I don't recall seeing this in a while thought it may have popped up previously. I did not get update though I will after I complete your instructions and get your confirmation it is ok to do so.

Yes, this is okay to do.

POTENTIALLY VERY IMPORTANT OBSERVATION!- Every day, I check the history tab of MSE to see what was detected and removed. For the first time since getting the Sirefef viruses/trojans going back over a week, no Sirefef items were detected on 4/30 (during the early morning scan of 4/30! What does this mean to you and did you expect this result? If so, can you explain how this was accomplished please? What program did what action to what files/registry entries? What other actions need to be done? (ST, if you could, I may need some laymen like explanation!! though whatever way you prefer to respond is fine!

This is great news!

To me this means that we are making some excellent progress with getting this infection removed. Yes, I was expecting this result, we have removed quite a few chunks of this infection.

We've used a few different tools to remove this infection.

A lot of the work we've done we completed using OTL.

p.s. On a personal note, are you really situated in Antarctica? Are you based there (military or research) or do you live there? I'd be interested in hearing!

I actually do not live in Antarctica. I don't even remember why I put that there. I think it might have been because it seems to get people talking about it.

Although I can't really recall.

2a. Question on OTL Fix log - What does the first line under the COMMANDS row mean...unable to start system restor service. Error code 1056? Is it serious? What do I do?

I was trying to have OTL create a new restore point when you ran the OTL fix. However it appears OTL wasn't able to do so because the service associated with System Restore couldn't be started.

We'll look into this in a moment.

Run this ComboFix script for me:

ComboFix Script

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
ClearJavaCache::
DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\msadds32.ax.vir
NetSvcs::
,

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT:

Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

I believe I addressed your questions in your previous post. If I missed one, please let me know, and I'd be happy to answer it in my next reply.

Warmest Regards,
ST.

#14 davidad

Member

Members
61 posts

Gender:Male

Posted 01 May 2012 - 04:16 AM

Good morning. Thanks for the feedback.

Here is the latest summary/observations. Also, FYI, before running your instructions I had run ccleaner to clean up any websites or other items on the computer. No issues noted there.

1. STOPZILLA

I think I tried using windows control panel based add/remove programs and got some error message. Then I tried right clicking on the StopZilla application row aftering right clicking on start/programs and selecting the uninstall option. I don't think it fully worked and then I tried deleting Stopzilla items when I saw them. I used the REVO Uninstaller program since I saw the StopZilla icon when REVO was double clicked. Unlike with HMP, a small windows uninstaller box popped up and it asked do you want windows to configure Stopzilla..I think for uninstalling. A message box popped up after a little while and it said error message 1721 windows installer package did not have ...something to complete installation. Contact the ....Let's see what happens after REVO is done. FYI. REVO found 1012 registry entries and it took a while to click on each bolded item (prob not 1012 but alot!) But, what do you suggest? FYI, after running ComboFix, the same SZ application error message arose.

2. HIDDEN FILES & FOLDERS

I was looking at "My Computer" and noticed some folders disappeared. I went to Control Panel, Folder Options, View Tab and in the "Hidden Files & Folders row, I clicked the button for "Show Hidden Files & Folders". Then I pressed ok and saw the folders (like C:Documents & Settings/All Users/APPLICATION DATA (the capped folder was missing) or C: Documents & Settings/DEFAULT USER (this one was missing too.)I don't know what caused this folder view to change though I recall it also happened a few days ago. How can I keep this option from going back to hidden?

3. HITMANPRO 3.6 & REVO UNINSTALLER FREE - I went to a thread that had this as a download link (topic 451285) and downloaded the REVO program. I double clicked on the Hitmapro icon and REVO started. During its process, a similar message came up like I got with StopZilla. It read hmpsched.exe - application errot. The instructions at 0X00000000 referenced memory at 0x00000000. The memory could not be "Read". Check ok to close the program or cancel to debug. I choose ok. Not sure what to do. Maybe when REVO searches for leftovers, it will fix this? What do you think and suggest? FYI, there were three leftover registry entries and 2 folders in C:\Programs that were deleted.

4. COMBOFIX LOG - Please see below.

ComboFix 12-04-31.03 - Family Login 05/01/2012 4:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.384.178 [GMT -4:00]
Running from: c:\documents and settings\Family Login\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Family Login\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dllcache\wmpvis.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))
.
.
2012-05-01 08:28 . 2012-05-01 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2012-05-01 07:32 . 2012-05-01 07:32 -------- d-----w- c:\program files\VS Revo Group
2012-05-01 07:05 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2E7DC9DF-9323-4358-90AE-7EAAA1A0D25D}\mpengine.dll
2012-05-01 03:38 . 2008-04-14 00:12 239616 ----a-w- c:\windows\system32\wstrenderer.ax
2012-05-01 03:38 . 2008-04-14 00:12 164352 ----a-w- c:\windows\system32\wstpager.ax
2012-05-01 03:38 . 2008-04-14 00:12 258048 ----a-w- c:\windows\system32\wmvds32.ax
2012-05-01 03:37 . 2008-04-14 00:12 278559 ----a-w- c:\windows\system32\wmv8ds32.ax
2012-05-01 03:37 . 2001-08-23 12:00 40448 ----a-w- c:\windows\system32\wiasf.ax
2012-05-01 03:37 . 2008-04-13 23:12 28672 ----a-w- c:\windows\system32\vidcap.ax
2012-05-01 03:37 . 2008-04-14 00:12 30208 ----a-w- c:\windows\system32\vbisurf.ax
2012-05-01 03:37 . 2008-04-14 00:12 53248 ----a-w- c:\windows\system32\vbicodec.ax
2012-05-01 03:37 . 2008-04-14 00:12 69632 ----a-w- c:\windows\system32\msscds32.ax
2012-05-01 03:37 . 2010-06-15 16:17 143422 ----a-w- c:\windows\system32\l3codecx.ax
2012-05-01 03:37 . 2008-04-14 00:12 154624 ----a-w- c:\windows\system32\ivfsrc.ax
2012-05-01 03:37 . 2008-04-14 00:12 848384 ----a-w- c:\windows\system32\ir41_32.ax
2012-05-01 03:37 . 2008-04-14 00:12 199680 ----a-w- c:\windows\system32\iac25_32.ax
2012-05-01 03:37 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\acelpdec.ax
2012-04-29 03:18 . 2012-04-29 03:18 4752 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-28 18:37 . 2012-04-28 18:37 -------- d-----w- C:\_OTL
2012-04-27 04:55 . 2012-04-27 04:55 -------- d-----w- c:\windows\system32\LogFiles
2012-04-23 04:39 . 2012-04-23 04:39 -------- d-----w- C:\TDSSKiller items
2012-04-22 15:55 . 2012-04-22 15:55 -------- d-----w- c:\program files\ESET
2012-04-21 16:42 . 2012-04-21 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-04-21 01:34 . 2012-04-22 04:30 -------- d-----w- C:\sh4ldr
2012-04-21 01:27 . 2012-04-22 04:28 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-04-21 01:26 . 2012-04-21 01:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-04-21 01:11 . 2012-01-12 13:26 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-04-21 01:11 . 2012-01-19 14:22 42864 ----a-r- c:\windows\system32\SBBD.EXE
2012-04-21 01:10 . 2012-04-21 01:10 -------- d-----w- c:\program files\Common Files\iS3
2012-04-20 06:58 . 2012-04-20 06:58 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-04-11 18:56 . 2012-04-11 18:56 73104 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2012-04-04 17:13 . 2012-04-04 17:13 23376 ----a-r- c:\windows\system32\SZIO5.dll
2012-04-04 17:13 . 2012-04-04 17:13 546640 ----a-r- c:\windows\system32\SZComp5.dll
2012-04-04 17:13 . 2012-04-04 17:13 481104 ----a-r- c:\windows\system32\SZBase5.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 07:36 . 2010-08-25 04:05 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 19:56 . 2011-02-09 04:30 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-02-29 14:10 . 2001-08-23 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2001-08-23 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-28 18:50 . 2004-01-08 19:23 667136 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 18:50 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-02-28 18:50 . 2010-08-24 16:12 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-02-28 13:50 . 2006-10-19 04:51 369664 ----a-w- c:\windows\system32\html.iec
2012-02-26 05:44 . 2012-02-26 05:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-26 05:44 . 2012-02-26 05:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-24 19:28 . 2012-02-24 19:28 99728 ----a-r- c:\windows\system32\drivers\SZKG.sys
2012-02-24 19:28 . 2012-02-24 19:28 99728 ----a-r- c:\windows\system32\drivers\is3srv.sys
2012-02-23 18:09 . 2012-02-23 18:09 29008 ----a-r- c:\windows\system32\IS3XDat5.dll
2012-02-23 18:09 . 2012-02-23 18:09 390992 ----a-r- c:\windows\system32\IS3UI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 231248 ----a-r- c:\windows\system32\IS3Win325.dll
2012-02-23 18:09 . 2012-02-23 18:09 100176 ----a-r- c:\windows\system32\IS3Svc5.dll
2012-02-23 18:09 . 2012-02-23 18:09 132944 ----a-r- c:\windows\system32\IS3HTUI5.dll
2012-02-23 18:09 . 2012-02-23 18:09 104272 ----a-r- c:\windows\system32\IS3Inet5.dll
2012-02-23 18:09 . 2012-02-23 18:09 67408 ----a-r- c:\windows\system32\IS3Hks5.dll
2012-02-23 18:09 . 2012-02-23 18:09 456528 ----a-r- c:\windows\system32\IS3DBA5.dll
2012-02-23 18:09 . 2012-02-23 18:09 808784 ----a-r- c:\windows\system32\IS3Base5.dll
2012-02-23 14:18 . 2010-08-23 16:35 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-02-03 09:22 . 2001-08-23 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2006-10-29 1056864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 -c--a-w- c:\program files\Common Files\AOL\1162161876\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 14:36 256576 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 -c--a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 23:58 282624 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162161876\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162161876\\ee\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2012-01-12 101112]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [2001-08-17 63360]
S3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\DRIVERS\n100325.sys [2001-08-17 128000]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
,
bthmodem
slwdmsup
mtlmnt5
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]
.
2012-05-01 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-05-01 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 04:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-01 04:43:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-01 08:43
ComboFix2.txt 2012-04-29 03:26
C:\DeQuarantine.txt
.
Pre-Run: 10,255,196,160 bytes free
Post-Run: 10,279,452,672 bytes free
.
- - End Of File - - F78EB26B1CCE5398E1C67346C110FB8E

5. ComboFix "DeQuarantine Notepad" item - This log also appeared. Not sure if it was supposed to. Any concern here?

C:\Qoobox\Quarantine\C\WINDOWS\system32\msadds32.ax.vir -> C:\WINDOWS\system32\msadds32.ax ( 221184 bytes )

6. Farber - Please see below.

Farbar Service Scanner Version: 30-04-2012 01
Ran by Family Login (administrator) on 01-05-2012 at 05:14:36
Running from "C:\Documents and Settings\Family Login\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) MDC8021X(9) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

7. FINAL MSE and COMPUER POINT

I will let MSE do its normal scan and I will leave the computer ON (as compared to the night of 4/29-30 where it was turned off.

Thanks very much and regards,

Davidad

#15 SweetTech

Agent ST

Malware Response Team
13,421 posts

Gender:Male
Location:Antarctica

Posted 01 May 2012 - 08:40 AM

Hi Davidad,

I'm going to answer the questions in your previous post a little later.

I wanted to provide you with these instructions:

Hi!

Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Select Perform quick scan, then click on Scan
Leave the default options as it is and click on Start Scan
When done, you will be prompted. Click OK, then click on Show Results
Checked (ticked) all items and click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
- Enable Anti-Stealth technology
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

NEXT:

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.