MSE service stopped


3 replies to this topic

#1 hpnutty

Posted 08 December 2012 - 08:48 AM

Observed computer running MSE states "Security Essentials isn't monitoring your PC because the program's service has stopped. You should restart it now." after daughter downloaded "Deer Drive". MBAM full scan was run and found Trojan.0Access and Rootkit.0Access issues among others which were removed, but the problem still exists (log below). MSE will not uninstall, computer will not start in SAFE MODE, ActiveX Windows Update from the MSN site will not run and neither will Windows Restore. Lastly, something has hijacked search from IE8, redirecting me from GOOGLE through diggerview.com to other "search" engines: http://63.209.69.107/search/web/, livesearch.com, http://beesq.net/find_1.php?k= etc. This could be associated with siredef.c?

Results of first MBAM log:
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.09.29.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: UPSTAIRSHP [administrator]

12/7/2012 10:55:26 PM
mbam-log-2012-12-07 (22-55-26).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 536989
Time elapsed: 3 hour(s), 19 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Documents and Settings\Rachel\Start Menu\Programs\System Progressive Protection (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.

Files Detected: 10
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\n (Trojan.0Access) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U\00000004.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U\000000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-515967899-436374069-682003330-1005\$9afba016c0f62a158d3d5a82f34e92b7\n (Trojan.0Access) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.
C:\Documents and Settings\Rachel\Desktop\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rachel\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully.

(end)


Following advice from this thread with a similar issue: http://www.bleepingcomputer.com/forums/topic477394.html, the scanning programs SecurityCheck, Farbar Service Scanner, MiniToolBox, MBAM, aswMBR and Malwarebytes Anti-Rootkit were installed/run per the instructions, and the resulting logs are below:

SecurityCheck log:
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Java™ 6 Update 37
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (3.5.13) Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Farbar Scan log:
Farbar Service Scanner Version: 07-12-2012
Ran by Dad (administrator) on 08-12-2012 at 06:58:05
Running from "C:\downloads\farbar"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\System32\srsvc.dll".

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Bridge(9) BridgeMP(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(12)
0x0E00000005000000010000000200000003000000040000000B0000000A000000060000000700000008000000090000000C0000000D0000000E000000
IpSec Tag value is correct.

**** End of log ****


MiniToolBox log:
MiniToolBox by Farbar Version: 25-11-2012
Ran by Dad (administrator) on 08-12-2012 at 07:00:14
Running from "C:\downloads\minitoolbar"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
Hosts file not detected in the default directory
========================= IP Configuration: ================================

Intel® PRO/100+ Management Adapter = Local Area Connection (Disconnected)
1394 Net Adapter = 1394 Connection 2 (Connected)
NVIDIA nForce 10/100 Mbps Ethernet = nVidia onBoard (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip

# Interface IP Configuration for "nVidia onBoard"

set address name="nVidia onBoard" source=dhcp
set dns name="nVidia onBoard" source=dhcp register=PRIMARY
set wins name="nVidia onBoard" source=dhcp

popd
# End of interface IP configuration

Windows IP Configuration
Host Name . . . . . . . . . . . . : UpstairsHP
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter nVidia onBoard:
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
Physical Address. . . . . . . . . : 00-19-21-C7-B7-09
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.81
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::219:21ff:fec7:b709%4
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Lease Obtained. . . . . . . . . . : Saturday, December 08, 2012 6:18:42 AM
Lease Expires . . . . . . . . . . : Sunday, December 09, 2012 6:18:42 AM

Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : C0-A8-01-51
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.81%2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

Server: homeportal
Address: 192.168.1.254
Name: google.com
Addresses: 74.125.227.72, 74.125.227.73, 74.125.227.78, 74.125.227.64
74.125.227.65, 74.125.227.66, 74.125.227.67, 74.125.227.68, 74.125.227.69
74.125.227.70, 74.125.227.71
Pinging google.com [74.125.227.4] with 32 bytes of data:
Reply from 74.125.227.4: bytes=32 time=29ms TTL=50
Reply from 74.125.227.4: bytes=32 time=27ms TTL=52
Ping statistics for 74.125.227.4:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 29ms, Average = 28ms

Server: homeportal
Address: 192.168.1.254
Name: yahoo.com
Addresses: 72.30.38.140, 98.138.253.109, 98.139.183.24
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=754ms TTL=46
Reply from 98.139.183.24: bytes=32 time=882ms TTL=46
Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 754ms, Maximum = 882ms, Average = 818ms
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 21 c7 b7 09 ...... NVIDIA nForce 10/100 Mbps Ethernet - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.81 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.81 192.168.1.81 20
192.168.1.0 255.255.255.0 192.168.1.81 192.168.1.81 20
192.168.1.81 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.81 192.168.1.81 20
224.0.0.0 240.0.0.0 192.168.1.81 192.168.1.81 20
255.255.255.255 255.255.255.255 192.168.1.81 192.168.1.81 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()
Catalog9 22 mswsock.dll [File Not found] ()
Catalog9 23 mswsock.dll [File Not found] ()
Catalog9 24 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/04/2012 04:23:19 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 41250

Error: (12/04/2012 04:23:19 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 41250

Error: (12/04/2012 04:23:19 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/04/2012 04:23:04 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 25625

Error: (12/04/2012 04:23:04 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 25625

Error: (12/04/2012 04:23:04 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/03/2012 11:01:18 AM) (Source: .NET Runtime) (User: )
Description: Application: TWCApp.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ArgumentException
Stack:
at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
at System.Windows.Threading.DispatcherOperation.InvokeImpl()
at System.Windows.Threading.DispatcherOperation.InvokeInSecurityContext(System.Object)
at System.Threading.ExecutionContext.runTryCode(System.Object)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode, CleanupCode, System.Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Windows.Threading.DispatcherOperation.Invoke()
at System.Windows.Threading.Dispatcher.ProcessQueue()
at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
at System.Windows.Threading.Dispatcher.InvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)
at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)
at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
at System.Windows.Threading.Dispatcher.PushFrameImpl(System.Windows.Threading.DispatcherFrame)
at System.Windows.Threading.Dispatcher.PushFrame(System.Windows.Threading.DispatcherFrame)
at System.Windows.Threading.Dispatcher.Run()
at System.Windows.Application.RunDispatcher(System.Object)
at System.Windows.Application.RunInternal(System.Windows.Window)
at System.Windows.Application.Run(System.Windows.Window)
at DW.UI.App.Main()

Error: (12/03/2012 11:01:16 AM) (Source: .NET Runtime 4.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 twcapp.exe, P2 7.5.2.0, P3 50a4f142, P4 fsharp.core, P5 4.0.0.0, P6 4d5f3f84, P7 1256, P8 69, P9 clr20r30, P10 clr20r31.


System errors:
=============
Error: (12/08/2012 06:20:11 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (12/08/2012 06:20:11 AM) (Source: Service Control Manager) (User: )
Description: The System Restore Service service terminated with the following error:
%%5

Error: (12/08/2012 06:20:11 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (12/08/2012 06:19:03 AM) (Source: SRService) (User: )
Description: The System Restore initialization process failed.

Error: (12/08/2012 06:18:54 AM) (Source: 0) (User: )
Description:

Error: (12/08/2012 06:15:16 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
IPSec
MpFilter
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip
Tcpip6

Error: (12/08/2012 06:15:16 AM) (Source: Service Control Manager) (User: )
Description: The System Restore Service service terminated with the following error:
%%5

Error: (12/08/2012 06:15:16 AM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (12/08/2012 06:15:16 AM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (12/08/2012 06:15:16 AM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31


Microsoft Office Sessions:
=========================
Error: (02/09/2012 07:11:17 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6600.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1508 seconds with 1320 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

Adobe AIR (Version: 1.0.4990)
Adobe AIR (Version: 1.0.8.4990)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Flash Player 11 ActiveX (Version: 11.5.502.110)
Adobe Media Player (Version: 0.0.0)
Adobe Media Player (Version: 1.0)
Adobe Reader 8.1.3 (Version: 8.1.3)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
Ask Toolbar (Version: 11.3.0.581)
ATI - Software Uninstall Utility (Version: 6.14.10.1021)
ATI Catalyst Control Center (Version: 2.008.0328.2321)
ATI Display Driver (Version: 8.476-080328a-060999C-ATI)
AudibleManager (Version: 2147344384.2147340288.1344088.1244472)
Belarc Advisor 7.2
Bonjour (Version: 3.0.0.10)
Catalyst Control Center Core Implementation (Version: 2008.0328.2322.39969)
Catalyst Control Center Graphics Full Existing (Version: 2008.0328.2322.39969)
Catalyst Control Center Graphics Full New (Version: 2008.0328.2322.39969)
Catalyst Control Center Graphics Light (Version: 2008.0328.2322.39969)
Catalyst Control Center Graphics Previews Common (Version: 2008.0328.2322.39969)
ccc-core-preinstall (Version: 2008.0328.2322.39969)
ccc-core-static (Version: 2008.0328.2322.39969)
ccc-utility (Version: 2008.0328.2322.39969)
CCC Help English (Version: 2008.0328.2321.39969)
CCleaner (Version: 3.25)
Creative System Information
Creative ZEN (Version: 1.0)
EaseUS Partition Master 9.1.1 Home Edition
Epson Event Manager (Version: 2.30.01)
Epson FAX Utility (Version: 1.00.01)
Epson PC-FAX Driver
EPSON Scan
EPSON WorkForce 610 Series Printer Uninstall
EpsonNet Print (Version: 2.4i)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.4.3230.2052)
Google Update Helper (Version: 1.3.21.123)
Google Updater (Version: 2.4.1368.5602)
Intel® Network Connections 13.0.42.0 (Version: 13.0.42.0)
iTunes (Version: 10.6.1.7)
Java Auto Updater (Version: 2.0.7.2)
Java™ 6 Update 37 (Version: 6.0.370)
LADSPA_plugins-win-0.4.15
Lame ACM MP3 Codec
LightScribe System Software (Version: 1.18.17.1)
Mall Tycoon 3 (Version: 1.0.0)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Security Client (Version: 4.1.0522.0)
Microsoft Security Essentials (Version: 4.1.522.0)
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6612.1000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
MobileMe Control Panel (Version: 3.1.8.0)
Mozilla Firefox (3.5.13) (Version: 3.5.13 (en-US))
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NVIDIA Drivers
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Origin (Version: 8.3.7.3619)
PixiePack Codec Pack (Version: 1.0.100.0)
QuickTime (Version: 7.72.80.56)
Realtek High Definition Audio Driver (Version: 5.10.0.5605)
Roll
Shared C Run-time for x86 (Version: 10.0.0)
Skins (Version: 2008.0328.2322.39969)
System Requirements Lab
The Sims 2 Glamour Life Stuff
The Sims 2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 Deluxe
The Sims™ 3 (Version: 1.42.130)
The Sims™ 3 Ambitions (Version: 4.0.87)
The Sims™ 3 Create a World Tool - Beta (Version: 1.6.72)
The Sims™ 3 Generations (Version: 8.0.152)
The Sims™ 3 Late Night (Version: 6.5.1)
The Sims™ 3 Pets (Version: 10.0.96)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760413) 32-Bit Edition
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
WebFldrs XP (Version: 9.50.5318)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Format 9.5 SDK (Version: 10.0.0.3802)
Windows Media Player 11
WinRAR archiver
Zoo Tycoon Expanded

========================= Devices: ================================

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Intel® PRO/100+ Management Adapter
Description: Intel® PRO/100+ Management Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: E100B
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 23%
Total physical RAM: 3070.39 MB
Available physical RAM: 2340.88 MB
Total Pagefile: 4956.09 MB
Available Pagefile: 4296.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1964.91 MB

========================= Partitions: =====================================

1 Drive c: (c-drive) (Fixed) (Total:465.76 GB) (Free:322.92 GB) NTFS
2 Drive d: (d-drive) (Fixed) (Total:298.09 GB) (Free:287.34 GB) NTFS

========================= Users: ========================================

User accounts for \\UPSTAIRSHP

Administrator ASPNET Courtney
Dad Guest HelpAssistant
Natalie Peggy Rachel
SUPPORT_388945a0


**** End of log ****


MBAM removed threats results
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.08.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: UPSTAIRSHP [administrator]

12/8/2012 7:08:17 AM
mbam-log-2012-12-08 (07-08-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 367471
Time elapsed: 37 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\3CA46B87AAF2344B00003CA42EE93A09\3CA46B87AAF2344B00003CA42EE93A09.exe (Trojan.LameShield) -> Quarantined and deleted successfully.

(end)


aswMBR log:
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-08 07:52:56
-----------------------------
07:52:56.671 OS Version: Windows 5.1.2600 Service Pack 3
07:52:56.671 Number of processors: 2 586 0x4B02
07:52:56.671 ComputerName: UPSTAIRSHP UserName: Dad
07:52:57.578 Initialize success
07:54:30.906 AVAST engine defs: 12120701
07:55:39.609 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
07:55:39.609 Disk 0 Vendor: SAMSUNG_HD320KJ CP100-10 Size: 305245MB BusType: 3
07:55:39.625 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP4T0L0-12
07:55:39.625 Disk 1 Vendor: ST3500320AS SD15 Size: 476940MB BusType: 3
07:55:39.625 Disk 1 MBR read successfully
07:55:39.625 Disk 1 MBR scan
07:55:39.656 Disk 1 Windows XP default MBR code
07:55:39.656 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
07:55:39.656 Disk 1 scanning sectors +976767120
07:55:39.718 Disk 1 scanning C:\WINDOWS\system32\drivers
07:55:47.937 Service scanning
07:55:58.046 Modules scanning
07:56:01.812 Disk 1 trace - called modules:
07:56:01.828 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:56:01.828 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b326ab8]
07:56:01.828 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000071[0x8b3d44e8]
07:56:01.828 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-12[0x8b3bb660]
07:56:02.656 AVAST engine scan C:\WINDOWS
07:56:06.640 AVAST engine scan C:\WINDOWS\system32
07:56:10.203 File: C:\WINDOWS\system32\asr_nsta.dll **INFECTED** Win32:Dropper-gen [Drp]
07:59:06.187 AVAST engine scan C:\WINDOWS\system32\drivers
07:59:26.062 AVAST engine scan C:\Documents and Settings\Dad
08:02:20.359 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Dad\Desktop\MBR.dat"
08:02:20.359 The log file has been saved successfully to "C:\Documents and Settings\Dad\Desktop\aswMBR.txt"
08:03:37.921 AVAST engine scan C:\Documents and Settings\All Users
08:08:39.781 Scan finished successfully
08:08:53.578 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Dad\Desktop\MBR.dat"
08:08:53.578 The log file has been saved successfully to "C:\Documents and Settings\Dad\Desktop\aswMBR.txt"


Malwarebytes Anti-Rootkit System-log.txt:
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.210000 GHz
Memory total: 3219533824, free: 2482790400


------------ Kernel report ------------
12/08/2012 08:25:17
------------ Loaded modules -----------
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR7
Upper Device Object: 0xffffffff89e67ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007d\
Lower Device Object: 0xffffffff8b1b44f8
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR6
Upper Device Object: 0xffffffff89e67030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007c\
Lower Device Object: 0xffffffff8b13bc78
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR5
Upper Device Object: 0xffffffff89e9fab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007b\
Lower Device Object: 0xffffffff8b184900
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR4
Upper Device Object: 0xffffffff89e9f030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007a\
Lower Device Object: 0xffffffff8b12d660
Lower Device Driver Name: \Driver\usbstor\
Driver name found: usbstor
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8b326ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP4T0L0-12\
Lower Device Object: 0xffffffff8b3bb660
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b30fab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-5\
Lower Device Object: 0xffffffff8b2c2d98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Downloaded database version: v2012.12.08.04
Initializing...
Done!
<<<2>>>
Device number: 1, partition: 1
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8b326ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b329508, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b326ab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b3d44e8, DeviceName: \Device\00000071\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b3bb660, DeviceName: \Device\Ide\IdeDeviceP4T0L0-12\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe45df800, 0xffffffff8b326ab8, 0xffffffff876bb040
Lower DeviceData: 0xffffffffe15ecb90, 0xffffffff8b3bb660, 0xffffffff8771e4d8
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
Done!
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b30fab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b313810, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b30fab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b3980d8, DeviceName: \Device\00000070\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b2c2d98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-5\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe4335b10, 0xffffffff8b30fab8, 0xffffffff87691ab8
Lower DeviceData: 0xffffffffe3ca0168, 0xffffffff8b2c2d98, 0xffffffff876dbb58
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 79194D22


Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 625137282


Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0


Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0


Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0


Disk Size: 320072933376 bytes
Sector size: 512 bytes


Scanning physical sectors of unpartitioned space on drive 0 (1-62-625122448-625142448)...
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1


Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 976767057
Partition file system is NTFS
Partition is bootable


Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0


Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0


Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0


Disk Size: 500107862016 bytes
Sector size: 512 bytes


Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff89e9f030, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b14e020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89e9f030, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b12d660, DeviceName: \Device\0000007a\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff89e9fab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b0f5020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89e9fab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b184900, DeviceName: \Device\0000007b\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff89e67030, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b136b58, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89e67030, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b13bc78, DeviceName: \Device\0000007c\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xffffffff89e67ab8, DeviceName: \Device\Harddisk5\DR7\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b10d530, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89e67ab8, DeviceName: \Device\Harddisk5\DR7\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b1b44f8, DeviceName: \Device\0000007d\, DriverName: \Driver\usbstor\
------------ End ----------
Done!
Performing system, memory and registry scan...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: D:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Infected: C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\@ --> [Trojan.Siredef.C]

Malwarebytes Anti-Rootkit MBAR-LOG
Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2012.12.08.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: UPSTAIRSHP [administrator]


12/8/2012 5:47:37 PM
mbar-log-2012-12-08 (17-47-37).txt


Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 43136
Time elapsed: 9 hour(s), 21 minute(s), 49 second(s)


Memory Processes Detected: 0
(No malicious items detected)


Memory Modules Detected: 0
(No malicious items detected)


Registry Keys Detected: 0
(No malicious items detected)


Registry Values Detected: 0
(No malicious items detected)


Registry Data Items Detected: 0
(No malicious items detected)


Folders Detected: 10
c:\windows\$ntuninstallkb38584$\1972644928 (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118 (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\l (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\u (Backdoor.0Access) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-515967899-436374069-682003330-1005\$9afba016c0f62a158d3d5a82f34e92b7\U (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-515967899-436374069-682003330-1005\$9afba016c0f62a158d3d5a82f34e92b7\L (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7 (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-515967899-436374069-682003330-1005\$9afba016c0f62a158d3d5a82f34e92b7 (Trojan.Siredef.C) -> Delete on reboot.


Files Detected: 17
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\@ (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-515967899-436374069-682003330-1005\$9afba016c0f62a158d3d5a82f34e92b7\@ (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L\00000004.@ (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L\201d3dde (Trojan.Siredef.C) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L\4cce1f70 (Trojan.Siredef.C) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\l\akygdmgo (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\u\00000001.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\u\00000002.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\u\80000000.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\u\80000032.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\bckfg.tmp (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\cfg.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\desktop.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\keywords (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\kwrd.dll (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb38584$\2233865118\lsflt7.ver (Backdoor.0Access) -> Delete on reboot.


(end)

Thank you for the invaluable service you perform!




Edited by hpnutty, 08 December 2012 - 08:02 PM.



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,710 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:43 AM

Posted 08 December 2012 - 03:36 PM

Welcome aboard

You're infected with ZeroAccess rootkit.
It'll require elevated help.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website




 


#3 hpnutty

hpnutty
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:04:43 AM

Posted 08 December 2012 - 07:24 PM

Thanks for your assistance. I placed the Malware anti-rootkit log in this thread, completed the prep work and created a link where you directed me: Thread: Infected with ZeroAccess rootkit

I will return with results, hopefully good results.

Edited by hpnutty, 08 December 2012 - 07:25 PM.


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:43 PM

Posted 15 December 2012 - 03:59 AM

This can be closed as it is resolved.



Regards,
Georgi





