Google search results appear to be redirecting


This topic is locked
21 replies to this topic

#1 sugar land john (Members, 13 posts)

Posted 24 November 2012 - 10:27 PM

While working online today, noticed a general slowdown. Task Manager showed an instance of svchost was using cpu in varying amounts up to approx 50%. Then noticed MS Security Essentials icon in the system tray was red. Opened MSSE and got dialog "Security Essentials isn't monitoring your PC because the program's service stopped." Realtime protection was "off". Attempted to restart service and got message "Couldn't start the Security Essentials service. The specified service does not exist as an installed service. Error code 0x80070424." Ran firewall.cpl in the "run" window and got message, "Due to an unidentified problem, Windows cannot display Windows Firewall settings." Attempted to run Malwarebytes full scan. Scan ran for over 4 hours and then unexpectedly closed.

OS is Windows XP Pro, SP3. Default browser is Firefox, IE browser available and also shows redirection.

Hoping someone can help me with this one.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Jem at 20:45:46 on 2012-11-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.795 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: intuit.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254804427296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292099535593
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{A40102E9-A6A1-4C83-9119-ED9A138AF961} : DHCPNameServer = 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = Error!
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jem\application data\mozilla\firefox\profiles\s3ekv026.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\jem\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - ExtSQL: !HIDDEN! 2009-09-05 15:02; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2011-11-27 19:31; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 193552]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-11-24 40776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DualCoreCenter;DualCoreCenter;\??\c:\program files\msi\dualcorecenter\ntglm7x.sys --> c:\program files\msi\dualcorecenter\NTGLM7X.sys [?]
S3 RushTopDevice2;RushTopDevice2;\??\c:\program files\msi\dualcorecenter\rushtop.sys --> c:\program files\msi\dualcorecenter\RushTop.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-11-24 20:54:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-23 19:51:16 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{79a6dfc1-43fe-4b26-b97b-357c242f61c9}\mpengine.dll
2012-11-22 19:51:07 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-28 22:12:16 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-10-28 22:12:16 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
.
==================== Find3M ====================
.
2012-11-13 02:16:21 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-13 02:16:19 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-23 00:54:05 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-09-07 22:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-31 03:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 20:48:01.03 ===============

#2 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 25 November 2012 - 07:24 AM

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.



NEXT


Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 sugar land john (Topic Starter, Members, 13 posts)

Posted 25 November 2012 - 11:48 AM

Hello CatByte, thank you for your response!

Before I download and run the tools you suggested, I should pass along some new information that could possibly affect the focus of your troubleshooting.

At first I was unable to get a Malwarebytes scan to complete to the point where I could see any infections. I tried again and aborted the scan as soon as I saw that it had picked something up. This allowed me to see the quarantine folder before the software could shut down. I saw 2 instances of Trojan.0access. After removing those, I was able to run Malwarebytes scans to completion with no shutdowns. Ran a full scan overnight and saw more Trojan.0access infections when I checked this morning. Deleted those and rebooted. No other infections were reported, but the Security Essentials service can still not be restarted.

Would you prefer that I re-run the DDS scan and post the updated results, as well as the Malwarebytes logs of the 2 scans, before proceeding with your suggested downloads? I will run no further scans or tools unless instructed by you.

I'm keeping the infected computer disconnected from the internet unless absolutely necessary. Do you see any issues with downloading the tools on a thumb drive in a clean computer and then copying them to the desktop of the infected computer? Thanks!

#4 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 25 November 2012 - 11:57 AM

Thanks, we can move along to MBAR and ComboFix.



#5 sugar land john (Topic Starter, Members, 13 posts)

Posted 25 November 2012 - 07:07 PM

Acknowledging your instructions, CatByte. Performing some backup operations prior to running the tools you suggested. Should be able to run them in the next 24 hours if no problems with backups. Will advise and send logs when tools have run. Thanks again!

#6 sugar land john (Topic Starter, Members, 13 posts)

Posted 26 November 2012 - 11:22 PM

Hi CatByte. Ran the MBAR and ComboFix scans tonight. 3 logs pasted below. MBAR found 11 infections. This time identified as Trojan.Siredef.C instead of Trojan.0Access. Cleaned and rebooted, no infections found during second scan with MBAR. Now able to access internet, and also able to turn Win Firewall and Windows Updates back on, but still unable to restart MS Security Essentials service. Icon still red. Also found reason that Malwarebytes was able to identify infections but had not stopped them from coming in. I did not realize that the free version of MBAM that I was using did not have realtime protection capability. Found this while trying to turn off protection to run ComboFix. Hard lesson learned.

Here are the logs:

MBAR-LOG

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.26.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jem :: JEM77478 [administrator]

11/26/2012 7:27:49 PM
mbar-log-2012-11-26 (19-27-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27799
Time elapsed: 12 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------
SYSTEM-LOG

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_26

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.007000 GHz
Memory total: 2146545664, free: 1641697280

------------ Kernel report ------------
11/26/2012 18:53:09
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
xhobdpi.sys
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
speedfan.sys
Mup.sys
giveio.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rtenicxp.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\point32.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff89d58ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP3T1L0-1b\
Lower Device Object: 0xffffffff89decb00
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff89e4bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-7\
Lower Device Object: 0xffffffff89dcbd98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Downloaded database version: v2012.11.26.10
Downloaded database version: v2012.11.19.01
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff89e4bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89d56e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89e4bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89df89e8, DeviceName: \Device\0000006b\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff89dcbd98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-7\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe2f69c08, 0xffffffff89e4bab8, 0xffffffff8990d2a8
Lower DeviceData: 0xffffffffef8d5400, 0xffffffff89dcbd98, 0xffffffff8998b118
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 127F127E

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 976751937
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff89d58ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89dd2680, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89d58ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89e4a9e8, DeviceName: \Device\0000006d\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff89decb00, DeviceName: \Device\Ide\IdeDeviceP3T1L0-1b\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe2355808, 0xffffffff89d58ab8, 0xffffffff88bf6040
Lower DeviceData: 0xffffffffe380a3c0, 0xffffffff89decb00, 0xffffffff88f034d8
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 3E1D020

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 625137282

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Infected: C:\RECYCLER\S-1-5-18\$bc24fdf1a6074c64ca59d1f046450256\@ --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-1547161642-682003330-839522115-1004\$bc24fdf1a6074c64ca59d1f046450256\@ --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$bc24fdf1a6074c64ca59d1f046450256\L\00000004.@ --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$bc24fdf1a6074c64ca59d1f046450256\L\201d3dde --> [Trojan.Siredef.C]
Read File: File "C:\WINDOWS\$NtUninstallKB885836$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB901017$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB901017$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB920670$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927891$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927891$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB950749$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB952954_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB873339$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB950762_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB950974_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951066_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951376-v2_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951698_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951978$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB952287_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB901214$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB902400$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB904942$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB904942$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905414$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905414$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905749$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905749$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB908519$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB910437$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB910437$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB911562$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB911927$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB916595$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB916595$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918118$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918118$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918439$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918439$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB920213$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB920872$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB922582$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB923980$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB924270$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB925720$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB925876$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB925902$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926255$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926255$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926436$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926436$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927779$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927802$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927802$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB928255$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB928255$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB929123$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930178$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930178$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930916$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930916$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB931261$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB931261$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB932168$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB932168$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935448$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935448$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935839$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935839$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935840$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935840$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB936357$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB936357$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB937894$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938127$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938127$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938464_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938828$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938828$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943055$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943055$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943485$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943485$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944338-v2$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944338-v2$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944653$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944653$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB945553$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB945553$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB946026$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB946026$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB954211_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB954600_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB955069_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB955839$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB956802$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB956803$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB957095$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB957097$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB958644$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB960714$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB886185$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB886185$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB888302$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB891781$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB893756$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB896423$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB896423$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB896428$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899587$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899587$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899591$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899591$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB900485$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB900485$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB900725$\eula.txt" is compressed (flags = 1)
Infected: HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$bc24fdf1a6074c64ca59d1f046450256\U --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-1547161642-682003330-839522115-1004\$bc24fdf1a6074c64ca59d1f046450256\U --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$bc24fdf1a6074c64ca59d1f046450256\L --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-1547161642-682003330-839522115-1004\$bc24fdf1a6074c64ca59d1f046450256\L --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$bc24fdf1a6074c64ca59d1f046450256 --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-1547161642-682003330-839522115-1004\$bc24fdf1a6074c64ca59d1f046450256 --> [Trojan.Siredef.C]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_26

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.007000 GHz
Memory total: 2146545664, free: 1791152128

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_26

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.007000 GHz
Memory total: 2146545664, free: 1669435392

------------ Kernel report ------------
11/26/2012 19:14:48
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
speedfan.sys
Mup.sys
giveio.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rtenicxp.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\point32.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff89daeab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP3T1L0-1b\
Lower Device Object: 0xffffffff89dbfb00
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff89dc5ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-7\
Lower Device Object: 0xffffffff89e05d98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff89dc5ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89dbae08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89dc5ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89db2338, DeviceName: \Device\0000006b\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff89e05d98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-7\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe2bf9958, 0xffffffff89dc5ab8, 0xffffffff89cfd720
Lower DeviceData: 0xffffffffe3478420, 0xffffffff89e05d98, 0xffffffff89d07040
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 127F127E

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 976751937
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff89daeab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89e02e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89daeab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff89e093f8, DeviceName: \Device\0000006d\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff89dbfb00, DeviceName: \Device\Ide\IdeDeviceP3T1L0-1b\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe351a4f8, 0xffffffff89daeab8, 0xffffffff89d08040
Lower DeviceData: 0xffffffffe317b958, 0xffffffff89dbfb00, 0xffffffff89cfd040
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 3E1D020

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 625137282

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Read File: File "C:\WINDOWS\$NtUninstallKB885836$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB901017$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB901017$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB920670$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927891$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927891$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB950749$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB952954_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB873339$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB950762_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB950974_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951066_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951376-v2_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951698_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB951978$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB952287_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB901214$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB902400$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB904942$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB904942$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905414$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905414$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905749$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB905749$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB908519$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB910437$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB910437$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB911562$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB911927$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB916595$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB916595$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918118$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918118$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918439$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB918439$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB920213$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB920872$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB922582$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB923980$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB924270$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB925720$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB925876$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB925902$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926255$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926255$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926436$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB926436$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927779$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927802$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB927802$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB928255$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB928255$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB929123$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930178$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930178$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930916$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB930916$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB931261$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB931261$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB932168$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB932168$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935448$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935448$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935839$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935839$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935840$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB935840$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB936357$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB936357$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB937894$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938127$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938127$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938464_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938828$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB938828$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943055$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943055$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943485$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB943485$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944338-v2$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944338-v2$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944653$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB944653$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB945553$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB945553$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB946026$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB946026$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB954211_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB954600_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB955069_0$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB955839$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB956802$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB956803$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB957095$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB957097$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB958644$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB960714$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB886185$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB886185$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB888302$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB891781$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB893756$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB896423$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB896423$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB896428$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899587$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899587$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899591$\eula.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB899591$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB900485$\update.ver" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB900485$\updatebr.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\$NtUninstallKB900725$\eula.txt" is compressed (flags = 1)
Done!
Scan finished
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_26

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.007000 GHz
Memory total: 2146545664, free: 1794654208


COMBOFIX LOG

ComboFix 12-11-26.02 - Jem 11/26/2012 20:24:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1549 [GMT -6:00]
Running from: c:\documents and settings\Jem\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Jem\WINDOWS
C:\LOG11.tmp
c:\windows\system32\SETBD.tmp
c:\windows\system32\SETC0.tmp
c:\windows\system32\SETCB.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-27 to 2012-11-27 )))))))))))))))))))))))))))))))
.
.
2012-11-25 23:34 . 2012-11-25 23:34 -------- d-----w- c:\program files\Runtime Software
2012-11-25 06:01 . 2012-11-25 06:01 -------- d-----w- c:\documents and settings\Jem\Local Settings\Application Data\PCHealth
2012-11-23 19:51 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{79A6DFC1-43FE-4B26-B97B-357C242F61C9}\mpengine.dll
2012-11-22 19:51 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-28 22:12 . 2008-04-13 17:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2012-10-28 22:12 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-13 02:16 . 2012-04-03 22:39 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-13 02:16 . 2011-05-19 00:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:37 . 2006-02-28 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2006-02-28 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-07 22:04 . 2012-09-21 23:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-31 03:03 . 2010-03-26 03:30 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-10-27 02:52 . 2012-10-27 02:51 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-20 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-9-19 221247]
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2011-1-22 36864]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2011-1-22 36864]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-16 02:02 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
S3 DualCoreCenter;DualCoreCenter;\??\c:\program files\MSI\DualCoreCenter\NTGLM7X.sys --> c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [?]
S3 RushTopDevice2;RushTopDevice2;\??\c:\program files\MSI\DualCoreCenter\RushTop.sys --> c:\program files\MSI\DualCoreCenter\RushTop.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:39]
.
2012-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 03:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: microsoft.com\*.update
Trusted Zone: pantyhoselane.com\www
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Jem\Application Data\Mozilla\Firefox\Profiles\s3ekv026.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - ExtSQL: !HIDDEN! 2009-09-05 15:02; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2011-11-27 19:31; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MsMpSvc
MSConfigStartUp-TkBellExe - c:\program files\real\realplayer\update\realsched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-26 20:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-11-26 21:06:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-27 03:06
.
Pre-Run: 392,787,890,176 bytes free
Post-Run: 395,062,517,760 bytes free
.
- - End Of File - - 8E0839A6BAC17BCB0C05EF3AAE9C1C99
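As an added triage aid, not part of this thread and not a ComboFix or BleepingComputer tool, the Python below parses the three parts of a ComboFix log that matter most when chasing an unexplained autostart: the Run keys under "Reg Loading Points", the Security Center override values, and the IE Trusted Zone list from the "Supplementary Scan". Run over the lines above it surfaces the `AntiVirusOverride=dword:00000001` value (which tells XP's Security Center the user is monitoring antivirus themselves, so the "no antivirus" warning is suppressed; some AV installers set it, but it is also a place to look when protection has gone quiet), the bare-filename Run entries such as `RTHDCPL.EXE` that are resolved through the search path at logon rather than by an explicit path, and the Trusted Zone domains that neither Windows Update nor Microsoft components added. The sample input is copied from the log above except for one constructed `updater` line, added only to exercise the user-writable-directory check; the allowlist and directory list are assumptions of this example, not ComboFix's own rules, and every flag is a "look twice", not a verdict.

```python
"""Triage helper for the ComboFix log format above.

Added example, not a BleepingComputer or ComboFix tool. It pulls Run-key
autostarts, Security Center override values and IE Trusted Zone entries
out of a ComboFix.txt and flags the ones a responder would want to look
at twice. The flags are heuristics, not verdicts.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
TRUSTED_RE = re.compile(r"^Trusted Zone:\s+(?P<entry>\S+)\s*$")
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")

# Assumption: directories an unprivileged XP user can write to. Vendor
# autostarts normally live under Program Files or the Windows directory.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")
# Assumption: Trusted Zone domains that Windows Update / Microsoft add
# themselves; anything else came from a user or a third-party installer.
EXPECTED_TRUSTED = {"microsoft.com", "windowsupdate.com"}

# Constructed sample: lines copied from the log above, plus one made-up
# "updater" entry (NOT in the real log) to exercise the user-writable check.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-20 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"updater"="c:\documents and settings\Jem\Local Settings\Application Data\updater.exe" [2012-11-20 48128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
Trusted Zone: intuit.com\ttlc
Trusted Zone: microsoft.com\*.update
Trusted Zone: pantyhoselane.com\www
Trusted Zone: windowsupdate.com\download
"""


@dataclass
class Findings:
    autostarts: list = field(default_factory=list)             # (key, name, path)
    suspicious_autostarts: list = field(default_factory=list)  # (name, path, reason)
    security_center_overrides: list = field(default_factory=list)  # (name, value)
    trusted_zone: list = field(default_factory=list)
    unexpected_trusted_zone: list = field(default_factory=list)


def _path_of(data):
    """'"c:\\x\\y.exe" [2012-01-01 123]' -> 'c:\\x\\y.exe' (ComboFix value format)."""
    m = re.match(r'^"(?P<path>[^"]*)"', data)
    return m.group("path") if m else data


def triage(log_text):
    f = Findings()
    key = None  # registry key of the section we are currently inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":       # ComboFix pads sections with "."
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = TRUSTED_RE.match(line)
        if m:
            entry = m.group("entry")
            f.trusted_zone.append(entry)
            if entry.split("\\", 1)[0].lower() not in EXPECTED_TRUSTED:
                f.unexpected_trusted_zone.append(entry)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if key.endswith("\\currentversion\\run"):   # not the disabled "run-" key
            path = _path_of(data)
            f.autostarts.append((key, name, path))
            low = path.lower()
            if "\\" not in low:
                f.suspicious_autostarts.append(
                    (name, path, "bare filename, resolved through the search path at logon"))
            elif any(d in low for d in USER_WRITABLE):
                f.suspicious_autostarts.append((name, path, "lives in a user-writable directory"))
        elif key.endswith("\\security center"):
            d = DWORD_RE.match(data)
            if d and int(d.group("hex"), 16):
                f.security_center_overrides.append((name, int(d.group("hex"), 16)))
    return f


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for item in r.suspicious_autostarts:
        print("autostart:", *item)
    for item in r.security_center_overrides:
        print("Security Center override:", *item)
    for item in r.unexpected_trusted_zone:
        print("Trusted Zone entry to review:", item)
```

On a real log, point `triage()` at the whole ComboFix.txt rather than the embedded sample; the bare-filename flag is resolved by cross-checking the "Other Running Processes" section (here `c:\windows\RTHDCPL.EXE` is what actually ran), and a Trusted Zone entry only matters because IE runs that site with the Trusted sites security level.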

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:45 AM

Posted 27 November 2012 - 08:05 AM

very good, :thumbup2:

Yes, MSE is excellent, but it can't stop everything; having MBAM Pro is worth it (that's the combo I use myself).

We just have a couple more scans to run to make certain we get any leftovers. Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 sugar land john

sugar land john
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:45 AM

Posted 27 November 2012 - 10:51 PM

Hi again, CatByte,

I ran AdwCleaner and Junkware Removal Tool and have pasted the logs below. Both scans ran much quicker than I expected. I hope the reports look as you expected.

Before I run the online ESET Scanner, I wanted to ask a question or two. When the JRT scan had completed, I got an error message box from the Microsoft Security Client. "An error has occurred in the program during initialization. If this problem continues, please contact your system administrator. Error code: 0x80070005."

I suspect that it's related to the fact that I still cannot restart my MS Security Essentials service. MSSE icon in system tray is still red, and when I try to restart, I get "Couldn't start the Security Essentials Service. The specified service does not exist as an installed service. Error code: 0x80070424."

Should I go ahead and run the online ESET scan or do we need to address the error messages before scanning?

Here are the AdwCleaner and JRT logs:

ADWCLEANER:

# AdwCleaner v2.009 - Logfile created 11/27/2012 at 20:50:36
# Updated 24/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Jem - JEM77478
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Jem\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\e9e2qhge.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\Jem\Application Data\Mozilla\Firefox\Profiles\s3ekv026.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [878 octets] - [27/11/2012 20:50:36]

########## EOF - C:\AdwCleaner[S1].txt - [937 octets] ##########


JUNKWARE REMOVAL TOOL

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.5.6 (11.27.2012:3)
OS: Microsoft Windows XP x86
Ran by Administrator on Tue 11/27/2012 at 20:59:48.93
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/27/2012 at 21:02:05.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
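The two error codes quoted in the post above decode mechanically, and the decode explains why the later reinstall works where restarting the service cannot. As an added example, not something from the thread or from Microsoft's tooling, the Python below splits an HRESULT into its severity, facility and code fields and maps the Win32 facility back to winerror.h names: 0x80070424 is Win32 error 1060, ERROR_SERVICE_DOES_NOT_EXIST, the same text MSE shows, meaning the service registration itself is gone rather than merely stopped (which fits the ComboFix log listing `SafeBoot-MsMpSvc` under ORPHANS REMOVED, a SafeBoot reference to a service that is no longer registered); 0x80070005 is error 5, ERROR_ACCESS_DENIED. The error table is deliberately limited to the service-start codes listed in it; other codes are reported by number only.

```python
"""Decode the HRESULTs quoted in this thread.

Added example, not a forum or Microsoft tool. 0x80070424 and 0x80070005
are HRESULTs that wrap Win32 error codes: bit 31 is the failure flag,
bits 16-26 the facility (7 = FACILITY_WIN32) and the low 16 bits the
original Win32 error from winerror.h.
"""
FACILITY_WIN32 = 7
FACILITY_NAMES = {0: "FACILITY_NULL", 1: "FACILITY_RPC", 2: "FACILITY_DISPATCH",
                  3: "FACILITY_STORAGE", 4: "FACILITY_ITF", 7: "FACILITY_WIN32",
                  8: "FACILITY_WINDOWS"}

# Win32 codes the Service Control Manager returns for a start request
# (names and text from winerror.h); only these are mapped here.
WIN32_ERRORS = {
    5: ("ERROR_ACCESS_DENIED", "Access is denied."),
    1053: ("ERROR_SERVICE_REQUEST_TIMEOUT",
           "The service did not respond to the start or control request in a timely fashion."),
    1058: ("ERROR_SERVICE_DISABLED",
           "The service cannot be started, either because it is disabled or because "
           "it has no enabled devices associated with it."),
    1060: ("ERROR_SERVICE_DOES_NOT_EXIST",
           "The specified service does not exist as an installed service."),
    1062: ("ERROR_SERVICE_NOT_ACTIVE", "The service has not been started."),
    1068: ("ERROR_SERVICE_DEPENDENCY_FAIL", "The dependency service or group failed to start."),
}


def decode_hresult(hr):
    """Split an HRESULT into its fields; add the Win32 meaning when the facility is 7."""
    hr &= 0xFFFFFFFF
    facility = (hr >> 16) & 0x1FFF          # 11-bit facility field
    out = {
        "hresult": f"0x{hr:08X}",
        "failed": bool(hr >> 31),           # severity bit
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, f"FACILITY_{facility}"),
        "code": hr & 0xFFFF,
    }
    if facility == FACILITY_WIN32:
        name, text = WIN32_ERRORS.get(
            out["code"], (f"WIN32_ERROR_{out['code']}", "(not in this table)"))
        out.update(win32_error=out["code"], name=name, message=text)
    return out


def hresult_from_win32(code):
    """The inverse, as the HRESULT_FROM_WIN32 macro does it: non-positive values pass through."""
    if code <= 0:
        return code & 0xFFFFFFFF
    return (code & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def explain(hr):
    d = decode_hresult(hr)
    if "name" not in d:
        return f"{d['hresult']}: {d['facility_name']} code {d['code']}"
    return f"{d['hresult']}: Win32 error {d['win32_error']} {d['name']}: {d['message']}"


if __name__ == "__main__":
    for hr in (0x80070424, 0x80070005):   # the two codes from the post above
        print(explain(hr))
```

The practical reading: a 1060 from the start button means there is no MsMpSvc entry for the Service Control Manager to start, so no amount of restarting helps and a Farbar Service Scanner pass over the other services will look clean; the 0x80070005 popup is the client UI being refused access to a service object that is not there in the form it expects.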

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:45 AM

Posted 28 November 2012 - 07:33 AM

Let's have a look first to see if any registry keys are missing, or if there is another reason MSE isn't working:


Please download Farbar Service Scanner and run it
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#10 sugar land john

sugar land john
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:45 AM

Posted 28 November 2012 - 05:12 PM

Hi CatByte,

Here's the FSS log:

Farbar Service Scanner Version: 09-11-2012
Ran by Jem (administrator) on 28-11-2012 at 15:58:30
Running from "C:\Documents and Settings\Jem\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:45 AM

Posted 28 November 2012 - 07:36 PM

There does not appear to be any reason why MSE is not functioning. I suggest uninstalling it completely, then re-downloading the program and re-installing it.

Then move on to the next steps.


#12 sugar land john

sugar land john
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:45 AM

Posted 28 November 2012 - 11:11 PM

Hi again, CatByte,

Wanted to give you a quick update and also have a few questions while ESET is running its scan. Looks like it will be scanning for quite a while.

Your suggestion to uninstall and reinstall MS Security Essentials worked fine. After reinstalling, it went out and updated its definitions with no problem. Rebooted just to be sure nothing would kill it again after a restart, and it seems to be working normally now with a green icon. Also didn't see any redirection when using Google search to find the download site for MSSE.

I have a couple of questions if you don't mind. All of the scan logs that I've looked at so far only involve the C: Drive, where the OS resides. I also have a data drive (D:) for extra storage. I was working in the D drive around the time I noticed the infection symptoms. Do I need to worry about running any of the scanning tools on the D drive or do I only need to be concerned with the system drive for this type of infection?

Second question. Before beginning this cleanup process, I backed up images of both drives onto an external USB hard drive. As per instructions I read early in the process, I disconnected the external USB backup drive while scanning. Because there is an image of the infected system disk on the backup external drive, would the best course of action be to delete both images on the backup drive after the cleanup of the main system drive is complete and I'm sure that my original data is OK?

Last question. Assuming I delete the images on the backup disk, can I be reasonably certain that there will be no residual infection on the backup drive?

Thanks again, and I'll get you the ESET log as soon as the scan completes.

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:45 AM

Posted 29 November 2012 - 07:42 AM

The scans we ran should have checked the D:\ drive; ESET will definitely take a look there as well.

Yes, once we have completed here, delete those backups and format that USB drive.


#14 sugar land john

sugar land john
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:45 AM

Posted 29 November 2012 - 08:15 AM

Thanks CatByte,

I was concerned about the D drive because I didn't see it mentioned in any of the scan logs other than the Malwarebytes logs.

The ESET Scan finished and reported one threat found. This threat was NOT deleted per your instructions. Log follows:

C:\System Volume Information\_restore{CAE5A1F5-0860-4F7D-B451-6988750BB6EC}\RP1005\A0101473.exe Win32/DownloadAdmin.E application

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:45 AM

Posted 29 November 2012 - 08:25 AM

OK,

That detection is in an old restore point that we will be cleaning up at the end.

Just to be certain, re-run ESET and only choose the D:\ drive to scan.
