
Luhe.Sirefef.A, virus on desktop


9 replies to this topic

#1 laczny (Members, 5 posts)

Posted 27 March 2013 - 07:59 PM

My computer is infected with Luhe.Sirefef.A, C:\WINDOWS\system32\services.exe (764) according to AVG. I've run Avg and Super Anti Spyware. AVG finds the problem, says that it's fixed and then if I run the scan a minute later the same problem pops up. This virus isn't allowing me to conduct internet searches. If I try, random websites appear rather than what I searched for. Please help me!

 

Mod Edit: Moved topic from XP to a more appropriate forum. ~bloopie


Edited by bloopie, 27 March 2013 - 08:42 PM.



#2 narenxp (BC Advisor, 16,371 posts, India)

Posted 27 March 2013 - 08:37 PM

Are you sure the OS is Windows XP? I have not seen services.exe infected on XP systems.

 

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your reply
  • Due to a forum upgrade you may face issues posting the TDSSKiller log. Just the last few lines of the log are sufficient.

===================================================

RKILL
  • Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another.) and save it to your desktop:
  • Link 1
  • Link 2

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

===================================================

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click the download link for the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button

===================================================

Junkware Removal Tool by thisisu
  • Please download Junkware Removal Tool
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply.

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • TDSSKiller log
  • RKILL log
  • ESET log
  • Junkware removal tool log

 



#3 laczny (Topic Starter, Members, 5 posts)

Posted 27 March 2013 - 10:35 PM

I double-checked my OS and it is XP. I also thought it odd, since all I found about it was for Windows 7.

 

 

TDSSKiller log:

 

21:12:43.0765 1512  ============================================================
21:12:43.0765 1512  Scan finished
21:12:43.0765 1512  ============================================================
21:12:43.0796 1508  Detected object count: 0
21:12:43.0796 1508  Actual detected object count: 0

 

 

RKILL log:

 

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/27/2013 09:17:07 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 2

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* wscsvc [Missing Service]
* wuauserv [Missing Service]

* BITS [Missing ImagePath]
* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 03/27/2013 09:18:17 PM
Execution time: 0 hours(s), 1 minute(s), and 10 seconds(s)

 


ESET log:

 

C:\Documents and Settings\Thinderbolt\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab    Win32/OpenCandy application    deleted - quarantined
C:\Documents and Settings\Thinderbolt\Local Settings\Temp\Bunndle\BunndleOfferManager.dll    a variant of Win32/Bunndle application    cleaned by deleting - quarantined
C:\Documents and Settings\Thinderbolt\Local Settings\Temp\is1275519350\yontoo-c4.exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\Thinderbolt\Local Settings\Temporary Internet Files\Content.IE5\C9JI0NDJ\stubinst_pkg_en-us[1].cab    Win32/OpenCandy application    deleted - quarantined
C:\Documents and Settings\Thinderbolt\Local Settings\Temporary Internet Files\Content.IE5\O1CS9VIY\stubinst_pkg_en-us[1].cab    Win32/OpenCandy application    deleted - quarantined
C:\Documents and Settings\Thinderbolt\My Documents\Downloads\AdobeFlash_setup.exe    a variant of Win32/InstallCore.AZ application    cleaned by deleting - quarantined
C:\Documents and Settings\Thinderbolt\My Documents\Downloads\fwtunerSO.exe    multiple threats    cleaned by deleting - quarantined
C:\Documents and Settings\Thinderbolt\My Documents\Downloads\Setup(1).exe    a variant of Win32/Adware.iBryte.G application    cleaned by deleting - quarantined
C:\Documents and Settings\Thinderbolt\My Documents\Downloads\Setup.exe    a variant of Win32/Adware.iBryte.G application    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\27.03.2013_21.00.28\rtkt0000\svc0000\tsk0000.dta    Win32/Sirefef.DA trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\27.03.2013_21.00.28\rtkt0000\zafs0000\tsk0001.dta    Win32/Sirefef.EZ trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\27.03.2013_21.00.28\rtkt0000\zafs0000\tsk0005.dta    Win32/Conedex.D trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\27.03.2013_21.00.28\rtkt0000\zafs0000\tsk0007.dta    Win32/Conedex.E trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\27.03.2013_21.00.28\rtkt0000\zafs0000\tsk0008.dta    Win32/Sirefef.FA trojan    cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\27.03.2013_21.00.28\rtkt0000\zafs0000\tsk0009.dta    probably a variant of Win32/Sirefef.FD trojan    cleaned by deleting - quarantined
 

 

Junkware removal tool:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Microsoft Windows XP x86
Ran by Thinderbolt on Wed 03/27/2013 at 22:19:11.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/27/2013 at 22:33:38.17
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#4 narenxp (BC Advisor, 16,371 posts, India)

Posted 27 March 2013 - 10:38 PM

Looks good. Are you still receiving the pop-up?

 

Malwarebytes

Please download Malwarebytes Anti-Malware and save it to your desktop. If you already have it installed launch the program and update the database.

  • Make sure you are connected to the Internet and double-click on it to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

===================================================

Farbar's MiniToolBox
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double-click the MiniToolBox icon to launch the program
  • Make sure the following options are checked:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices
    • List Users, Partitions and Memory size.

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply

===================================================

Farbar's Service Scanner

Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================

AdwCleaner by Xplode - Search for Adware
  • Please download AdwCleaner by Xplode onto your desktop.
  • Security software may flag it as malicious. This is a false positive and can be ignored.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on DELETE
  • Click YES if you receive a warning for reboot
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================

Autoruns
 
  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then Save filename as Autoruns.txt and change Save as type to  Text(*.txt).
  • Double-click on the text file, copy and paste the contents in your reply



Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Malwarebytes log
  • MiniToolBox log
  • Farbar's Service Scanner log
  • AdwCleaner log
  • Autoruns log



#5 laczny (Topic Starter, Members, 5 posts)

Posted 27 March 2013 - 11:08 PM

So far I haven't had any pop-ups! Yay! Is it OK to turn my AVG back on now?
 
Malwarebytes log:
 
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.03.28.02
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Thinderbolt :: JL-2EFCCF27D9B3 [administrator]
3/27/2013 10:41:58 PM
mbam-log-2013-03-27 (22-41-58).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 185684
Time elapsed: 5 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

 

MiniToolBox log:

 

MiniToolBox by Farbar  Version:05-03-2013
Ran by Thinderbolt (administrator) on 27-03-2013 at 22:51:41
Running from "C:\Documents and Settings\Thinderbolt\My Documents\Downloads"
Microsoft Windows XP Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1       localhost

========================= IP Configuration: ================================

Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration        
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

        Host Name . . . . . . . . . . . . : jl-2efccf27d9b3

        Primary Dns Suffix  . . . . . . . :

        Node Type . . . . . . . . . . . . : Unknown

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC

        Physical Address. . . . . . . . . : 00-0D-88-44-46-A0

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.0.10

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.0.1

        DHCP Server . . . . . . . . . . . : 192.168.0.1

        DNS Servers . . . . . . . . . . . : 209.18.47.61

                                            209.18.47.62

        Lease Obtained. . . . . . . . . . : Wednesday, March 27, 2013 10:35:43 PM

        Lease Expires . . . . . . . . . . : Wednesday, March 27, 2013 11:35:43 PM

Server:  dns-cac-lb-01.rr.com
Address:  209.18.47.61

Name:    google.com
Addresses:  74.125.225.2, 74.125.225.3, 74.125.225.4, 74.125.225.5
   74.125.225.6, 74.125.225.7, 74.125.225.8, 74.125.225.9, 74.125.225.14
   74.125.225.0, 74.125.225.1

Pinging google.com [74.125.225.5] with 32 bytes of data:

Reply from 74.125.225.5: bytes=32 time=15ms TTL=52

Reply from 74.125.225.5: bytes=32 time=13ms TTL=52

 

Ping statistics for 74.125.225.5:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 13ms, Maximum = 15ms, Average = 14ms

Server:  dns-cac-lb-01.rr.com
Address:  209.18.47.61

Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=120ms TTL=47

Reply from 206.190.36.45: bytes=32 time=188ms TTL=47

 

Ping statistics for 206.190.36.45:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 120ms, Maximum = 188ms, Average = 154ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

 

Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 88 44 46 a0 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10   20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10   20
     192.168.0.10  255.255.255.255        127.0.0.1       127.0.0.1   20
    192.168.0.255  255.255.255.255     192.168.0.10    192.168.0.10   20
        224.0.0.0        240.0.0.0     192.168.0.10    192.168.0.10   20
  255.255.255.255  255.255.255.255     192.168.0.10    192.168.0.10   1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog9 01 mswsock.dll [File not found] ()
Catalog9 02 mswsock.dll [File not found] ()
Catalog9 03 mswsock.dll [File not found] ()
Catalog9 04 mswsock.dll [File not found] ()
Catalog9 05 mswsock.dll [File not found] ()
Catalog9 06 mswsock.dll [File not found] ()
Catalog9 07 mswsock.dll [File not found] ()
Catalog9 08 mswsock.dll [File not found] ()
Catalog9 09 mswsock.dll [File not found] ()
Catalog9 10 mswsock.dll [File not found] ()
Catalog9 11 mswsock.dll [File not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/27/2013 05:52:18 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:16 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:15 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:14 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:13 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:12 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:10 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:09 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:08 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (03/27/2013 05:52:07 PM) (Source: ESENT) (User: )
Description: svchost (1060) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (03/27/2013 09:11:02 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (03/27/2013 09:06:06 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (03/27/2013 09:06:06 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (03/27/2013 09:05:58 PM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (03/27/2013 09:03:16 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (03/27/2013 08:58:59 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/27/2013 08:58:59 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/27/2013 08:58:59 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (03/27/2013 08:58:59 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the RaMediaServer service to connect.

Error: (03/27/2013 08:58:59 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5


Microsoft Office Sessions:
=========================
Error: (03/27/2013 05:52:18 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:16 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:15 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:14 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:13 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:12 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:10 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:09 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:08 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (03/27/2013 05:52:07 PM) (Source: ESENT)(User: )
Description: svchost1060C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.


=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.6.602.180)
Adobe Flash Player 11 Plugin (Version: 11.6.602.180)
AVG 2013 (Version: 13.0.2641)
AVG 2013 (Version: 13.0.2904)
AVG 2013 (Version: 2013.0.2904)
ESET Online Scanner v3
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 19.0.2 (x86 en-US) (Version: 19.0.2)
Mozilla Maintenance Service (Version: 19.0.2)
Ralink RT2870 Wireless LAN Card (Version: 1.5.11.0)
RealDownloader (Version: 1.3.0)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealUpgrade 1.1 (Version: 1.1.0)
SUPERAntiSpyware (Version: 5.6.1014)
Update for Windows XP (KB914882) (Version: 1)
WebFldrs XP (Version: 9.50.7523)

========================= Devices: ================================

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


========================= Memory info: ===================================

Percentage of memory in use: 38%
Total physical RAM: 1023.3 MB
Available physical RAM: 632.72 MB
Total Pagefile: 2461.55 MB
Available Pagefile: 1987.1 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.1 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:74.52 GB) (Free:67.31 GB) NTFS

========================= Users: ========================================

User accounts for \\JL-2EFCCF27D9B3

Administrator            Guest                    HelpAssistant           
SUPPORT_388945a0         Thinderbolt             


**** End of log ****

 

Farbar's Service Scanner log:

 

Farbar Service Scanner Version: 03-03-2013
Ran by Thinderbolt (administrator) on 27-03-2013 at 23:02:49
Running from "C:\Documents and Settings\Thinderbolt\My Documents\Downloads"
Microsoft Windows XP Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of BITS. The value does not exist.
The ServiceDll of BITS service is OK.
Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 06:00] - [2004-08-04 06:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-04 06:00] - [2004-08-04 06:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 06:00] - [2013-03-27 21:04] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2013-03-03 11:44] - [2004-08-04 06:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2013-03-03 11:46] - [2004-08-04 06:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2013-03-03 11:46] - [2004-08-04 06:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2013-03-03 11:44] - [2004-08-04 06:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2013-03-03 11:46] - [2004-08-04 06:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll
[2013-03-03 11:46] - [2004-08-04 06:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0243200 ____A (Microsoft Corporation) ACD36A2DD7D1E9D8A060AA651DC07E63

C:\WINDOWS\system32\cryptsvc.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe
[2004-08-04 06:00] - [2004-08-04 06:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe
[2004-08-04 06:00] - [2004-08-04 06:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


Extra List:
=======
Avgtdix(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

 

 

AdwCleaner log:

 

# AdwCleaner v2.115 - Logfile created 03/27/2013 at 22:59:15
# Updated 17/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : Thinderbolt - JL-2EFCCF27D9B3
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Thinderbolt\My Documents\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.2180

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Documents and Settings\Thinderbolt\Application Data\Mozilla\Firefox\Profiles\gkewgoih.default-1364430561218\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [755 octets] - [27/03/2013 22:59:15]

########## EOF - C:\AdwCleaner[S1].txt - [814 octets] ##########

 

 

Autoruns log:

 

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" "" "3/5/2013 8:36 PM"
+ "AVG_UI" "AVG User Interface" "AVG Technologies CZ, s.r.o." "c:\program files\avg\avg2013\avgui.exe" "12/10/2012 7:17 PM"
+ "TkBellExe" "RealNetworks Scheduler" "RealNetworks, Inc." "c:\program files\real\realplayer\update\realsched.exe" "11/30/2012 5:17 PM"
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup" "" "" "" "3/27/2013 5:56 PM"
+ "Ralink Wireless Utility.lnk" "Ralink Wireless LAN Card Utility" "Ralink Technology, Corp." "c:\program files\ralink\common\raui.exe" "12/31/2010 5:12 AM"
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" "" "3/3/2013 11:47 AM"
+ "Address Book 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe" "8/3/2004 11:58 PM"
+ "Microsoft Outlook Express 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe" "8/3/2004 11:58 PM"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" "" "3/23/2013 11:44 AM"
+ "SUPERAntiSpyware" "SUPERAntiSpyware Application" "SUPERAntiSpyware.com" "c:\program files\superantispyware\superantispyware.exe" "11/1/2012 1:45 PM"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" "" "3/4/2013 9:28 PM"
+ "0" "" "" "File not found: About:Home" ""
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" "" "3/5/2013 8:45 PM"
+ "SABShellExecuteHook Class" "ShellExecuteHook" "SuperAdBlocker.com" "c:\program files\superantispyware\sasseh.dll" "7/18/2011 5:22 PM"
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" "" "3/3/2013 5:37 AM"
+ "AVG Shell Extension" "AVG Shell Extension" "AVG Technologies CZ, s.r.o." "c:\program files\avg\avg2013\avgse.dll" "10/22/2012 5:02 AM"
+ "SASContextMenu Class" "SUPERAntiSpyware Context Menu Extension" "SUPERAntiSpyware.com" "c:\program files\superantispyware\sasctxmn.dll" "7/18/2011 5:34 PM"
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" "" "3/3/2013 11:47 AM"
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll" "12/14/2012 2:52 PM"
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" "" "3/3/2013 5:37 AM"
+ "SASContextMenu Class" "SUPERAntiSpyware Context Menu Extension" "SUPERAntiSpyware.com" "c:\program files\superantispyware\sasctxmn.dll" "7/18/2011 5:34 PM"
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" "" "3/3/2013 11:47 AM"
+ "AVG Shell Extension" "AVG Shell Extension" "AVG Technologies CZ, s.r.o." "c:\program files\avg\avg2013\avgse.dll" "10/22/2012 5:02 AM"
+ "MBAMShlExt" "Malwarebytes Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll" "12/14/2012 2:52 PM"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" "" "3/5/2013 8:45 PM"
+ "RealNetworks Download and Record Plugin for Internet Explorer" "RealPlayer Download and Record Plugin" "RealDownloader" "c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll" "11/29/2012 10:33 PM"
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" "" "3/27/2013 10:59 PM"
+ "Windows Messenger" "Windows Messenger" "Microsoft Corporation" "c:\program files\messenger\msmsgs.exe" "8/3/2004 11:59 PM"
"Task Scheduler" "" "" "" ""
+ "Adobe Flash Player Updater.job" "Adobe® Flash® Player Update Service 11.6 r602" "Adobe Systems Incorporated" "c:\windows\system32\macromed\flash\flashplayerupdateservice.exe" "2/28/2013 8:40 PM"
+ "RealPlayerRealUpgradeLogonTaskS-1-5-21-1214440339-261903793-725345543-1004.job" "RealUpgrade Launcher" "RealNetworks, Inc." "c:\program files\real\realupgrade\realupgrade.exe" "11/30/2012 5:30 PM"
+ "RealPlayerRealUpgradeScheduledTaskS-1-5-21-1214440339-261903793-725345543-1004.job" "RealUpgrade Launcher" "RealNetworks, Inc." "c:\program files\real\realupgrade\realupgrade.exe" "11/30/2012 5:30 PM"
+ "ReclaimerUpdateFiles_Thinderbolt.job" "RealNetworks Installer" "RealNetworks, Inc." "c:\documents and settings\thinderbolt\application data\real\update\upgradehelper\realplayer\10.40\agent\rnupgagent.exe" "2/13/2013 5:31 PM"
+ "ReclaimerUpdateXML_Thinderbolt.job" "RealNetworks Installer" "RealNetworks, Inc." "c:\documents and settings\thinderbolt\application data\real\update\upgradehelper\realplayer\10.40\agent\rnupgagent.exe" "2/13/2013 5:31 PM"
+ "RNUpgradeHelperLogonPrompt_Thinderbolt.job" "RealNetworks Installer" "RealNetworks, Inc." "c:\documents and settings\thinderbolt\application data\real\update\upgradehelper\realplayer\10.40\agent\rnupgagent.exe" "2/13/2013 5:31 PM"
"HKLM\System\CurrentControlSet\Services" "" "" "" "3/9/2013 3:38 PM"
+ "!SASCORE" "SUPERAntiSpyware Core Service" "SUPERAntiSpyware.com" "c:\program files\superantispyware\sascore.exe" "7/11/2012 12:54 PM"
+ "AdobeFlashPlayerUpdateSvc" "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes." "Adobe Systems Incorporated" "c:\windows\system32\macromed\flash\flashplayerupdateservice.exe" "2/28/2013 8:40 PM"
+ "AppMgmt" "Provides software installation services such as Assign, Publish, and Remove." "" "File not found: C:\WINDOWS\System32\appmgmts.dll" ""
+ "AVGIDSAgent" "Provides Identity Protection Against Cyber Crime." "AVG Technologies CZ, s.r.o." "c:\program files\avg\avg2013\avgidsagent.exe" "11/15/2012 2:56 PM"
+ "avgwd" "AVG Watchdog Service" "AVG Technologies CZ, s.r.o." "c:\program files\avg\avg2013\avgwdsvc.exe" "10/22/2012 3:06 AM"
+ "MozillaMaintenance" "The Mozilla Maintenance Service ensures that you have the latest and most secure version of Mozilla Firefox on your computer. Keeping Firefox up to date is very important for your online security, and Mozilla strongly recommends that you keep this service enabled." "Mozilla Foundation" "c:\program files\mozilla maintenance service\maintenanceservice.exe" "3/7/2013 6:32 AM"
+ "RalinkRegistryWriter" "RalinkRegistryWriter" "Ralink Technology, Corp." "c:\program files\ralink\common\raregistry.exe" "11/10/2010 8:51 PM"
+ "RaMediaServer" "RaMediaServer. If the service is disabled, UPnP Media Server function will not work." "" "c:\program files\ralink\common\ramediaserver.exe" "11/26/2010 12:38 AM"
+ "RealNetworks Downloader Resolver Service" "Manage different Downloader versions in RealNetworks' products." "" "c:\program files\realnetworks\realdownloader\rndlresolversvc.exe" "11/29/2012 10:31 PM"
"HKLM\System\CurrentControlSet\Services" "" "" "" "3/9/2013 3:38 PM"
+ "AVGIDSDriver" "AVG Technologies IDS Application Activity Monitor Driver" "AVG Technologies CZ, s.r.o. " "c:\windows\system32\drivers\avgidsdriverx.sys" "10/22/2012 4:46 AM"
+ "AVGIDSHX" "AVG Technologies IDS Application Activity Monitor Helper Driver" "AVG Technologies CZ, s.r.o. " "c:\windows\system32\drivers\avgidshx.sys" "10/14/2012 7:22 PM"
+ "AVGIDSShim" "AVG Technologies IDS Application Activity Monitor Shim Loader Driver" "AVG Technologies CZ, s.r.o. " "c:\windows\system32\drivers\avgidsshimx.sys" "9/20/2012 7:20 PM"
+ "Avgldx86" "AVG AVI Loader Driver" "AVG Technologies CZ, s.r.o." "c:\windows\system32\drivers\avgldx86.sys" "10/1/2012 7:05 PM"
+ "Avglogx" "AVG Logging Driver" "AVG Technologies CZ, s.r.o." "c:\windows\system32\drivers\avglogx.sys" "9/20/2012 7:22 PM"
+ "Avgmfx86" "AVG Resident Shield Minifilter Driver" "AVG Technologies CZ, s.r.o." "c:\windows\system32\drivers\avgmfx86.sys" "11/15/2012 4:03 PM"
+ "Avgrkx86" "AVG Anti-Rootkit Driver" "AVG Technologies CZ, s.r.o." "c:\windows\system32\drivers\avgrkx86.sys" "9/13/2012 6:40 PM"
+ "Avgtdix" "AVG Network connection watcher" "AVG Technologies CZ, s.r.o." "c:\windows\system32\drivers\avgtdix.sys" "9/20/2012 7:24 PM"
+ "Changer" "" "" "File not found: C:\WINDOWS\System32\Drivers\Changer.sys" ""
+ "ctljystk" "Creative Joyport Enabler" "Creative Technology Ltd." "c:\windows\system32\drivers\ctljystk.sys" "7/19/2001 4:28 PM"
+ "emu10k" "Creative SB Live! Adapter Driver" "Creative Technology Ltd." "c:\windows\system32\drivers\emu10k1m.sys" "8/3/2001 8:36 PM"
+ "emu10k1" "Creative SB Live! Interface Driver" "Creative Technology Ltd." "c:\windows\system32\drivers\ctlfacem.sys" "8/3/2001 8:36 PM"
+ "esgiguard" "" "" "File not found: C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys" ""
+ "HSF_DP" "HSF_DP driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\hsfdpsp2.sys" "6/17/2004 4:55 PM"
+ "HSFHWBS2" "HSF_HWB2 WDM driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\hsfbs2s2.sys" "6/17/2004 4:56 PM"
+ "i2omgmt" "" "" "File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys" ""
+ "lbrtfdc" "" "" "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys" ""
+ "mdmxsdk" "Diagnostic Interface DRIVER" "Conexant" "c:\windows\system32\drivers\mdmxsdk.sys" "3/17/2004 1:04 PM"
+ "nv" "NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 " "NVIDIA Corporation" "c:\windows\system32\drivers\nv4_mini.sys" "4/7/2004 8:30 PM"
+ "PCIDump" "" "" "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys" ""
+ "PDCOMP" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys" ""
+ "PDFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys" ""
+ "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys" ""
+ "PDRFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys" ""
+ "Ptilink" "Direct Parallel Link Driver" "Parallel Technologies, Inc." "c:\windows\system32\drivers\ptilink.sys" "8/17/2001 2:49 PM"
+ "rtl8139" "Realtek RTL8139 NDIS 5.0 Driver" "Realtek Semiconductor Corporation" "c:\windows\system32\drivers\rtl8139.sys" "6/12/2003 11:29 PM"
+ "SASDIFSV" "SASDIFSV.SYS" "SUPERAdBlocker.com and SUPERAntiSpyware.com" "c:\program files\superantispyware\sasdifsv.sys" "7/21/2011 5:03 PM"
+ "SASKUTIL" "SASKUTIL.SYS" "SUPERAdBlocker.com and SUPERAntiSpyware.com" "c:\program files\superantispyware\saskutil.sys" "7/12/2011 2:24 PM"
+ "Secdrv" "SafeDisc driver" "" "c:\windows\system32\drivers\secdrv.sys" "2/9/2001 10:51 AM"
+ "sfman" "SoundFont® Manager" "Creative Technology Ltd." "c:\windows\system32\drivers\sfmanm.sys" "8/3/2001 8:36 PM"
+ "WDICA" "" "" "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys" ""
+ "winachsf" "HSF_CNXT driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\hsfcxts2.sys" "6/17/2004 4:55 PM"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" "" "3/27/2013 11:00 PM"
+ "aux" "Creative WDM Driver" "Creative Technology Ltd." "c:\windows\system32\ctwdm32.dll" "8/17/2001 11:33 PM"
+ "msacm.iac2" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax" "8/4/2004 1:56 AM"
+ "msacm.l3acm" "MPEG Layer-3 Audio Codec for MSACM" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codeca.acm" "8/4/2004 1:56 AM"
+ "msacm.sl_anet" "Audio codec for MS ACM" "Sipro Lab Telecom Inc." "c:\windows\system32\sl_anet.acm" "8/4/2004 1:56 AM"
+ "msacm.trspch" "DSP Group TrueSpeech™ Audio Codec for MSACM V3.50" "DSP GROUP, INC." "c:\windows\system32\tssoft32.acm" "8/17/2001 11:35 PM"
+ "vidc.cvid" "Cinepak® Codec" "Radius Inc." "c:\windows\system32\iccvid.dll" "8/4/2004 1:56 AM"
+ "vidc.iv31" "" "" "c:\windows\system32\ir32_32.dll" "8/17/2001 11:33 PM"
+ "vidc.iv32" "" "" "c:\windows\system32\ir32_32.dll" "8/17/2001 11:33 PM"
+ "vidc.iv41" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax" "8/4/2004 1:56 AM"
+ "vidc.iv50" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll" "8/4/2004 1:56 AM"
"HKLM\Software\Classes\Filter" "" "" "" "3/27/2013 10:41 PM"
+ "Indeo® video 4.4 Compression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax" "8/4/2004 1:56 AM"
+ "Indeo® video 4.4 Compression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax" "8/4/2004 1:56 AM"
+ "Indeo® video 4.4 Decompression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax" "8/4/2004 1:56 AM"
+ "Indeo® video 4.4 Decompression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax" "8/4/2004 1:56 AM"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" "" "3/3/2013 11:47 AM"
+ "9x8Resize" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "ACELP.net Audio Decoder" "ACELP.net Audio Decoder" "Sipro Lab Telecom Inc." "c:\windows\system32\acelpdec.ax" "8/17/2001 11:35 PM"
+ "Allocator Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "Bitmap" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "Frame Eater" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "Indeo® audio software" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax" "8/4/2004 1:56 AM"
+ "Indeo® video 5.10 Compression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll" "8/4/2004 1:56 AM"
+ "Indeo® video 5.10 Decompression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll" "8/4/2004 1:56 AM"
+ "MPEG Layer-3 Decoder" "MPEG Layer-3 Audio Decoder" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codecx.ax" "8/17/2001 11:33 PM"
+ "RealPlayer Audio Filter" "Audio Filter Plugin" "RealNetworks, Inc." "c:\program files\real\realplayer\rdsf3260.dll" "11/30/2012 5:23 PM"
+ "RealPlayer Mp3 Transform Filter" "Audio Filter Plugin" "RealNetworks, Inc." "c:\program files\real\realplayer\rdsf3260.dll" "11/30/2012 5:23 PM"
+ "RealPlayer MPEG4 Transform Filter" "Audio Filter Plugin" "RealNetworks, Inc." "c:\program files\real\realplayer\rdsf3260.dll" "11/30/2012 5:23 PM"
+ "RealPlayer Transcode Filter" "Audio Filter Plugin" "RealNetworks, Inc." "c:\program files\real\realplayer\rdsf3260.dll" "11/30/2012 5:23 PM"
+ "RealPlayer Video Filter" "Audio Filter Plugin" "RealNetworks, Inc." "c:\program files\real\realplayer\rdsf3260.dll" "11/30/2012 5:23 PM"
+ "Record Queue" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "ShotDetect" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "Stetch" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WIA Stream Snapshot Filter" "WIA Stream Snapshot Filter" "MyCompanyName" "c:\windows\system32\wiasf.ax" "8/17/2001 11:35 PM"
+ "WM VIH2 Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Audio Analyzer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Black Frame Generator" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT DirectX Transform Wrapper" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT DV Extract Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT FormatConversion" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Import Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Interlacer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Log Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT MuxDeMux Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Sample Info Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Screen capture Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Switch Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Virtual Renderer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Virtual Source" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
+ "WMT Volume" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "8/4/2004 1:57 AM"
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute" "" "" "" "3/27/2013 11:00 PM"
+ "C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart" "AVG Resident Shield Service" "AVG Technologies CZ, s.r.o." "c:\program files\avg\avg2013\avgrsx.exe" "10/29/2012 8:35 PM"
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" "" "3/27/2013 11:01 PM"
+ "hpzsnt07" "" "HP" "c:\windows\system32\hpzsnt07.dll" "9/5/2002 11:16 AM"
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders" "" "" "" "3/27/2013 11:00 PM"
+ "credssp.dll" "" "" "File not found: credssp.dll" ""


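A triage script for the two Farbar Service Scanner logs in this thread, added here as an example; it is not part of the thread, of FSS, or of the ServicesRepair tool the next post recommends. It runs over constructed excerpts modelled on the logs above (trimmed, not the full output), lists every service whose registry configuration FSS could not read, and flags "File Check" entries whose modification time falls within a week of the scan. The one-week window and the "recently modified, so hash it" heuristic are assumptions of this example, not something FSS itself reports.

```python
# Added example, not part of this thread or of Farbar Service Scanner (FSS).
# Parses FSS text output: damaged service configuration + recently modified files.
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed excerpts modelled on the before/after logs in the thread (trimmed).
BEFORE = r"""Farbar Service Scanner Version: 03-03-2013
Ran by Thinderbolt (administrator) on 27-03-2013 at 23:02:49

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ServiceDll of BITS service is OK.

File Check:
========
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 06:00] - [2013-03-27 21:04] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\services.exe
[2004-08-04 06:00] - [2004-08-04 06:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

**** End of log ****"""

AFTER = r"""Farbar Service Scanner Version: 03-03-2013
Ran by Thinderbolt (administrator) on 27-03-2013 at 23:34:03

Windows Firewall:
=============

**** End of log ****"""

RAN_ON = re.compile(r"^Ran by .* on (\d{2}-\d{2}-\d{4}) at \d{2}:\d{2}:\d{2}")
SERVICE_HDR = re.compile(r"^(\S+) Service is not running\. Checking service configuration:")
FILE_PATH = re.compile(r"^[A-Za-z]:\\\S+$")
FILE_DETAIL = re.compile(r"^\[([-\d: ]{16})\] - \[([-\d: ]{16})\] - (\d+) \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")
FileRec = namedtuple("FileRec", "path created modified size company md5")

def scan_date(log):
    """Scan date from the 'Ran by ... on DD-MM-YYYY' header line."""
    for line in log.splitlines():
        m = RAN_ON.match(line)
        if m:
            return datetime.strptime(m.group(1), "%d-%m-%Y")
    raise ValueError("no 'Ran by ... on' header in log")

def damaged_services(log):
    """Map service name -> 'Unable to ...' findings. An empty dict means clean."""
    findings, current = {}, None
    for line in log.splitlines():
        if not line.strip():
            current = None                  # an FSS service block ends at a blank line
            continue
        m = SERVICE_HDR.match(line)
        if m:
            current = m.group(1)
            findings.setdefault(current, [])
        elif current and "Unable to" in line:
            findings[current].append(line.split("=====> ")[-1].strip())  # drop "Checking X: ATTENTION!=====> "
    return {svc: f for svc, f in findings.items() if f}

def file_records(log):
    """'File Check' entries: a path line followed by '[created] - [modified] - size attrs (company) MD5'."""
    out, lines = [], log.splitlines()
    for path, detail in zip(lines, lines[1:]):
        d = FILE_DETAIL.match(detail) if FILE_PATH.match(path) else None
        if d:
            created, modified = (datetime.strptime(d.group(i), "%Y-%m-%d %H:%M") for i in (1, 2))
            out.append(FileRec(path, created, modified, int(d.group(3)), d.group(4), d.group(5).upper()))
    return out

def recently_modified(log, days=7):
    """Files modified within `days` of the scan (window is an assumption of this example):
    on a years-old install these are the ones to hash-check against a trusted source."""
    cutoff = scan_date(log) - timedelta(days=days)
    return [r for r in file_records(log) if r.modified >= cutoff]

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        print(label, "damaged:", sorted(damaged_services(log)) or "none",
              "| recently modified:", [r.path for r in recently_modified(log)])
```

Against the first log the script reports sharedaccess, wscsvc, wuauserv and BITS, the four services whose keys or values FSS could not find; against the post-repair log it reports none, which is the same conclusion the helper draws from the empty sections in the later post. ipsec.sys is flagged only because its modification time is the day of the scan; the script does not say whether the file is bad, and the hash should be checked against a trusted source before anything is done about it. services.exe, the file AVG named, still carries its 2004 timestamps in the log.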

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 March 2013 - 11:10 PM

Turn on AVG

 

Download the Services Repair tool from here:

ServicesRepair

  • Double-click ServicesRepair.exe
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool is finished you will be prompted to restart your computer. Click Yes to restart.

Run Farbar service scanner again and post the new log



#7 laczny

laczny
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Female

Posted 27 March 2013 - 11:35 PM

Farbar's Service Scanner log:

 

Farbar Service Scanner Version: 03-03-2013
Ran by Thinderbolt (administrator) on 27-03-2013 at 23:34:03
Running from "C:\Documents and Settings\Thinderbolt\My Documents\Downloads"
Microsoft Windows XP Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 06:00] - [2004-08-04 06:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-04 06:00] - [2004-08-04 06:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 06:00] - [2013-03-27 21:04] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2013-03-03 11:44] - [2004-08-04 06:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2013-03-03 11:46] - [2004-08-04 06:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2013-03-03 11:46] - [2004-08-04 06:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2013-03-03 11:44] - [2004-08-04 06:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2013-03-03 11:46] - [2004-08-04 06:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll
[2013-03-03 11:46] - [2004-08-04 06:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0243200 ____A (Microsoft Corporation) ACD36A2DD7D1E9D8A060AA651DC07E63

C:\WINDOWS\system32\cryptsvc.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe
[2004-08-04 06:00] - [2004-08-04 06:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-04 06:00] - [2004-08-04 06:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe
[2004-08-04 06:00] - [2004-08-04 06:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


Extra List:
=======
Avgtdix(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****



#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 March 2013 - 11:45 PM

That looks good.

Remove temporary and junk files

Download Temp File Cleaner from HERE. Launch it; it will close all running programs.

Click on START; it should ask for a reboot. If TFC locks up the system, run it in Safe Mode.
 

Create a new restore point

Follow this guide to turn off and turn on your restore points

Windows XP

Vista & windows 7

Windows 8

Turn off System Restore (this deletes the old, infected restore points), then turn System Restore back on and create a new restore point.

Update JAVA and Flash player

Uninstall old versions of Java and Flash Player from Control Panel > Add or Remove Programs. Download the latest versions from here:

http://java.com/en/ & http://www.adobe.com/support/flashplayer/downloads.html

Antivirus recommendations

Update your antivirus frequently. Two free antivirus programs that I would suggest are

Microsoft Security Essentials or Avast. You can select either one of them.

If you have a paid one, make sure to update it frequently. Do not use multiple security programs.

Informative guides that could prevent you from being infected again

How did I get infected?

Best Practices for Safe Computing - Prevention of Malware Infection

Simple and easy ways to keep your computer safe and secure on the Internet


Safe surfing :)



#9 laczny

laczny
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Female

Posted 28 March 2013 - 12:08 AM

Thank you so very much! I was ready to chuck the CPU off of our patio. You made this super easy to follow! Again, thank you!



#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 28 March 2013 - 12:08 AM

:welcome:





