[A] Infected with sirefef.y Windows XP MCE

By Reptar
Jun 18, 2012
  1. Thanks for the help on the last PC; here is the other one that is killing me. It looks like sirefef struck this one too; however, it's not doing the 60-second reboot. It has also killed the wireless network, so there is no connectivity. Windows XP Media Center Edition.
  2. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    It looks like the GMER links in the 5-step removal guide are invalid; you may want to update the guide.

    I was able to download GMER from here - http://www.gmer.net/#files
  4. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    DDS-

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Michael at 11:06:23 on 2012-06-22
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
    mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
    mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
    mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
    mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
    mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
    mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
    mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    uPolicies-explorer: DisallowRun = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1104566655515
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292358942390
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    TCP: DhcpNameServer = 10.0.1.1
    TCP: Interfaces\{5EB74B4B-8B5E-4F8A-BD6D-FD6329B0A654} : DhcpNameServer = 10.0.1.1
    TCP: Interfaces\{B4601F68-7B62-46DD-B197-56CED4ED4D71} : DhcpNameServer = 10.0.1.99
    Notify: igfxcui - igfxdev.dll
    Notify: LMIinit - LMIinit.dll
    Notify: VESWinlogon - VESWinlogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    IFEO: image file execution options - svchost.exe
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\michael\application data\mozilla\firefox\profiles\vu2pgkjw.default\
    FF - prefs.js: browser.search.selectedEngine - search
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2012-06-22 14:51:50 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65be77f7-1a66-40c9-919f-c44cee8ac773}\MpKsld947cd68.sys
    2012-06-18 17:35:44 98816 ----a-w- c:\windows\sed.exe
    2012-06-18 17:35:44 518144 ----a-w- c:\windows\SWREG.exe
    2012-06-18 17:35:44 256000 ----a-w- c:\windows\PEV.exe
    2012-06-18 17:35:44 208896 ----a-w- c:\windows\MBR.exe
    2012-06-18 17:35:29 -------- d-s---w- C:\ComboFix
    2012-06-18 17:33:26 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65be77f7-1a66-40c9-919f-c44cee8ac773}\offreg.dll
    2012-06-18 16:19:55 -------- d-----w- C:\pebuilder3110a
    2012-06-18 14:13:13 -------- d--h--w- C:\VritualRoot
    2012-06-18 14:00:00 -------- d-----w- c:\windows\system32\DBBK
    2012-06-13 01:08:55 -------- d-----w- c:\documents and settings\all users\application data\CPA_VA
    2012-06-13 01:07:23 609057 ----a-w- c:\windows\system32\drivers\sfi.dat
    2012-06-13 00:47:53 -------- d-----w- c:\documents and settings\all users\application data\Comodo
    2012-06-13 00:47:22 42760 ----a-w- c:\windows\system32\certsentry.dll
    2012-06-13 00:47:22 -------- d-----w- c:\documents and settings\michael\local settings\application data\COMODO
    2012-06-13 00:47:11 -------- d-----w- c:\program files\Comodo
    2012-06-13 00:47:04 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2012-06-12 04:01:50 675840 ----a-w- c:\windows\system32\NETwLc32.dll
    2012-06-12 04:01:50 6609920 ----a-w- c:\windows\system32\drivers\NETwLx32.sys
    2012-06-12 04:01:50 2756608 ----a-w- c:\windows\system32\NETwLr32.dll
    2012-06-12 02:16:12 -------- d-----w- c:\documents and settings\michael\application data\Malwarebytes
    2012-06-12 02:16:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-06-12 02:16:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-12 02:16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-12 02:02:56 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
    2012-06-12 02:02:53 -------- d-----w- c:\program files\Cisco Systems
    2012-06-12 02:02:52 816672 ---ha-w- c:\windows\system32\drivers\AM10XP.sys
    2012-06-12 02:02:37 -------- d-----w- c:\documents and settings\all users\application data\Cisco Systems
    2012-06-12 01:43:33 226592 ---ha-w- c:\windows\system32\RaCoInst.dll
    2012-06-12 01:43:33 1174976 ----a-w- c:\windows\system32\drivers\rt2870.sys
    2012-06-12 01:12:07 -------- d-----w- c:\documents and settings\michael\application data\Intel
    .
    ==================== Find3M ====================
    .
    2012-04-20 23:24:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    .
    ============= FINISH: 11:08:27.32 ===============
  5. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    GMER-

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-06-22 11:02:01
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e FUJITSU_MHV2120BH_PL rev.00000029
    Running: bepub3wo.exe; Driver: C:\DOCUME~1\Michael\LOCALS~1\Temp\pwdoikob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xAA3F6830]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xAA3F6A86]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
  6. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    attach-

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    .
    ==== Disk Partitions =========================
    .
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Viewer CS3
    Adobe PDF Library Files
    Adobe Reader 7.1.0
    Adobe Setup
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    Bewitched (remove only)
    Bonjour
    BroadJump Client Foundation
    Click to DVD 2.0.03 Menu Data
    Click to DVD 2.5.30
    Comodo Dragon
    COMODO GeekBuddy
    COMODO Internet Security
    DivX Codec
    DivX Player
    DivX Web Player
    Google Chrome
    Google Update Helper
    HDAUDIO SoftV92 Data Fax Modem with SmartCP
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 10 (KB910393)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Image Converter 2 Plus
    ImageStation
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    InterVideo WinDVD for VAIO
    ISScript
    iTunes
    J2SE Runtime Environment 5.0 Update 7
    JEOPARDY! (remove only)
    LAN Setting Utility
    Macromedia Flash Player 8
    Macromedia Flash Player 8 Plugin
    Malwarebytes Anti-Malware version 1.61.0.1400
    McAfee Security Scan Plus
    Memory Stick Formatter
    Microsoft .NET Framework 1.0 Hotfix (KB2572066)
    Microsoft .NET Framework 1.0 Hotfix (KB2656378)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Starter Edition 2006
    Microsoft Digital Image Starter Edition 2006 Editor
    Microsoft Digital Image Starter Edition 2006 Library
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft SQL Server Desktop Engine (VAIO_VEDB)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft XML Parser
    Mozilla Firefox 11.0 (x86 en-US)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    neroxml
    NVIDIA Drivers
    Office 2003 Trial Assistant
    OpenMG Secure Module 4.5.01
    PE Builder 3.1.10a
    QuickTime
    Roxio DigitalMedia Audio
    Roxio DigitalMedia Copy
    Roxio DigitalMedia Data
    Search Enhancement by AOL Search
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Setting Utility Series
    SigmaTel Audio
    Sonic Encoders
    SonicStage Mastering Studio 2.2
    Sony Certificate PCH
    Sony Ericsson Wireless Manager
    Sony Ericsson Wireless Modem
    Sony Ericsson Wireless Modem Driver
    Sony MP4 Shared Library
    Sony USB Mouse
    Sony Utilities DLL
    Sony Video Shared Library
    Starcraft
    Symantec KB-DocID:2003093015493306
    The Da Vinci Code (remove only)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    VAIO Backup Utility
    VAIO Breeze Wallpaper
    VAIO Camera Utility
    VAIO Central
    VAIO Entertainment Platform
    VAIO Event Service
    VAIO Hardware Diagnostics
    VAIO Light Flo Wallpaper
    VAIO Media 5.0
    VAIO Media AC3 Decoder 1.0
    VAIO Media Integrated Server 5.0
    VAIO Media Redistribution 5.0
    VAIO Media Registration Tool 5.0
    VAIO Original Screen Saver
    VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
    VAIO Power Management
    VAIO Registration
    VAIO Security Center
    VAIO Support Central
    VAIO Update 4
    VAIO Wireless LAN Setup Utility
    VCRedistSetup
    VideoLAN VLC media player 0.8.6e
    Warcraft III: All Products
    WebFldrs XP
    Wheel of Fortune (remove only)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix [See KB886612 for more information]
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Media Center Edition 2005 KB2502898
    Windows XP Media Center Edition 2005 KB2619340
    Windows XP Media Center Edition 2005 KB2628259
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== End Of File ===========================
  7. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    I still need the MBAM log.
  8. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    *edit* This may not be sirefef after all.
  9. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.18.05
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Michael :: SONYLAPTOP [administrator]
    6/22/2012 11:15:43 AM
    mbam-log-2012-06-22 (11-15-43).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 241947
    Time elapsed: 15 minute(s), 53 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  10. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    ESET SCAN -

    Scan Log
    Version of virus signature database: 7010 (20120329)
    Date: 6/22/2012 Time: 5:51:27 PM
    Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
    C:\pagefile.sys - error opening [4]
    C:\Documents and Settings\All Users\Application Data\e2f44e\3145.mof - Win32/RogueAV.A trojan - cleaned by deleting - quarantined [1]
    C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{FFDDCD6C-B597-484D-BA90-708AD2F6F82C}\Microsoft\Outlook Express\Sent Items.dbx » DBX - is OK (internal scanning not performed)
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/01 - Ace Of Spades.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/02 - Love Me Like A Reptile.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/03 - Shoot You In The Back.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/04 - Live To Win.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/05 - Fast And Loose.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/06 - (We Are)The Road Crew.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/07 - Fire, Fire.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/08 - Jail Bait.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/09 - Dance.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/10 - Bite The Bullet.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/11 - The Chase Is Better Than The Catch.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/12 - The Hammer.mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/13 - Dirty Love(bonus track).mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/14 - Please Don't Touch(bonus track).mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/15 - Emergency(bonus track).mp3 - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/motorhead_-_ace_of_spades_(1996)-back.jpg - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/motorhead_-_ace_of_spades_(1996)-front.jpg - error - password-protected file
    C:\Documents and Settings\Michael\My Documents\Downloads\1980 -Motorhead - Ace Of Spades - Apologize.zip » ZIP » 1980 -Motorhead - Ace Of Spades/Thumbs.db - error - password-protected file
    C:\Program Files\Microsoft CAPICOM 2.1.0.2\License\license.mht » MIME - is OK (internal scanning not performed)
    C:\Program Files\Microsoft Works\Works Source\REDIST\IE6\IENT_S1.CAB » CAB » IENT_1.CAB » CAB » MSHTML.DLL - next archive volume not found
    C:\Program Files\Microsoft Works\Works Source\REDIST\IE6\IE_S1.CAB » CAB » IE_1.CAB » CAB » MSHTML.TLB - next archive volume not found
    C:\Program Files\Online Services\AOL Setup\COMPS\VWPT\VWPT.EXE » NSIS - unpack error
    C:\System Volume Information\_restore{ECE42D92-315C-418E-8F32-95DC4FF2BBEF}\RP463\A0054123.mof - Win32/RogueAV.A trojan - cleaned by deleting - quarantined [1]
    C:\WINDOWS\system32\drivers\sfi.dat - error opening [4]
    Number of scanned objects: 331765
    Number of threats found: 2
    Number of cleaned objects: 2
    Time of completion: 7:40:10 PM Total scanning time: 6523 sec (01:48:43)

    Notes:
    [1] Object has been deleted as it only contained the virus body.
    [4] Object cannot be opened. It may be in use by another application or operating system.
  11. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    MBAM shows nothing
    MSE showed FakePAV virus
    ESET showed Win32/RogueAV.A trojan

    Still cannot connect to the internet on this PC; it is stopping WiFi and LAN packets, but a connection is detected.
  12. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    Also, I now see AV Security Essentials installed.
  13. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double-click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double-clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  14. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    I get this error when running combofix -

    This machine does not have the 'Microsoft Windows recovery console' installed. Alternately, an existing installation of the recovery console may be present but requires updating.
  15. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    Now it says "You are infected with the Rootkit.ZeroAccess! It has inserted itself into the TCP/IP stack. This is a particularly difficult infection." I will let it finish and report back.
  16. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    ComboFix 12-06-21.03 - Michael 06/23/2012 0:45.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.473 [GMT -4:00]
    Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
    AV: AV Security Essentials *Enabled/Updated* {7DA7DC8E-089B-40BB-AC42-8650E62CACF5}
    AV: COMODO Antivirus *Enabled/Outdated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    FW: AV Security Essentials *Enabled* {42703815-CCD4-4CF4-A42E-F919C68D0E6A}
    * Resident AV is active
    .
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Michael\Recent\cb.dll
    c:\documents and settings\Michael\Recent\cid.sys
    c:\documents and settings\Michael\Recent\CLSV.drv
    c:\documents and settings\Michael\Recent\eb.sys
    c:\documents and settings\Michael\Recent\FS.tmp
    c:\documents and settings\Michael\Recent\gid.tmp
    c:\documents and settings\Michael\Recent\kernel32.dll
    c:\documents and settings\Michael\Recent\kernel32.tmp
    c:\documents and settings\Michael\Recent\pal.sys
    c:\documents and settings\Michael\Recent\PE.sys
    c:\documents and settings\Michael\Recent\PE.tmp
    c:\documents and settings\Michael\Recent\runddl.dll
    c:\documents and settings\Michael\Recent\sld.exe
    c:\documents and settings\Michael\Recent\SM.exe
    c:\windows\setupapi.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-23 to 2012-06-23 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 21:54 . 2011-08-14 22:43  97208  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 3117344]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-16 02:46  87352  ----a-w-  c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-03-09 21:51  73728  ----a-w-  c:\windows\system32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
    backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1 [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
    2004-11-18 03:47  118784  ----a-w-  c:\program files\Apoint\Apoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-02-21 01:28  59240  ----a-w-  c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
    2002-09-11 04:26  368706  ----a-w-  c:\program files\BroadJump\Client Foundation\CFD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
    2011-11-23 10:27  208184  ----a-w-  c:\program files\Comodo\COMODO GeekBuddy\CLPSLA.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
    2012-03-12 01:13  6749512  ----a-w-  c:\program files\Comodo\COMODO Internet Security\cfp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
    2011-11-23 10:27  182584  ----a-w-  c:\program files\Comodo\COMODO GeekBuddy\VALA.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 20:56  64512  ----a-w-  c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GCXX-Manager-Class]
    2007-06-14 23:36  925696  ----a-w-  c:\program files\Sony Ericsson\Wireless Manager\GCXXManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-04-05 18:21  77824  ----a-w-  c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-04-05 18:21  118784  ----a-w-  c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-04-05 18:21  94208  ----a-w-  c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
    2004-02-20 21:12  32768  ----a-w-  c:\program files\Sony\ISB Utility\ISBMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-03-06 23:05  421736  ----a-w-  c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2005-08-24 14:51  442455  ----a-w-  c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
    2002-03-14 23:46  45056  ----a-w-  c:\windows\system32\ico.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
    2011-06-15 19:16  997920  ----a-w-  c:\program files\Microsoft Security Client\msseces.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12  1695232  ------w-  c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-08 17:50  7561216  ----a-w-  c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
    2003-04-20 04:08  28672  ----a-w-  c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 21:38  421888  ----a-w-  c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
    2006-06-28 01:24  217088  ----a-w-  c:\program files\Sony\VAIO Power Management\SPMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-05-03 09:56  36975  ----a-w-  c:\program files\Java\jre1.5.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
    2003-04-20 04:08  28672  ----a-w-  c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 4]
    2008-07-30 18:19  870240  ------w-  c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
    2005-12-27 21:58  69632  ----a-w-  c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05  204288  ------w-  c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Symantec Core LC"=3 (0x3)
    "LogMeIn"=2 (0x2)
    "LMIMaint"=2 (0x2)
    "AVGEMS"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Polycom\\PVX\\vvsys.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 136176]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
    R3 AM10;Cisco AM10 Driver;c:\windows\system32\DRIVERS\AM10XP.sys [2010-02-13 816672]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 136176]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\DRIVERS\GCXX.sys [2007-05-14 108928]
    R3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\DRIVERS\GCXXNet.sys [2007-05-10 53248]
    R3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\DRIVERS\GCXXSC.sys [2007-05-10 19328]
    R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
    S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2012-03-12 18056]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-03-12 494968]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 120152]
    S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2012-03-14 104160]
    S1 MpKsl08f9c3d2;MpKsl08f9c3d2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2C68A122-C221-49B4-A0EC-B543FFD9B5CE}\MpKsl08f9c3d2.sys [2012-06-23 29904]
    S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1052472]
    S2 DragonUpdater;COMODO Dragon Update Service;c:\program files\Comodo\Dragon\dragon_updater.exe [2012-04-13 409232]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2012-03-07 913144]
    S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
    S3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\DRIVERS\NETwLx32.sys [2010-10-07 6609920]
    S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2006-03-07 30080]
    S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-22 226304]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL08F9C3D2
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    proxyhostdriver
    epson_pm_rpcv4_01
    R300
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\vu2pgkjw.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-23 00:58
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(532)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\VESWinlogon.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'lsass.exe'(588)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'Explorer.EXE'(1704)
    c:\windows\system32\WININET.dll
    c:\windows\system32\guard32.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    - - - - - - - > 'csrss.exe'(496)
    c:\windows\system32\cmdcsr.dll
    .
    Completion time: 2012-06-23 01:02:37
    ComboFix-quarantined-files.txt 2012-06-23 05:02
    ComboFix2.txt 2012-06-22 19:41
    .
    Pre-Run: 53,735,858,176 bytes free
    Post-Run: 53,707,776,000 bytes free
    .
    - - End Of File - - 2A882F415762072227D2D529627DBDCE
  17. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    You're running three AV programs, Microsoft Security Essentials, Comodo and Eset.
    You must uninstall TWO of them.

    Uninstall McAfee Security Scan Plus, typical foistware.

    Next....

    Make sure you follow my instructions and allow Recovery Console installation on next Combofix run.


    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    SecCenter::
    {7DA7DC8E-089B-40BB-AC42-8650E62CACF5}
    {42703815-CCD4-4CF4-A42E-F919C68D0E6A}
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
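Two of the checks behind this post can be automated straight from the ComboFix log above. The block below is an added example for this thread, not ComboFix's or the poster's own code: it parses the Security Center product lines to count enabled real-time AV engines (the three-AV problem called out here) and to emit the SecCenter:: section for a named product (the same two GUIDs as the CFScript in this post), and it flags files named after core Windows binaries that sit outside the Windows directory, like the kernel32.dll ComboFix deleted from the Recent folder in the previous log. The sample lines are copied from the first ComboFix log in this thread; the function names are this example's own, and SYSTEM_NAMES is an illustrative subset, not a complete list.

```python
"""ComboFix log triage helpers (added example for this thread, not ComboFix code).

Assumptions: the AV:/FW: header lines and the '(((( Section ))))' banners keep
the layout seen in the logs posted above; SYSTEM_NAMES is an illustrative subset
of core Windows binary names, not a complete list.
"""
import re

# Constructed sample: header and "Other Deletions" lines copied from the first
# ComboFix log posted in this thread (the deletion list is shortened to four entries).
SAMPLE_LOG = r"""AV: AV Security Essentials *Enabled/Updated* {7DA7DC8E-089B-40BB-AC42-8650E62CACF5}
AV: COMODO Antivirus *Enabled/Outdated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AV Security Essentials *Enabled* {42703815-CCD4-4CF4-A42E-F919C68D0E6A}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Michael\Recent\cb.dll
c:\documents and settings\Michael\Recent\kernel32.dll
c:\documents and settings\Michael\Recent\sld.exe
c:\windows\setupapi.log
"""

# One Security Center registration per line: kind, product name, state flags, WMI instance GUID.
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW|AS):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*\s+(?P<guid>\{[0-9A-Fa-f-]+\})\s*$"
)

# Illustrative subset (assumption): file names that only belong under the Windows directory.
SYSTEM_NAMES = {
    "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
    "winlogon.exe", "csrss.exe", "lsass.exe", "svchost.exe", "services.exe",
}


def parse_products(log_text):
    """Return one dict per AV:/FW:/AS: line: kind, name, enabled flag and GUID."""
    products = []
    for line in log_text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            products.append({
                "kind": m.group("kind"),
                "name": m.group("name"),
                "enabled": m.group("state").split("/")[0].lower() == "enabled",
                "guid": m.group("guid"),
            })
    return products


def enabled_antivirus(products):
    """Sorted names of AV products reporting Enabled; more than one means
    competing real-time engines, which is what the user is told to fix."""
    return sorted({p["name"] for p in products if p["kind"] == "AV" and p["enabled"]})


def seccenter_script(products, product_name):
    """Build the CFScript SecCenter:: section that removes every Security Center
    registration (AV and FW) of the named product, in log order."""
    guids = [p["guid"] for p in products if p["name"] == product_name]
    if not guids:
        raise ValueError(f"{product_name!r} is not registered in this log")
    return "SecCenter::\n" + "\n".join(guids) + "\n"


def parse_section(log_text, title):
    """Lines under the '(((( title ))))' banner up to the next banner, minus '.' spacers."""
    out, inside = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("((((") and s.endswith("))))"):
            inside = title in s
            continue
        if inside and s and s != ".":
            out.append(s)
    return out


def misplaced_system_files(paths):
    """Paths whose file name is a core Windows binary name but which sit outside
    c:\\windows, e.g. the kernel32.dll ComboFix deleted from the Recent folder."""
    hits = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            hits.append(p)
    return hits


if __name__ == "__main__":
    prods = parse_products(SAMPLE_LOG)
    print("Enabled AV engines:", enabled_antivirus(prods))
    print(seccenter_script(prods, "AV Security Essentials"))
    deleted = parse_section(SAMPLE_LOG, "Other Deletions")
    print("System-named files outside c:\\windows:", misplaced_system_files(deleted))
```

Run it against a full ComboFix.txt by reading the file into parse_products and parse_section instead of SAMPLE_LOG. The GUID list it prints for "AV Security Essentials" is exactly the AV and FW entries the CFScript above removes; a product that shows up in the header with no matching entry under Program Files or in the service list is the usual sign of a rogue registering itself in the Security Center WMI namespace.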
  18. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    ComboFix 12-06-21.03 - Michael 06/24/2012 16:22:46.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.590 [GMT -4:00]
    Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    * Resident AV is active
    .
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-24 20:06 . 2012-06-24 20:06  --------  d--h--w-  c:\windows\system32\GroupPolicy
    2012-06-22 21:55 . 2012-06-22 21:55  --------  d-----w-  c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2012-06-22 21:47 . 2012-06-22 21:47  --------  d-----w-  c:\program files\ESET
    2012-06-22 21:47 . 2012-06-22 21:47  --------  d-----w-  c:\documents and settings\All Users\Application Data\ESET
    2012-06-22 21:41 . 2012-06-22 21:41  --------  d-----w-  c:\documents and settings\Michael\Local Settings\Application Data\Sun
    2012-06-22 21:26 . 2012-06-22 21:25  772592  ----a-w-  c:\windows\system32\npDeployJava1.dll
    2012-06-22 21:26 . 2012-06-22 21:25  687600  ----a-w-  c:\windows\system32\deployJava1.dll
    2012-06-22 21:26 . 2012-06-22 21:25  143872  ----a-w-  c:\windows\system32\javacpl.cpl
    2012-06-22 21:16 . 2012-06-22 21:16  --------  d-----w-  C:\regbak
    2012-06-22 19:28 . 2008-04-13 19:21  162816  -c--a-w-  c:\windows\system32\dllcache\netbt.sys
    2012-06-22 19:28 . 2008-04-13 19:21  162816  ----a-w-  c:\windows\system32\drivers\netbt.sys
    2012-06-22 15:33 . 2012-06-22 15:33  --------  d-----w-  c:\documents and settings\Michael\Local Settings\Application Data\PCHealth
    2012-06-22 15:13 . 2008-04-13 21:11  21504  -c--a-w-  c:\windows\system32\dllcache\hidserv.dll
    2012-06-22 15:13 . 2008-04-13 21:11  21504  ----a-w-  c:\windows\system32\hidserv.dll
    2012-06-22 15:08 . 2012-06-22 15:08  --------  d-----w-  c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
    2012-06-18 16:19 . 2012-06-18 16:28  --------  d-----w-  C:\pebuilder3110a
    2012-06-18 14:00 . 2012-06-18 14:14  --------  d-----w-  c:\windows\system32\DBBK
    2012-06-13 01:08 . 2012-06-13 01:08  --------  d-----w-  c:\documents and settings\All Users\Application Data\CPA_VA
    2012-06-13 01:07 . 2012-06-24 20:09  1474832  ----a-w-  c:\windows\system32\drivers\sfi.dat
    2012-06-13 00:47 . 2012-06-24 20:04  --------  d-----w-  c:\documents and settings\Michael\Local Settings\Application Data\COMODO
    2012-06-13 00:47 . 2012-06-13 00:47  1700352  ----a-w-  c:\windows\system32\gdiplus.dll
    2012-06-12 23:53 . 2012-06-12 23:53  --------  d-----w-  c:\documents and settings\Administrator\Application Data\U3
    2012-06-12 23:47 . 2012-06-12 23:47  --------  d-----w-  c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-06-12 23:47 . 2012-06-12 23:47  --------  d-sh--w-  c:\documents and settings\Administrator\IETldCache
    2012-06-12 04:01 . 2010-10-07 11:11  6609920  ----a-w-  c:\windows\system32\drivers\NETwLx32.sys
    2012-06-12 04:01 . 2010-02-24 23:39  675840  ----a-w-  c:\windows\system32\NETwLc32.dll
    2012-06-12 04:01 . 2010-02-24 23:37  2756608  ----a-w-  c:\windows\system32\NETwLr32.dll
    2012-06-12 02:16 . 2012-06-12 02:16  --------  d-----w-  c:\documents and settings\Michael\Application Data\Malwarebytes
    2012-06-12 02:16 . 2012-06-12 02:16  --------  d-----w-  c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-06-12 02:16 . 2012-06-12 02:16  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-06-12 02:16 . 2012-04-04 19:56  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-06-12 02:02 . 2012-06-12 02:02  45056  ----a-w-  c:\windows\system32\UTSCSI.EXE
    2012-06-12 02:02 . 2012-06-13 00:01  --------  d-----w-  c:\program files\Cisco Systems
    2012-06-12 02:02 . 2010-02-13 08:36  816672  ---ha-w-  c:\windows\system32\drivers\AM10XP.sys
    2012-06-12 02:02 . 2012-06-12 02:02  --------  d-----w-  c:\documents and settings\All Users\Application Data\Cisco Systems
    2012-06-12 01:43 . 2011-04-25 14:31  1174976  ----a-w-  c:\windows\system32\drivers\rt2870.sys
    2012-06-12 01:43 . 2010-02-13 08:36  226592  ---ha-w-  c:\windows\system32\RaCoInst.dll
    2012-06-12 01:12 . 2012-06-12 01:40  --------  d-----w-  c:\documents and settings\Michael\Application Data\Intel
    2012-06-12 01:10 . 2012-06-12 01:40  --------  d-----w-  c:\documents and settings\All Users\Application Data\Intel
    2012-06-12 00:40 . 2012-06-22 15:14  --------  d-----w-  c:\documents and settings\Michael\Application Data\U3
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 21:54 . 2011-08-14 22:43  97208  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-03-07 3117344]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-16 02:46  87352  ----a-w-  c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-03-09 21:51  73728  ----a-w-  c:\windows\system32\VESWinlogon.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
    backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1 [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
    2004-11-18 03:47  118784  ----a-w-  c:\program files\Apoint\Apoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-02-21 01:28  59240  ----a-w-  c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
    2002-09-11 04:26  368706  ----a-w-  c:\program files\BroadJump\Client Foundation\CFD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 20:56  64512  ----a-w-  c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GCXX-Manager-Class]
    2007-06-14 23:36  925696  ----a-w-  c:\program files\Sony Ericsson\Wireless Manager\GCXXManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-04-05 18:21  77824  ----a-w-  c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-04-05 18:21  118784  ----a-w-  c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-04-05 18:21  94208  ----a-w-  c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
    2004-02-20 21:12  32768  ----a-w-  c:\program files\Sony\ISB Utility\ISBMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-03-06 23:05  421736  ----a-w-  c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2005-08-24 14:51  442455  ----a-w-  c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
    2002-03-14 23:46  45056  ----a-w-  c:\windows\system32\ico.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12  1695232  ------w-  c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-08 17:507561216----a-w-c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
    2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 21:38421888----a-w-c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
    2006-06-28 01:24217088----a-w-c:\program files\Sony\VAIO Power Management\SPMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-05-03 09:5636975----a-w-c:\program files\Java\jre1.5.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
    2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 4]
    2008-07-30 18:19870240------w-c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
    2005-12-27 21:5869632----a-w-c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Symantec Core LC"=3 (0x3)
    "LogMeIn"=2 (0x2)
    "LMIMaint"=2 (0x2)
    "AVGEMS"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/14/2012 8:40 AM 120152]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/14/2012 8:40 AM 104160]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/7/2012 3:40 PM 913144]
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [6/12/2012 12:01 AM 6609920]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/24/2006 1:28 PM 30080]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/24/2006 1:28 PM 226304]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [6/11/2012 10:02 PM 816672]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [12/30/2007 12:15 PM 108928]
    S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [12/30/2007 12:15 PM 53248]
    S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/30/2007 12:15 PM 19328]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB [?]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    proxyhostdriver
    epson_pm_rpcv4_01
    R300
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\vu2pgkjw.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-COMODO - c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
    MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe
    MSConfigStartUp-CPA - c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
    MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-24 16:31
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(508)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\VESWinlogon.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2012-06-24 16:34:38
    ComboFix-quarantined-files.txt 2012-06-24 20:34
    ComboFix2.txt 2012-06-23 05:02
    ComboFix3.txt 2012-06-22 19:41
    .
    Pre-Run: 54,051,647,488 bytes free
    Post-Run: 54,112,763,904 bytes free
    .
    - - End Of File - - 23FE0D7285FAE26A969718FD406195A8
  19. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    1. You didn't follow my latest instructions:
    2. You didn't follow Combofix instructions which ask you to allow Recovery Console installation.

    When done with #1 re-run Combofix, allow RC installation and post new log.

  20. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    ComboFix 12-06-25.03 - Michael 06/25/2012 12:55:27.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.675 [GMT -4:00]
    Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Michael\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    /wow section - STAGE 48
    .
    /wow section - STAGE 50
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-24 20:06 . 2012-06-24 20:06--------d--h--w-c:\windows\system32\GroupPolicy
    2012-06-22 21:55 . 2012-06-22 21:55--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2012-06-22 21:41 . 2012-06-22 21:41--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\Sun
    2012-06-22 21:26 . 2012-06-22 21:25772592----a-w-c:\windows\system32\npDeployJava1.dll
    2012-06-22 21:26 . 2012-06-22 21:25687600----a-w-c:\windows\system32\deployJava1.dll
    2012-06-22 21:26 . 2012-06-22 21:25143872----a-w-c:\windows\system32\javacpl.cpl
    2012-06-22 21:16 . 2012-06-22 21:16--------d-----w-C:\regbak
    2012-06-22 19:28 . 2008-04-13 19:21162816-c--a-w-c:\windows\system32\dllcache\netbt.sys
    2012-06-22 19:28 . 2008-04-13 19:21162816----a-w-c:\windows\system32\drivers\netbt.sys
    2012-06-22 15:33 . 2012-06-22 15:33--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\PCHealth
    2012-06-22 15:13 . 2008-04-13 21:1121504-c--a-w-c:\windows\system32\dllcache\hidserv.dll
    2012-06-22 15:13 . 2008-04-13 21:1121504----a-w-c:\windows\system32\hidserv.dll
    2012-06-22 15:08 . 2012-06-22 15:08--------d-----w-c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
    2012-06-18 16:19 . 2012-06-18 16:28--------d-----w-C:\pebuilder3110a
    2012-06-18 14:00 . 2012-06-18 14:14--------d-----w-c:\windows\system32\DBBK
    2012-06-13 01:08 . 2012-06-13 01:08--------d-----w-c:\documents and settings\All Users\Application Data\CPA_VA
    2012-06-13 01:07 . 2012-06-24 20:091474832----a-w-c:\windows\system32\drivers\sfi.dat
    2012-06-13 00:47 . 2012-06-24 20:04--------d-----w-c:\documents and settings\Michael\Local Settings\Application Data\COMODO
    2012-06-13 00:47 . 2012-06-13 00:471700352----a-w-c:\windows\system32\gdiplus.dll
    2012-06-12 23:53 . 2012-06-12 23:53--------d-----w-c:\documents and settings\Administrator\Application Data\U3
    2012-06-12 23:47 . 2012-06-12 23:47--------d-----w-c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-06-12 23:47 . 2012-06-12 23:47--------d-sh--w-c:\documents and settings\Administrator\IETldCache
    2012-06-12 04:01 . 2010-10-07 11:116609920----a-w-c:\windows\system32\drivers\NETwLx32.sys
    2012-06-12 04:01 . 2010-02-24 23:39675840----a-w-c:\windows\system32\NETwLc32.dll
    2012-06-12 04:01 . 2010-02-24 23:372756608----a-w-c:\windows\system32\NETwLr32.dll
    2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\documents and settings\Michael\Application Data\Malwarebytes
    2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-06-12 02:16 . 2012-06-12 02:16--------d-----w-c:\program files\Malwarebytes' Anti-Malware
    2012-06-12 02:16 . 2012-04-04 19:5622344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-06-12 02:02 . 2012-06-12 02:0245056----a-w-c:\windows\system32\UTSCSI.EXE
    2012-06-12 02:02 . 2012-06-13 00:01--------d-----w-c:\program files\Cisco Systems
    2012-06-12 02:02 . 2010-02-13 08:36816672---ha-w-c:\windows\system32\drivers\AM10XP.sys
    2012-06-12 02:02 . 2012-06-12 02:02--------d-----w-c:\documents and settings\All Users\Application Data\Cisco Systems
    2012-06-12 01:43 . 2011-04-25 14:311174976----a-w-c:\windows\system32\drivers\rt2870.sys
    2012-06-12 01:43 . 2010-02-13 08:36226592---ha-w-c:\windows\system32\RaCoInst.dll
    2012-06-12 01:12 . 2012-06-12 01:40--------d-----w-c:\documents and settings\Michael\Application Data\Intel
    2012-06-12 01:10 . 2012-06-12 01:40--------d-----w-c:\documents and settings\All Users\Application Data\Intel
    2012-06-12 00:40 . 2012-06-22 15:14--------d-----w-c:\documents and settings\Michael\Application Data\U3
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-11 21:54 . 2011-08-14 22:4397208----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-16 02:4687352----a-w-c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-03-09 21:5173728----a-w-c:\windows\system32\VESWinlogon.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
    backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1 [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
    2004-11-18 03:47118784----a-w-c:\program files\Apoint\Apoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-02-21 01:2859240----a-w-c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
    2002-09-11 04:26368706----a-w-c:\program files\BroadJump\Client Foundation\CFD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 20:5664512----a-w-c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GCXX-Manager-Class]
    2007-06-14 23:36925696----a-w-c:\program files\Sony Ericsson\Wireless Manager\GCXXManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-04-05 18:2177824----a-w-c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-04-05 18:21118784----a-w-c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-04-05 18:2194208----a-w-c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
    2004-02-20 21:1232768----a-w-c:\program files\Sony\ISB Utility\ISBMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-03-06 23:05421736----a-w-c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2005-08-24 14:51442455----a-w-c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
    2002-03-14 23:4645056----a-w-c:\windows\system32\ico.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:121695232------w-c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-08 17:507561216----a-w-c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
    2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 21:38421888----a-w-c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
    2006-06-28 01:24217088----a-w-c:\program files\Sony\VAIO Power Management\SPMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-05-03 09:5636975----a-w-c:\program files\Java\jre1.5.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
    2003-04-20 04:0828672----a-w-c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 4]
    2008-07-30 18:19870240------w-c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]
    2005-12-27 21:5869632----a-w-c:\program files\Sony\VAIO Camera Utility\VCUServe.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05204288------w-c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Symantec Core LC"=3 (0x3)
    "LogMeIn"=2 (0x2)
    "LMIMaint"=2 (0x2)
    "AVGEMS"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [6/12/2012 12:01 AM 6609920]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [7/24/2006 1:28 PM 30080]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [7/24/2006 1:28 PM 226304]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [6/11/2012 10:02 PM 816672]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 7:15 PM 136176]
    S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [12/30/2007 12:15 PM 108928]
    S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [12/30/2007 12:15 PM 53248]
    S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/30/2007 12:15 PM 19328]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -I VAIO_VEDB [?]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    proxyhostdriver
    epson_pm_rpcv4_01
    R300
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
    FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\vu2pgkjw.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-25 13:02
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(476)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\VESWinlogon.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2012-06-25 13:05:05
    ComboFix-quarantined-files.txt 2012-06-25 17:05
    ComboFix2.txt 2012-06-24 20:34
    ComboFix3.txt 2012-06-23 05:02
    ComboFix4.txt 2012-06-22 19:41
    .
    Pre-Run: 54,432,665,600 bytes free
    Post-Run: 54,436,085,760 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 598E762EC01029419941779172D1F787
  21. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    Followed directions this time, see above log file.
  22. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    Looks good.

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /I " " /c
    dir /b "%systemroot%\*.exe" | find /I " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  23. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    Upon boot I got a Windows registry recovery error and the PC crashed. After reboot, no more registry error, but the PC still cannot connect to the internet. I am running OTL and will post results soon.
  24. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    When exactly did you lose internet connection?
  25. Reptar

    Reptar Newcomer, in training Topic Starter Posts: 44

    When I got the virus. I've tried a few things to no avail. Tried internal and external wireless adapters, also tried a LAN cable and it didn't work, so that rules out hardware failure. I am able to connect to the router via wifi, but no packets are transferred. Combofix always had an alert about a rootkit virus whenever I ran it. I'm running OTL now and will report back.