
[Closed] Help with sirefef/zero infection please

Discussion in 'Virus and Malware Removal' started by Purcy, Jul 9, 2012.

  1. Purcy Newcomer, in training Posts: 16

    Hi Broni, I had a hunt around the net and found that the best way to fix the DLL problem was to do a system restore. I did this to the point after I ran the initial MalwareBytes and removed Lavasoft. I then reran a number of the scans, including RogueKiller, aswMBR and the first Combokill. I have attached the applicable logs below. I didn't run any of the further scans as I didn't know what caused the error described above and thought that you would know what to do. Best regards.
    RogueKiller V7.6.3 [07/08/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: User [Admin rights]
    Mode: Scan -- Date: 07/10/2012 17:37:38

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 2 ¤¤¤
    [HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] U : c:\windows\installer\{12642637-4a68-522c-8d6f-45440014219d}\U --> FOUND
    [ZeroAccess][FOLDER] L : c:\windows\installer\{12642637-4a68-522c-8d6f-45440014219d}\L --> FOUND
    [ZeroAccess][FOLDER] U : c:\documents and settings\user\local settings\application data\{12642637-4a68-522c-8d6f-45440014219d}\U --> FOUND
    [ZeroAccess][FOLDER] L : c:\documents and settings\user\local settings\application data\{12642637-4a68-522c-8d6f-45440014219d}\L --> FOUND
    [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

    ¤¤¤ Driver: [LOADED] ¤¤¤
    SSDT[41] : NtCreateKey @ 0x8061ABE2 -> HOOKED (Unknown @ 0x8A33E740)
    SSDT[43] : NtCreateMutant @ 0x8060E110 -> HOOKED (Unknown @ 0x8A3384C0)
    SSDT[47] : NtCreateProcess @ 0x805C7576 -> HOOKED (Unknown @ 0x8A33D540)
    SSDT[48] : NtCreateProcessEx @ 0x805C74C0 -> HOOKED (Unknown @ 0x8A33D840)
    SSDT[52] : NtCreateSymbolicLinkObject @ 0x805B96D2 -> HOOKED (Unknown @ 0x8A338880)
    SSDT[53] : NtCreateThread @ 0x805C735E -> HOOKED (Unknown @ 0x8A338020)
    SSDT[63] : NtDeleteKey @ 0x8061B07E -> HOOKED (Unknown @ 0x8A33ED40)
    SSDT[65] : NtDeleteValueKey @ 0x8061B24E -> HOOKED (Unknown @ 0x8A33F640)
    SSDT[68] : NtDuplicateObject @ 0x805B398C -> HOOKED (Unknown @ 0x8A338A60)
    SSDT[97] : NtLoadDriver @ 0x80579694 -> HOOKED (Unknown @ 0x8A3381C0)
    SSDT[122] : NtOpenProcess @ 0x805C13E2 -> HOOKED (Unknown @ 0x8A33DB40)
    SSDT[125] : NtOpenSection @ 0x8059F836 -> HOOKED (Unknown @ 0x8A33FC20)
    SSDT[128] : NtOpenThread @ 0x805C166E -> HOOKED (Unknown @ 0x8A33DE40)
    SSDT[192] : NtRenameKey @ 0x8061A604 -> HOOKED (Unknown @ 0x8A33F040)
    SSDT[204] : NtRestoreKey @ 0x8061C5C2 -> HOOKED (Unknown @ 0x8A33F340)
    SSDT[240] : NtSetSystemInformation @ 0x806067D6 -> HOOKED (Unknown @ 0x8A3386A0)
    SSDT[247] : NtSetValueKey @ 0x80619154 -> HOOKED (Unknown @ 0x8A33EA40)
    SSDT[257] : NtTerminateProcess @ 0x805C866A -> HOOKED (Unknown @ 0x8A33E140)
    SSDT[258] : NtTerminateThread @ 0x805C8864 -> HOOKED (Unknown @ 0x8A33E440)
    SSDT[277] : NtWriteVirtualMemory @ 0x805A994E -> HOOKED (Unknown @ 0x8A33FE00)
    S_SSDT[548] : Unknown -> HOOKED (Unknown @ 0x894241C0)
    S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0x89423FA0)
    IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DEBB40)
    IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DEBB40)
    IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DEBB40)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DEBB40)
    IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DEBB40)
    IRP[IRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9DEBB40)

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST960812A +++++
    --- User ---
    [MBR] 715aa96ff48de19b69089826376ea736
    [BSP] 240251e98ad17cb792d1e4f6717d05bb : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 57224 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-10 17:38:46
    -----------------------------
    17:38:46.296 OS Version: Windows 5.1.2600 Service Pack 3
    17:38:46.296 Number of processors: 1 586 0xD08
    17:38:46.296 ComputerName: HPCOMPAQNX6120 UserName: User
    17:38:48.171 Initialize success
    17:41:27.671 AVAST engine defs: 12071000
    17:41:39.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    17:41:39.234 Disk 0 Vendor: ST960812A 3.05 Size: 57231MB BusType: 3
    17:41:39.265 Disk 0 MBR read successfully
    17:41:39.265 Disk 0 MBR scan
    17:41:39.328 Disk 0 Windows XP default MBR code
    17:41:39.328 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 57224 MB offset 63
    17:41:39.359 Disk 0 scanning sectors +117195120
    17:41:39.437 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:41:39.453 Service scanning
    17:42:20.125 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
    17:42:34.328 Modules scanning
    17:42:34.593 Disk 0 trace - called modules:
    17:42:34.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spij.sys >>UNKNOWN [0x8a7ee938]<<
    17:42:34.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6cfab8]
    17:42:34.968 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000092[0x8a78cf18]
    17:42:34.968 5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a74ad98]
    17:42:35.921 AVAST engine scan C:\WINDOWS
    17:42:35.953 AVAST engine scan C:\WINDOWS\system32
    17:42:36.031 AVAST engine scan C:\WINDOWS\system32\drivers
    17:42:36.078 AVAST engine scan C:\Documents and Settings\User
    17:42:36.125 AVAST engine scan C:\Documents and Settings\All Users
    17:42:36.125 Scan finished successfully
    17:42:48.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
    17:42:48.812 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

    ComboFix 12-07-10.01 - User 10/07/2012 17:56:05.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2039.1349 [GMT 9.5:30]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\User\Application Data\inst.exe
    c:\documents and settings\User\Application Data\Toolbar4
    c:\documents and settings\User\System
    C:\install.exe
    c:\program files\Solid YouTube Downloader and Converter FileBulldog Toolbar\tbHElper.dll
    c:\windows\assembly\GAC\Desktop.ini
    c:\windows\system32\dllcache\wmpvis.dll
    c:\windows\system32\pssogina.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-10 07:05 . 2012-07-10 07:05 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-07-10 07:02 . 2012-07-10 07:02 -------- d-----w- c:\program files\Lavasoft
    2012-07-10 06:59 . 2012-07-10 06:59 -------- d-sh--w- c:\documents and settings\User\Local Settings\Application Data\{12642637-4a68-522c-8d6f-45440014219d}
    2012-07-10 03:47 . 2012-07-10 06:58 -------- d-----w- C:\RECYCLER(2)
    2012-07-10 03:46 . 2012-07-10 03:46 -------- d-----w- C:\_OTL
    2012-07-09 07:48 . 2012-07-09 11:47 22032 ----a-w- c:\windows\DCEBoot.exe
    2012-07-09 06:47 . 2012-07-09 07:57 102400 ----a-w- c:\windows\RegBootClean.exe
    2012-07-07 03:36 . 2012-07-07 03:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJSolutionMenu
    2012-07-07 03:10 . 2012-07-07 03:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJMyPrinter
    2012-07-07 02:33 . 2012-07-07 02:33 -------- d-----w- c:\documents and settings\User\Application Data\Canon Easy-WebPrint EX
    2012-07-07 02:04 . 2012-07-07 02:04 -------- d-----w- c:\documents and settings\User\Application Data\ElevatedDiagnostics
    2012-07-01 01:05 . 2012-07-01 01:05 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\etax2012
    2012-07-01 01:03 . 2012-07-01 01:04 -------- d-----w- c:\program files\etax2012
    2012-06-11 03:46 . 2012-06-11 03:46 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Aimersoft
    2012-06-11 03:46 . 2012-06-11 03:46 -------- d-----w- c:\program files\Common Files\Aimersoft
    2012-06-11 03:45 . 2011-08-31 05:09 892928 ----a-w- c:\windows\system32\iconv.dll
    2012-06-11 03:45 . 2011-08-31 05:09 496640 ----a-w- c:\windows\system32\xvid.ax
    2012-06-11 03:45 . 2011-08-31 05:09 675840 ----a-w- c:\windows\system32\ac3filter.ax
    2012-06-11 03:45 . 2012-06-11 03:45 -------- d-----w- c:\program files\Aimersoft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-09 07:39 . 2012-05-05 03:59 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-09 07:38 . 2011-06-12 23:57 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 05:49 . 2010-08-16 05:50 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 05:49 . 2010-08-16 05:50 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 05:49 . 2006-10-20 02:48 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 05:49 . 2006-10-20 02:48 329240 ----a-w- c:\windows\system32\wucltui.dll
    2012-06-02 05:49 . 2006-10-20 02:48 210968 ----a-w- c:\windows\system32\wuweb.dll
    2012-06-02 05:49 . 2010-08-16 05:50 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 05:49 . 2006-10-20 02:48 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 05:49 . 2006-10-20 01:17 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 05:49 . 2005-05-25 18:16 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 05:49 . 2002-08-29 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
    2012-06-02 05:49 . 2010-08-16 05:50 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 05:49 . 2006-10-20 02:48 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 05:49 . 2006-10-20 01:17 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 05:48 . 2010-10-15 16:22 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 05:48 . 2010-10-15 16:22 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-06-02 05:48 . 2009-08-06 09:53 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-05-31 13:22 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-15 15:39 . 2002-08-29 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2012-05-15 13:20 . 2002-08-29 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
    2012-05-11 23:58 . 2012-02-26 09:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-05-04 13:12 . 2002-08-29 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-04 12:32 . 2002-08-29 01:04 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-02 13:46 . 2006-10-20 01:17 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-23 14:46 . 2006-10-20 02:48 78336 ------w- c:\windows\system32\ieencode.dll
    2012-04-23 14:46 . 2002-08-29 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2012-04-23 14:46 . 2002-08-29 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2012-06-17 21:51 . 2012-02-13 23:19 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mobile Partner"="c:\program files\Optus Mini WiFi\Optus Mini WiFi Modem" [X]
    "GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-10 189056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-13 1388544]
    "PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-04-08 73728]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 729178]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-04-25 94208]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-04-25 77824]
    "Persistence"="c:\windows\System32\igfxpers.exe" [2005-04-25 114688]
    "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-04-26 122941]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-03-09 184320]
    "Protect Tray"="c:\program files\Pointsec\P95tray.exe" [2003-10-21 221184]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
    "MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-09-08 272384]
    "Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
    "Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
    "GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-10 189056]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-01-03 36760]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]
    "Aimersoft Helper Compact.exe"="c:\program files\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe" [2012-02-20 1666560]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-01 2508104]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-03 767312]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-10-20 184320]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-10-20 118784]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R0 BMLoad;Bytemobile Boot Time Load Driver;c:\windows\system32\drivers\BMLoad.sys [11/03/2010 9:36 AM 13184]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [26/02/2012 1:31 PM 64512]
    R0 prot_2k;prot_2k;c:\windows\system32\drivers\Prot_2k.sys [21/10/2003 5:28 PM 240640]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/01/2011 10:02 AM 691696]
    R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [11/09/2011 7:53 AM 188272]
    R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\x86\novacomd.exe [24/06/2011 9:16 PM 61440]
    R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [21/10/2003 6:50 PM 159744]
    R2 Pointsec_agent;Pointsec update agent;c:\windows\system32\pagents.exe [21/10/2003 6:46 PM 475136]
    R2 Pointsec_start;Pointsec service start;c:\windows\system32\pstartSr.exe [21/10/2003 11:52 PM 118784]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/09/2011 7:57 AM 64080]
    R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [8/09/2010 4:44 PM 8704]
    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/05/2004 2:56 AM 80384]
    R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [14/03/2012 4:56 PM 70656]
    R3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\drivers\vodafone_K3805-z_dc_enum.sys [1/09/2010 2:33 PM 80000]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17/10/2010 4:55 PM 136176]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [23/12/2011 7:12 AM 2152720]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/05/2012 1:29 PM 257224]
    S3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys --> c:\windows\system32\Drivers\androidusb.sys [?]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS --> c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [?]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [14/03/2012 4:56 PM 101504]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [14/03/2012 4:56 PM 117504]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [17/10/2010 4:55 PM 136176]
    S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
    S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [31/01/2012 5:56 PM 9728]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [1/05/2012 9:02 AM 113120]
    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/09/2010 2:36 PM 47360]
    S3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\DRIVERS\zghsdiag.sys --> c:\windows\system32\DRIVERS\zghsdiag.sys [?]
    S3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\DRIVERS\zghsmdm.sys --> c:\windows\system32\DRIVERS\zghsmdm.sys [?]
    S3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\DRIVERS\zghsnmea.sys --> c:\windows\system32\DRIVERS\zghsnmea.sys [?]
    S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [31/01/2012 5:56 PM 106752]
    S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [31/01/2012 5:56 PM 105216]
    S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [31/01/2012 5:56 PM 106752]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 07:39]
    .
    2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 07:25]
    .
    2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 07:25]
    .
    2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1065298038-1211835747-859195851-1003Core.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 12:05]
    .
    2012-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1065298038-1211835747-859195851-1003UA.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 12:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bigseekpro.com/solidyoutube/{9E71C719-ACB0-40D6-886B-83597D4DC49C}
    mStart Page = hxxp://www.bigseekpro.com/solidyoutube/{9E71C719-ACB0-40D6-886B-83597D4DC49C}
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.231.203.132 192.231.203.3
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\gm8gg5xx.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.news.com.au
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-10 18:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?3?5?7??????? ???B???????????????B? ??????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1065298038-1211835747-859195851-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-1065298038-1211835747-859195851-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2A25DBDB-4B7E-B782-3B67-49663DD8A6D4}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "abhiokhbnhdobpjbmmgaknhfkalmdkenba"=hex:61,62,6e,67,63,6e,6f,6f,6a,68,6f,64,
    66,6d,61,63,62,65,65,69,6f,6f,62,66,6f,6d,63,6b,66,63,6a,6d,66,62,00,77
    "bbhiokhbnhdobpjbmmfafndhlmncdppjdcha"=hex:61,62,61,68,6d,6d,67,6f,69,61,64,69,
    6a,6e,66,6b,62,67,6d,6d,66,6c,64,61,62,70,62,6f,6e,63,6c,6b,6d,6a,00,77
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1032)
    c:\windows\system32\PssoCM32.dll
    c:\windows\system32\netprovcredman.dll
    .
    - - - - - - - > 'explorer.exe'(1440)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Microsoft Office\OFFICE11\msohev.dll
    c:\windows\system32\netprovcredman.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\WiFi\bin\S24EvMon.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
    c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\System32\igfxsrvc.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\HPQ\Shared\hpqwmi.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-10 18:32:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-10 09:02
    ComboFix2.txt 2012-07-10 02:33
    ComboFix3.txt 2012-07-10 01:09
    .
    Pre-Run: 13,948,866,560 bytes free
    Post-Run: 13,992,017,920 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    [spybotsd]
    timeout.old=30
    .
    - - End Of File - - 555F77F2F850352EB10DF6D375CB9D6B
  2. Broni Malware Annihilator Posts: 40,051   +187

    I clearly stated at the very beginning of this topic:
    You decided to find your own ways so... you're on your own.
    This topic is closed.