Inactive [A] Infected with sirefef.y Windows XP MCE

Status
Not open for further replies.

Reptar

Posts: 44   +0
Thanks for the help on the last pc, here is the other that is killing me. Looks like sirefef struck this one too, however its not doing the 60 second reboot. It has also killed the wireless network, so no connectivity. Windows XP Media center edition.
 
Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
DDS-

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Michael at 11:06:23 on 2012-06-22
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1104566655515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292358942390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{5EB74B4B-8B5E-4F8A-BD6D-FD6329B0A654} : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{B4601F68-7B62-46DD-B197-56CED4ED4D71} : DhcpNameServer = 10.0.1.99
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\michael\application data\mozilla\firefox\profiles\vu2pgkjw.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-06-22 14:51:5029904----a-w-c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65be77f7-1a66-40c9-919f-c44cee8ac773}\MpKsld947cd68.sys
2012-06-18 17:35:4498816----a-w-c:\windows\sed.exe
2012-06-18 17:35:44518144----a-w-c:\windows\SWREG.exe
2012-06-18 17:35:44256000----a-w-c:\windows\PEV.exe
2012-06-18 17:35:44208896----a-w-c:\windows\MBR.exe
2012-06-18 17:35:29--------d-s---w-C:\ComboFix
2012-06-18 17:33:2656200----a-w-c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65be77f7-1a66-40c9-919f-c44cee8ac773}\offreg.dll
2012-06-18 16:19:55--------d-----w-C:\pebuilder3110a
2012-06-18 14:13:13--------d--h--w-C:\VritualRoot
2012-06-18 14:00:00--------d-----w-c:\windows\system32\DBBK
2012-06-13 01:08:55--------d-----w-c:\documents and settings\all users\application data\CPA_VA
2012-06-13 01:07:23609057----a-w-c:\windows\system32\drivers\sfi.dat
2012-06-13 00:47:53--------d-----w-c:\documents and settings\all users\application data\Comodo
2012-06-13 00:47:2242760----a-w-c:\windows\system32\certsentry.dll
2012-06-13 00:47:22--------d-----w-c:\documents and settings\michael\local settings\application data\COMODO
2012-06-13 00:47:11--------d-----w-c:\program files\Comodo
2012-06-13 00:47:041700352----a-w-c:\windows\system32\gdiplus.dll
2012-06-12 04:01:50675840----a-w-c:\windows\system32\NETwLc32.dll
2012-06-12 04:01:506609920----a-w-c:\windows\system32\drivers\NETwLx32.sys
2012-06-12 04:01:502756608----a-w-c:\windows\system32\NETwLr32.dll
2012-06-12 02:16:12--------d-----w-c:\documents and settings\michael\application data\Malwarebytes
2012-06-12 02:16:03--------d-----w-c:\documents and settings\all users\application data\Malwarebytes
2012-06-12 02:16:0122344----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-12 02:16:01--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-06-12 02:02:5645056----a-w-c:\windows\system32\UTSCSI.EXE
2012-06-12 02:02:53--------d-----w-c:\program files\Cisco Systems
2012-06-12 02:02:52816672---ha-w-c:\windows\system32\drivers\AM10XP.sys
2012-06-12 02:02:37--------d-----w-c:\documents and settings\all users\application data\Cisco Systems
2012-06-12 01:43:33226592---ha-w-c:\windows\system32\RaCoInst.dll
2012-06-12 01:43:331174976----a-w-c:\windows\system32\drivers\rt2870.sys
2012-06-12 01:12:07--------d-----w-c:\documents and settings\michael\application data\Intel
.
==================== Find3M ====================
.
2012-04-20 23:24:550--sha-w-c:\windows\system32\dds_trash_log.cmd
.
============= FINISH: 11:08:27.32 ===============
 
GMER-

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-06-22 11:02:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e FUJITSU_MHV2120BH_PL rev.00000029
Running: bepub3wo.exe; Driver: C:\DOCUME~1\Michael\LOCALS~1\Temp\pwdoikob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xAA3F6830]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xAA3F6A86]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
attach-

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 7.1.0
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Bewitched (remove only)
Bonjour
BroadJump Client Foundation
Click to DVD 2.0.03 Menu Data
Click to DVD 2.5.30
Comodo Dragon
COMODO GeekBuddy
COMODO Internet Security
DivX Codec
DivX Player
DivX Web Player
Google Chrome
Google Update Helper
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Image Converter 2 Plus
ImageStation
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
InterVideo WinDVD for VAIO
ISScript
iTunes
J2SE Runtime Environment 5.0 Update 7
JEOPARDY! (remove only)
LAN Setting Utility
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Malwarebytes Anti-Malware version 1.61.0.1400
McAfee Security Scan Plus
Memory Stick Formatter
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Security Client
Microsoft Security Essentials
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft XML Parser
Mozilla Firefox 11.0 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
neroxml
NVIDIA Drivers
Office 2003 Trial Assistant
OpenMG Secure Module 4.5.01
PE Builder 3.1.10a
QuickTime
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
Search Enhancement by AOL Search
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Setting Utility Series
SigmaTel Audio
Sonic Encoders
SonicStage Mastering Studio 2.2
Sony Certificate PCH
Sony Ericsson Wireless Manager
Sony Ericsson Wireless Modem
Sony Ericsson Wireless Modem Driver
Sony MP4 Shared Library
Sony USB Mouse
Sony Utilities DLL
Sony Video Shared Library
Starcraft
Symantec KB-DocID:2003093015493306
The Da Vinci Code (remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VAIO Backup Utility
VAIO Breeze Wallpaper
VAIO Camera Utility
VAIO Central
VAIO Entertainment Platform
VAIO Event Service
VAIO Hardware Diagnostics
VAIO Light Flo Wallpaper
VAIO Media 5.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 5.0
VAIO Media Redistribution 5.0
VAIO Media Registration Tool 5.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
VAIO Power Management
VAIO Registration
VAIO Security Center
VAIO Support Central
VAIO Update 4
VAIO Wireless LAN Setup Utility
VCRedistSetup
VideoLAN VLC media player 0.8.6e
Warcraft III: All Products
WebFldrs XP
Wheel of Fortune (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB886612 for more information]
Windows Media Player 11
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
.
==== End Of File ===========================
 
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.18.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Michael :: SONYLAPTOP [administrator]
6/22/2012 11:15:43 AM
mbam-log-2012-06-22 (11-15-43).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241947
Time elapsed: 15 minute(s), 53 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 
ESET SCAN -

Scan Log
Version of virus signature database: 7010 (20120329)
Date: 6/22/2012 Time: 5:51:27 PM
Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
C:\pagefile.sys - error opening [4]
C:\Documents and Settings\All Users\Application Data\e2f44e\3145.mof - Win32/RogueAV.A trojan - cleaned by deleting - quarantined [1]
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{FFDDCD6C-B597-484D-BA90-708AD2F6F82C}\Microsoft\Outlook Express\Sent Items.dbx » DBX - is OK (internal scanning not performed)
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/01 - Ace Of Spades.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/02 - Love Me Like A Reptile.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/03 - Shoot You In The Back.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/04 - Live To Win.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/05 - Fast And Loose.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/06 - (We Are)The Road Crew.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/07 - Fire, Fire.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/08 - Jail Bait.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/09 - Dance.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/10 - Bite The Bullet.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/11 - The Chase Is Better Than The Catch.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/12 - The Hammer.mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/13 - Dirty Love(bonus track).mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/14 - Please Don't Touch(bonus track).mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/15 - Emergency(bonus track).mp3 - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/motorhead_-_ace_of_spades_(1996)-back.jpg - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/motorhead_-_ace_of_spades_(1996)-front.jpg - error - password-protected file
C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/Thumbs.db - error - password-protected file
C:\Program Files\Microsoft CAPICOM 2.1.0.2\License\license.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Works\Works Source\REDIST\IE6\IENT_S1.CAB » CAB » IENT_1.CAB » CAB » MSHTML.DLL - next archive volume not found
C:\Program Files\Microsoft Works\Works Source\REDIST\IE6\IE_S1.CAB » CAB » IE_1.CAB » CAB » MSHTML.TLB - next archive volume not found
C:\Program Files\Online Services\AOL Setup\COMPS\VWPT\VWPT.EXE » NSIS - unpack error
C:\System Volume Information\_restore{ECE42D92-315C-418E-8F32-95DC4FF2BBEF}\RP463\A0054123.mof - Win32/RogueAV.A trojan - cleaned by deleting - quarantined [1]
C:\WINDOWS\system32\drivers\sfi.dat - error opening [4]
Number of scanned objects: 331765
Number of threats found: 2
Number of cleaned objects: 2
Time of completion: 7:40:10 PM Total scanning time: 6523 sec (01:48:43)

Notes:
[1] Object has been deleted as it only contained the virus body.
[4] Object cannot be opened. It may be in use by another application or operating system.
 
MABM shows nothing
MSE showed FakePAV virus
ESET showed Win32/RogueAV.A trojan

Still can not connect to the internet on this pc, it is stoping wifi and LAN packets, but connection is detected.
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I get this error when running combofix -

This machine does not have the 'Microsoft Windows recovery console' installed. Alternately, an existing installation of the recovery console may be present but requires updating.
 
now it says "you are infected with the Rootkit.ZeroAccess! It has inserted itself into the tcp/ip strack. This is a particually difficult infection. I will let it finish and report back.
 
ComboFix 12-06-21.03 - Michael 06/23/2012 0:45.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.473 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: AV Security Essentials *Enabled/Updated* {7DA7DC8E-089B-40BB-AC42-8650E62CACF5}
AV: COMODO Antivirus *Enabled/Outdated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AV Security Essentials *Enabled* {42703815-CCD4-4CF4-A42E-F919C68D0E6A}
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Michael\Recent\cb.dll
c:\documents and settings\Michael\Recent\cid.sys
c:\documents and settings\Michael\Recent\CLSV.drv
c:\documents and settings\Michael\Recent\eb.sys
c:\documents and settings\Michael\Recent\FS.tmp
c:\documents and settings\Michael\Recent\gid.tmp
c:\documents and settings\Michael\Recent\kernel32.dll
c:\documents and settings\Michael\Recent\kernel32.tmp
c:\documents and settings\Michael\Recent\pal.sys
c:\documents and settings\Michael\Recent\PE.sys
c:\documents and settings\Michael\Recent\PE.tmp
c:\documents and settings\Michael\Recent\runddl.dll
c:\documents and settings\Michael\Recent\sld.exe
c:\documents and settings\Michael\Recent\SM.exe
c:\windows\setupapi.log
.
.
((((((((((((((((((((((((( Files Created from 2012-05-23 to 2012-06-23 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 21:54 . 2011-08-14 22:4397208----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 3117344]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-16 02:4687352----a-w-c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:5173728----a-w-c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-11-18 03:47118784----a-w-c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:2859240----a-w-c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-11 04:26368706----a-w-c:\program files\BroadJump\Client Foundation\CFD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27208184----a-w-c:\program files\Comodo\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2012-03-12 01:136749512----a-w-c:\program files\Comodo\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27182584----a-w-c:\program files\Comodo\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:5664512----a-w-c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GCXX-Manager-Class]
2007-06-14 23:36925696----a-w-c:\program files\Sony Ericsson\Wireless Manager\GCXXManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-04-05 18:2177824----a-w-c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-04-05 18:21118784----a-w-c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-04-05 18:2194208----a-w-c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 21:1232768----a-w-c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 23:05421736----a-w-c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-08-24 14:51442455----a-w-c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2002-03-14 23:4645056----a-w-c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 19:16997920----a-w-c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:121695232------w-c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-08 17:507561216----a-w-c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38421888----a-w-c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2006-06-28 01:24217088----a-w-c:\program files\Sony\VAIO Power Management\SPMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-05-03 09:5636975----a-w-c:\program files\Java\jre1.5.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 4]
2008-07-30 18:19870240------w-c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-27 21:5869632----a-w-c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 04:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Polycom\\PVX\\vvsys.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 136176]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R3 AM10;Cisco AM10 Driver;c:\windows\system32\DRIVERS\AM10XP.sys [2010-02-13 816672]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\DRIVERS\GCXX.sys [2007-05-14 108928]
R3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\DRIVERS\GCXXNet.sys [2007-05-10 53248]
R3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\DRIVERS\GCXXSC.sys [2007-05-10 19328]
R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2012-03-12 18056]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-03-12 494968]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 120152]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2012-03-14 104160]
S1 MpKsl08f9c3d2;MpKsl08f9c3d2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C68A122-C221-49B4-A0EC-B543FFD9B5CE}\MpKsl08f9c3d2.sys [2012-06-23 29904]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1052472]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files\Comodo\Dragon\dragon_updater.exe [2012-04-13 409232]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2012-03-07 913144]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\DRIVERS\NETwLx32.sys [2010-10-07 6609920]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2006-03-07 30080]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-22 226304]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL08F9C3D2
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
proxyhostdriver
epson_pm_rpcv4_01
R300
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\vu2pgkjw.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-23 00:58
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\LMIinit.dll
c:\windows\system32\VESWinlogon.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(588)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.EXE'(1704)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'csrss.exe'(496)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2012-06-23 01:02:37
ComboFix-quarantined-files.txt 2012-06-23 05:02
ComboFix2.txt 2012-06-22 19:41
.
Pre-Run: 53,735,858,176 bytes free
Post-Run: 53,707,776,000 bytes free
.
- - End Of File - - 2A882F415762072227D2D529627DBDCE
 
You're running three AV programs, Microsoft Security Essentials, Comodo and Eset.
You must uninstall TWO of them.

Uninstall McAfee Security Scan Plus, typical foistware.

Next....

Make sure you follow my instructions and allow Recovery Console installation on next Combofix run.


1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
SecCenter::
{7DA7DC8E-089B-40BB-AC42-8650E62CACF5}
{42703815-CCD4-4CF4-A42E-F919C68D0E6A}

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-06-21.03 - Michael 06/24/2012 16:22:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.590 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-24 20:06 . 2012-06-24 20:06--------d--h--w-c:\windows\system32\GroupPolicy
2012-06-22 21:55 . 2012-06-22 21:55--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-06-22 21:47 . 2012-06-22 21:47--------d-----w-c:\program files\ESET
2012-06-22 21:47 . 2012-06-22 21:47--------d-----w-c:\documents and settings\All Users\Application Data\ESET
2012-06-22 21:41 . 2012-06-22 21:41--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\Sun
2012-06-22 21:26 . 2012-06-22 21:25772592----a-w-c:\windows\system32\npDeployJava1.dll
2012-06-22 21:26 . 2012-06-22 21:25687600----a-w-c:\windows\system32\deployJava1.dll
2012-06-22 21:26 . 2012-06-22 21:25143872----a-w-c:\windows\system32\javacpl.cpl
2012-06-22 21:16 . 2012-06-22 21:16--------d-----w-C:\regbak
2012-06-22 19:28 . 2008-04-13 19:21162816-c--a-w-c:\windows\system32\dllcache\netbt.sys
2012-06-22 19:28 . 2008-04-13 19:21162816----a-w-c:\windows\system32\drivers\netbt.sys
2012-06-22 15:33 . 2012-06-22 15:33--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\PCHealth
2012-06-22 15:13 . 2008-04-13 21:1121504-c--a-w-c:\windows\system32\dllcache\hidserv.dll
2012-06-22 15:13 . 2008-04-13 21:1121504----a-w-c:\windows\system32\hidserv.dll
2012-06-22 15:08 . 2012-06-22 15:08--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-06-18 16:19 . 2012-06-18 16:28--------d-----w-C:\pebuilder3110a
2012-06-18 14:00 . 2012-06-18 14:14--------d-----w-c:\windows\system32\DBBK
2012-06-13 01:08 . 2012-06-13 01:08--------d-----w-c:\documents and settings\All Users\Application Data\CPA_VA
2012-06-13 01:07 . 2012-06-24 20:091474832----a-w-c:\windows\system32\drivers\sfi.dat
2012-06-13 00:47 . 2012-06-24 20:04--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\COMODO
2012-06-13 00:47 . 2012-06-13 00:471700352----a-w-c:\windows\system32\gdiplus.dll
2012-06-12 23:53 . 2012-06-12 23:53--------d-----w-c:\documents and settings\Administrator\Application Data\U3
2012-06-12 23:47 . 2012-06-12 23:47--------d-----w-c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-06-12 23:47 . 2012-06-12 23:47--------d-sh--w-c:\documents and settings\Administrator\IETldCache
2012-06-12 04:01 . 2010-10-07 11:116609920----a-w-c:\windows\system32\drivers\NETwLx32.sys
2012-06-12 04:01 . 2010-02-24 23:39675840----a-w-c:\windows\system32\NETwLc32.dll
2012-06-12 04:01 . 2010-02-24 23:372756608----a-w-c:\windows\system32\NETwLr32.dll
2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\documents and settings\Michael\Application Data\Malwarebytes
2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-06-12 02:16 . 2012-04-04 19:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-12 02:02 . 2012-06-12 02:0245056----a-w-c:\windows\system32\UTSCSI.EXE
2012-06-12 02:02 . 2012-06-13 00:01--------d-----w-c:\program files\Cisco Systems
2012-06-12 02:02 . 2010-02-13 08:36816672---ha-w-c:\windows\system32\drivers\AM10XP.sys
2012-06-12 02:02 . 2012-06-12 02:02--------d-----w-c:\documents and settings\All Users\Application Data\Cisco Systems
2012-06-12 01:43 . 2011-04-25 14:311174976----a-w-c:\windows\system32\drivers\rt2870.sys
2012-06-12 01:43 . 2010-02-13 08:36226592---ha-w-c:\windows\system32\RaCoInst.dll
2012-06-12 01:12 . 2012-06-12 01:40--------d-----w-c:\documents and settings\Michael\Application Data\Intel
2012-06-12 01:10 . 2012-06-12 01:40--------d-----w-c:\documents and settings\All Users\Application Data\Intel
2012-06-12 00:40 . 2012-06-22 15:14--------d-----w-c:\documents and settings\Michael\Application Data\U3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 21:54 . 2011-08-14 22:4397208----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 3117344]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-16 02:4687352----a-w-c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:5173728----a-w-c:\windows\system32\VESWinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-11-18 03:47118784----a-w-c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:2859240----a-w-c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-11 04:26368706----a-w-c:\program files\BroadJump\Client Foundation\CFD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:5664512----a-w-c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GCXX-Manager-Class]
2007-06-14 23:36925696----a-w-c:\program files\Sony Ericsson\Wireless Manager\GCXXManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-04-05 18:2177824----a-w-c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-04-05 18:21118784----a-w-c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-04-05 18:2194208----a-w-c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 21:1232768----a-w-c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 23:05421736----a-w-c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-08-24 14:51442455----a-w-c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2002-03-14 23:4645056----a-w-c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:121695232------w-c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-08 17:507561216----a-w-c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38421888----a-w-c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2006-06-28 01:24217088----a-w-c:\program files\Sony\VAIO Power Management\SPMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-05-03 09:5636975----a-w-c:\program files\Java\jre1.5.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 4]
2008-07-30 18:19870240------w-c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-27 21:5869632----a-w-c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 04:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/14/2012 8:40 AM 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/14/2012 8:40 AM 104160]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/7/2012 3:40 PM 913144]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [6/12/2012 12:01 AM 6609920]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/24/2006 1:28 PM 30080]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/24/2006 1:28 PM 226304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [6/11/2012 10:02 PM 816672]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [12/30/2007 12:15 PM 108928]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [12/30/2007 12:15 PM 53248]
S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/30/2007 12:15 PM 19328]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
proxyhostdriver
epson_pm_rpcv4_01
R300
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\vu2pgkjw.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-COMODO - c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe
MSConfigStartUp-CPA - c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-24 16:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\LMIinit.dll
c:\windows\system32\VESWinlogon.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-06-24 16:34:38
ComboFix-quarantined-files.txt 2012-06-24 20:34
ComboFix2.txt 2012-06-23 05:02
ComboFix3.txt 2012-06-22 19:41
.
Pre-Run: 54,051,647,488 bytes free
Post-Run: 54,112,763,904 bytes free
.
- - End Of File - - 23FE0D7285FAE26A969718FD406195A8
 
1. You didn't follow my latest instructions:
You're running three AV programs, Microsoft Security Essentials, Comodo and Eset.
You must uninstall TWO of them.

Uninstall McAfee Security Scan Plus, typical foistware.

2. You didn't follow Combofix instructions which ask you to allow Recovery Console installation.

When done with #1 re-run Combofix, allow RC installation and post new log.

p4494882.gif
 
ComboFix 12-06-25.03 - Michael 06/25/2012 12:55:27.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.675 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
/wow section - STAGE 48
.
/wow section - STAGE 50
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-24 20:06 . 2012-06-24 20:06--------d--h--w-c:\windows\system32\GroupPolicy
2012-06-22 21:55 . 2012-06-22 21:55--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-06-22 21:41 . 2012-06-22 21:41--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\Sun
2012-06-22 21:26 . 2012-06-22 21:25772592----a-w-c:\windows\system32\npDeployJava1.dll
2012-06-22 21:26 . 2012-06-22 21:25687600----a-w-c:\windows\system32\deployJava1.dll
2012-06-22 21:26 . 2012-06-22 21:25143872----a-w-c:\windows\system32\javacpl.cpl
2012-06-22 21:16 . 2012-06-22 21:16--------d-----w-C:\regbak
2012-06-22 19:28 . 2008-04-13 19:21162816-c--a-w-c:\windows\system32\dllcache\netbt.sys
2012-06-22 19:28 . 2008-04-13 19:21162816----a-w-c:\windows\system32\drivers\netbt.sys
2012-06-22 15:33 . 2012-06-22 15:33--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\PCHealth
2012-06-22 15:13 . 2008-04-13 21:1121504-c--a-w-c:\windows\system32\dllcache\hidserv.dll
2012-06-22 15:13 . 2008-04-13 21:1121504----a-w-c:\windows\system32\hidserv.dll
2012-06-22 15:08 . 2012-06-22 15:08--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-06-18 16:19 . 2012-06-18 16:28--------d-----w-C:\pebuilder3110a
2012-06-18 14:00 . 2012-06-18 14:14--------d-----w-c:\windows\system32\DBBK
2012-06-13 01:08 . 2012-06-13 01:08--------d-----w-c:\documents and settings\All Users\Application Data\CPA_VA
2012-06-13 01:07 . 2012-06-24 20:091474832----a-w-c:\windows\system32\drivers\sfi.dat
2012-06-13 00:47 . 2012-06-24 20:04--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\COMODO
2012-06-13 00:47 . 2012-06-13 00:471700352----a-w-c:\windows\system32\gdiplus.dll
2012-06-12 23:53 . 2012-06-12 23:53--------d-----w-c:\documents and settings\Administrator\Application Data\U3
2012-06-12 23:47 . 2012-06-12 23:47--------d-----w-c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-06-12 23:47 . 2012-06-12 23:47--------d-sh--w-c:\documents and settings\Administrator\IETldCache
2012-06-12 04:01 . 2010-10-07 11:116609920----a-w-c:\windows\system32\drivers\NETwLx32.sys
2012-06-12 04:01 . 2010-02-24 23:39675840----a-w-c:\windows\system32\NETwLc32.dll
2012-06-12 04:01 . 2010-02-24 23:372756608----a-w-c:\windows\system32\NETwLr32.dll
2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\documents and settings\Michael\Application Data\Malwarebytes
2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-06-12 02:16 . 2012-04-04 19:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-12 02:02 . 2012-06-12 02:0245056----a-w-c:\windows\system32\UTSCSI.EXE
2012-06-12 02:02 . 2012-06-13 00:01--------d-----w-c:\program files\Cisco Systems
2012-06-12 02:02 . 2010-02-13 08:36816672---ha-w-c:\windows\system32\drivers\AM10XP.sys
2012-06-12 02:02 . 2012-06-12 02:02--------d-----w-c:\documents and settings\All Users\Application Data\Cisco Systems
2012-06-12 01:43 . 2011-04-25 14:311174976----a-w-c:\windows\system32\drivers\rt2870.sys
2012-06-12 01:43 . 2010-02-13 08:36226592---ha-w-c:\windows\system32\RaCoInst.dll
2012-06-12 01:12 . 2012-06-12 01:40--------d-----w-c:\documents and settings\Michael\Application Data\Intel
2012-06-12 01:10 . 2012-06-12 01:40--------d-----w-c:\documents and settings\All Users\Application Data\Intel
2012-06-12 00:40 . 2012-06-22 15:14--------d-----w-c:\documents and settings\Michael\Application Data\U3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 21:54 . 2011-08-14 22:4397208----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-16 02:4687352----a-w-c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:5173728----a-w-c:\windows\system32\VESWinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-11-18 03:47118784----a-w-c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:2859240----a-w-c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-11 04:26368706----a-w-c:\program files\BroadJump\Client Foundation\CFD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:5664512----a-w-c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GCXX-Manager-Class]
2007-06-14 23:36925696----a-w-c:\program files\Sony Ericsson\Wireless Manager\GCXXManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-04-05 18:2177824----a-w-c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-04-05 18:21118784----a-w-c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-04-05 18:2194208----a-w-c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2004-02-20 21:1232768----a-w-c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-06 23:05421736----a-w-c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-08-24 14:51442455----a-w-c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2002-03-14 23:4645056----a-w-c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:121695232------w-c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-08 17:507561216----a-w-c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38421888----a-w-c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
2006-06-28 01:24217088----a-w-c:\program files\Sony\VAIO Power Management\SPMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-05-03 09:5636975----a-w-c:\program files\Java\jre1.5.0_07\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 4]
2008-07-30 18:19870240------w-c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
2005-12-27 21:5869632----a-w-c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 04:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [6/12/2012 12:01 AM 6609920]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/24/2006 1:28 PM 30080]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/24/2006 1:28 PM 226304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [6/11/2012 10:02 PM 816672]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [12/30/2007 12:15 PM 108928]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [12/30/2007 12:15 PM 53248]
S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/30/2007 12:15 PM 19328]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
proxyhostdriver
epson_pm_rpcv4_01
R300
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\vu2pgkjw.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-25 13:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(476)
c:\windows\system32\LMIinit.dll
c:\windows\system32\VESWinlogon.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-06-25 13:05:05
ComboFix-quarantined-files.txt 2012-06-25 17:05
ComboFix2.txt 2012-06-24 20:34
ComboFix3.txt 2012-06-23 05:02
ComboFix4.txt 2012-06-22 19:41
.
Pre-Run: 54,432,665,600 bytes free
Post-Run: 54,436,085,760 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 598E762EC01029419941779172D1F787
 
Looks good.

How is computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /I " " /c
dir /b "%systemroot%\*.exe" | find /I " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
upon boot I got a windows registry recovery error and pc crashed, after reboot no more registry error, but pc can still not connect to the internet. I am running OTL and will post results soon.
 
When I got the virus. Ive tried a few things to no avail. Tried internal and external wireless adapters, also tried a LAN cable and it didnt work, so that rules out hardware failure. I am able to connect to router via wifi, but no packets are transferred. Combofix always had an alert about a rootkit virus whenever I ran it. Im running OTL now and will report back.
 
Status
Not open for further replies.
Back