TechSpot

Infected by Sirefef.R and Sirefef.AH

By Les_H
Aug 11, 2012
  1. Hello, MBAM and MSE identify that my PC (Vista 32) is infected by the above which, of course, they can't remove.
    I've read a couple of the other posts on this topic and would be grateful if you could take me through the cleaning process.
    First of all, here is my Farbar FRST file:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-08-2012 02
    Ran by SYSTEM at 11-08-2012 09:17:41
    Running from K:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)
    HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [446976 2006-11-11] (Gteko Ltd.)
    HKU\Les_New\...\Policies\system: [LogonHoursAction] 2
    HKU\Les_New\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254
    ================================ Services (Whitelisted) ==================
    3 DSBrokerService; "C:\Program Files\DellSupport\brkrsvc.exe" [70656 2006-11-07] ()
    2 EPSON_PM_RPCV4_05; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [130944 2012-02-02] (SEIKO EPSON CORPORATION)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    3 ExpressAccountsService; "C:\Program Files\NCH Software\ExpressAccounts\expressaccounts.exe" -service [2960900 2012-03-11] (NCH Software)
    3 ExpressInvoiceService; "C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe" -service [1987588 2012-03-11] (NCH Software)
    2 gupdate1c90d02e9defad0; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2008-09-02] (Google Inc.)
    2 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [99936 2006-11-09] ()
    2 M4-Service; C:\Users\Les_New\AppData\Roaming\Mikogo 4\M4-Service.exe [1008032 2012-06-08] ()
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    2 RapportMgmtService; "C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe" [931640 2011-11-01] (Trusteer Ltd.)
    3 ServiceLayer; "C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe" [632832 2011-03-21] (Nokia)
    2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3048136 2012-07-05] (Skype Technologies S.A.)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-07] (Skype Technologies)
    3 Sony PC Companion; "C:\Program Files\Sony\Sony PC Companion\PCCService.exe" [155320 2012-01-18] (Avanquest Software)
    2 STacSV; C:\Windows\system32\STacSV.exe [94208 2007-05-06] (SigmaTel, Inc.)
    2 TeamViewer4; "C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe" -service [185640 2010-09-03] (TeamViewer GmbH)
    2 Apache2.2; "c:\xampp\apache\bin\httpd.exe" -k runservice [x]
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    2 mysql; c:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql [x]
    4 NetMsmqActivator; "c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
    4 NetPipeActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
    4 NetTcpActivator; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
    4 NetTcpPortSharing; c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [x]
    ========================== Drivers (Whitelisted) =============
    3 BTUsbrXP(R); C:\Windows\System32\DRIVERS\btusbrxp.sys [93056 2003-01-21] (Askey Computer)
    2 dsunidrv; \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys [7424 2006-08-17] (Gteko Ltd.)
    3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2005-10-21] (HP)
    3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2005-10-21] (HP)
    3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2006-05-15] (HP)
    3 libusb0; C:\Windows\System32\drivers\libusb0.sys [21504 2011-10-07] (http://libusb-win32.sourceforge.net)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
    3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-08-08] (Malwarebytes Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    1 MpKsl14fb1d82; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8C72B1DA-0210-4465-B2AA-11C810408612}\MpKsl14fb1d82.sys [29904 2012-08-08] (Microsoft Corporation)
    1 MpKsl8f54c53c; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8C72B1DA-0210-4465-B2AA-11C810408612}\MpKsl8f54c53c.sys [29904 2012-08-08] ()
    1 RapportCerberus_32301; \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys [227312 2011-11-01] ()
    1 RapportEI; \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [71440 2011-11-01] (Trusteer Ltd.)
    3 RapportKELL; C:\Windows\System32\Drivers\RapportKELL.sys [64272 2011-11-01] (Trusteer Ltd.)
    1 RapportPG; \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [164112 2011-11-01] (Trusteer Ltd.)
    3 s125bus; C:\Windows\System32\DRIVERS\s125bus.sys [83336 2007-04-24] (MCCI Corporation)
    3 s125mdfl; C:\Windows\System32\DRIVERS\s125mdfl.sys [15112 2007-04-24] (MCCI Corporation)
    3 s125mdm; C:\Windows\System32\DRIVERS\s125mdm.sys [108680 2007-04-24] (MCCI Corporation)
    3 s125mgmt; C:\Windows\System32\DRIVERS\s125mgmt.sys [100488 2007-04-24] (MCCI Corporation)
    3 s125obex; C:\Windows\System32\DRIVERS\s125obex.sys [98696 2007-04-24] (MCCI Corporation)
    3 Serial; C:\Windows\system32\drivers\serial.sys [63936 1998-01-05] (Brother Industries Ltd.)
    3 STHDA; C:\Windows\System32\drivers\stwrt.sys [326656 2007-05-06] (SigmaTel, Inc.)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
    3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
    3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
    3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 upperdev; C:\Windows\System32\DRIVERS\usbser_lowerflt.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-08-11 09:17 - 2012-08-11 09:17 - 00000000 ____D C:\FRST
    2012-08-08 11:56 - 2012-08-08 14:02 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-08 11:14 - 2012-08-08 11:14 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-08 11:09 - 2012-08-08 11:11 - 10288512 ____A (Microsoft Corporation) C:\Users\Les_New\Downloads\mseinstall.exe
    2012-08-08 10:36 - 2012-08-08 10:38 - 00000000 ____D C:\Users\All Users\036E1912194FD0EDD9995CEE2F3B707C
    2012-08-08 10:36 - 2012-08-08 10:36 - 00433664 ____A (Electronic Arts Inc.) C:\Users\Les_New\AppData\Roaming\ldxet.dll
    2012-08-08 10:36 - 2012-08-08 10:36 - 00000000 ____D C:\Users\Les_New\AppData\Local\{F4A7B302-E187-11E1-8270-B8AC6F996F26}
    2012-08-08 10:35 - 2012-08-08 10:35 - 00000000 ____D C:\Users\Les_New\AppData\Roaming\Ovis
    2012-08-07 09:03 - 2012-08-08 11:00 - 00002660 ____A C:\Windows\PFRO.log
    2012-08-04 06:04 - 2012-08-04 06:04 - 00000000 ____D C:\Users\Les_New\AppData\Local\{9FC1C706-C763-49FE-B8A7-22D2B1B54B62}
    2012-08-03 18:04 - 2012-08-03 18:04 - 00000000 ____D C:\Users\Les_New\AppData\Local\{29BCABF9-0B12-4570-AD9D-2F0F2965AA3E}
    2012-08-03 18:03 - 2012-08-04 06:04 - 00000000 ____D C:\Users\Les_New\AppData\Local\{A6FA50C1-AF01-4A5C-9182-F20F58491991}
    2012-08-03 06:03 - 2012-08-03 06:03 - 00000000 ____D C:\Users\Les_New\AppData\Local\{742FFC1C-46E5-41CC-95E3-542AC8F28867}
    2012-08-03 06:03 - 2012-08-03 06:03 - 00000000 ____D C:\Users\Les_New\AppData\Local\{09D3C44B-1A8E-4473-A368-DD1527AC14B0}
    2012-08-03 05:38 - 2012-03-08 09:32 - 00039272 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fssfltr.sys
    2012-08-03 03:13 - 2012-08-03 03:13 - 00000000 ____D C:\Users\Les_New\AppData\Local\{22592C27-CBD1-42CC-928B-0D45EEE3818A}
    2012-08-02 15:18 - 2012-08-02 15:18 - 00000000 ____D C:\Users\Les_New\AppData\Local\{C8CA92F8-0DAD-44F8-9E07-4DDDC71D4D46}
    2012-08-02 12:04 - 2012-08-02 12:04 - 32600440 ____A C:\Users\Les_New\Downloads\GraboidVideoSetup-3.26 (1).exe
    2012-08-02 12:03 - 2012-08-02 12:04 - 32600440 ____A C:\Users\Les_New\Downloads\GraboidVideoSetup-3.26.exe
    2012-08-01 11:07 - 2012-08-01 11:07 - 00000000 ____D C:\Users\Les_New\AppData\Local\{8F50EFF1-658F-4BBE-A26A-F318092F8434}
    2012-08-01 09:32 - 2012-08-04 06:04 - 00000000 ____D C:\Users\Les_New\AppData\Local\Windows Live
    2012-08-01 09:31 - 2012-08-01 09:32 - 00000000 ____D C:\Users\Les_New\AppData\Local\{30D5056D-FBA0-4AB2-9E68-7C5058D602CD}
    2012-08-01 09:31 - 2012-08-01 09:31 - 00000000 ____D C:\Users\Les_New\AppData\Local\{C2DB3021-0D2D-4AE9-AA23-51BFBDD9F232}
    2012-07-27 07:27 - 2012-07-27 07:27 - 00000000 ____D C:\Users\Les_New\AppData\Roaming\Nokia
    2012-07-27 07:24 - 2012-07-27 07:24 - 00001880 ____A C:\Users\Public\Desktop\Nokia Music Player.lnk
    2012-07-27 07:21 - 2008-08-26 01:26 - 00018816 ____A (Nokia) C:\Windows\System32\Drivers\pccsmcfd.sys
    2012-07-20 11:09 - 2012-07-20 11:09 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-12 23:53 - 2012-07-12 23:53 - 00001026 ____A C:\Users\Les_New\Desktop\Update Service.lnk
    2012-07-12 23:51 - 2012-07-12 23:51 - 00000000 ____D C:\Program Files\Sony Mobile
    2012-07-12 23:45 - 2012-07-12 23:46 - 42259496 ____A C:\Users\Les_New\Downloads\Update_Service_Setup-2.12.8.23.exe
    2012-07-12 07:23 - 2012-07-12 07:23 - 00001881 ____A C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk
    2012-07-12 07:23 - 2012-07-12 07:23 - 00000000 ____D C:\Users\All Users\Sony
    2012-07-12 07:23 - 2012-07-12 07:23 - 00000000 ____D C:\Program Files\Sony
    2012-07-12 05:12 - 2012-07-12 05:12 - 27261120 ____A (Sony Mobile Communications ) C:\Users\Les_New\Downloads\Sony PC Companion_2.10.079_Web.exe
    ============ 3 Months Modified Files ========================
    2012-08-08 14:27 - 2011-10-18 07:06 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2012-08-08 14:27 - 2006-11-02 05:01 - 00032602 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-08 14:27 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-08 14:26 - 2009-06-30 23:22 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-08 14:26 - 2006-11-02 04:47 - 00003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-08 14:26 - 2006-11-02 04:47 - 00003696 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-08 14:24 - 2009-09-29 07:56 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-08 14:03 - 2012-02-25 23:30 - 00001356 ____A C:\Users\Les_New\AppData\Local\d3d9caps.dat
    2012-08-08 14:02 - 2012-08-08 11:56 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-08 11:55 - 2008-03-09 02:35 - 00000418 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{4410D2A5-866D-4E21-BE58-E2C137396A8C}.job
    2012-08-08 11:55 - 2007-11-07 09:02 - 00000416 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{ED38B297-A111-4C4A-9A18-3554545F5267}.job
    2012-08-08 11:49 - 2011-10-18 07:06 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
    2012-08-08 11:33 - 2009-06-30 23:22 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-08 11:15 - 2012-03-30 09:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-08 11:15 - 2011-10-05 00:32 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-08 11:15 - 2011-10-03 09:24 - 01537968 ____A C:\Windows\WindowsUpdate.log
    2012-08-08 11:14 - 2006-11-02 02:33 - 00802910 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-08 11:11 - 2012-08-08 11:09 - 10288512 ____A (Microsoft Corporation) C:\Users\Les_New\Downloads\mseinstall.exe
    2012-08-08 11:04 - 2011-07-11 13:54 - 00000930 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2155982950-3057843811-3124903850-1000UA.job
    2012-08-08 11:00 - 2012-08-07 09:03 - 00002660 ____A C:\Windows\PFRO.log
    2012-08-08 10:36 - 2012-08-08 10:36 - 00433664 ____A (Electronic Arts Inc.) C:\Users\Les_New\AppData\Roaming\ldxet.dll
    2012-08-08 09:54 - 2009-06-30 09:32 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2155982950-3057843811-3124903850-1000UA.job
    2012-08-07 20:04 - 2011-07-11 13:54 - 00000908 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2155982950-3057843811-3124903850-1000Core.job
    2012-08-07 14:54 - 2009-06-30 09:32 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2155982950-3057843811-3124903850-1000Core.job
    2012-08-05 12:44 - 2009-02-21 03:13 - 00057624 ____A C:\img2-001.raw
    2012-08-03 03:21 - 2011-11-09 09:23 - 00077824 ____A C:\Users\Les_New\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-08-02 12:04 - 2012-08-02 12:04 - 32600440 ____A C:\Users\Les_New\Downloads\GraboidVideoSetup-3.26 (1).exe
    2012-08-02 12:04 - 2012-08-02 12:03 - 32600440 ____A C:\Users\Les_New\Downloads\GraboidVideoSetup-3.26.exe
    2012-08-01 23:37 - 2011-11-05 03:43 - 00001973 ____A C:\Users\Public\Desktop\Google Chrome.lnk
    2012-07-28 13:15 - 2012-03-30 09:15 - 09821896 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2012-07-28 13:15 - 2012-03-30 09:12 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-28 13:15 - 2011-10-25 10:31 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-27 07:24 - 2012-07-27 07:24 - 00001880 ____A C:\Users\Public\Desktop\Nokia Music Player.lnk
    2012-07-20 12:38 - 2011-09-16 07:07 - 00000812 ____A C:\Users\Public\Desktop\Kobo.lnk
    2012-07-20 11:09 - 2012-07-20 11:09 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-20 06:10 - 2012-07-06 04:49 - 00060304 ____A C:\Users\Les_New\g2mdlhlpx.exe
    2012-07-12 23:53 - 2012-07-12 23:53 - 00001026 ____A C:\Users\Les_New\Desktop\Update Service.lnk
    2012-07-12 23:46 - 2012-07-12 23:45 - 42259496 ____A C:\Users\Les_New\Downloads\Update_Service_Setup-2.12.8.23.exe
    2012-07-12 07:23 - 2012-07-12 07:23 - 00001881 ____A C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk
    2012-07-12 05:12 - 2012-07-12 05:12 - 27261120 ____A (Sony Mobile Communications ) C:\Users\Les_New\Downloads\Sony PC Companion_2.10.079_Web.exe
    2012-07-11 18:35 - 2006-11-02 04:47 - 00570280 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 18:03 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-11 11:13 - 2012-07-11 11:13 - 00002487 ____A C:\Users\Les_New\Desktop\Apple Safari.lnk
    2012-07-11 11:13 - 2012-07-11 11:13 - 00002463 ____A C:\Users\Public\Desktop\Safari.lnk
    2012-07-06 05:02 - 2012-07-06 05:02 - 00002282 ____A C:\Users\Les_New\Desktop\GoToMeeting Quick Connect.lnk
    2012-07-06 02:07 - 2011-11-07 02:52 - 00002583 ____A C:\Users\Les_New\Desktop\Microsoft Excel.lnk
    2012-07-03 04:46 - 2011-10-04 05:39 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-25 06:13 - 2012-06-25 06:13 - 00000901 ____A C:\Users\Les_New\Desktop\Mikogo 4.lnk
    2012-06-21 01:00 - 2012-06-21 01:00 - 00000957 ____A C:\Users\Public\Desktop\TeamViewer 4.lnk
    2012-06-21 00:57 - 2012-06-21 00:57 - 02261392 ____A C:\Users\Les_New\Downloads\TeamViewer_Setup.exe
    2012-06-13 05:40 - 2012-07-11 18:15 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 09:47 - 2012-07-10 22:48 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-10 22:48 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-10 22:48 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 04:00 - 2011-11-05 06:37 - 00005292 ____A C:\Users\Les_New\Downloads\pspbrwse.jbf
    2012-06-04 07:42 - 2012-06-04 07:42 - 00000907 ____A C:\Users\Les_New\AppData\Local\recently-used.xbel
    2012-06-04 07:26 - 2012-07-10 22:48 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-21 02:32 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 02:32 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 02:32 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 02:31 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 02:31 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 02:32 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 02:31 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:54 - 2012-06-02 11:54 - 00000847 ____A C:\Users\Public\Desktop\RealPlayer.lnk
    2012-06-02 11:53 - 2012-03-23 00:05 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\System32\rmoc3260.dll
    2012-06-02 11:53 - 2012-03-23 00:04 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5016.dll
    2012-06-02 11:53 - 2012-03-23 00:04 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\System32\pndx5032.dll
    2012-06-02 11:53 - 2003-03-18 11:14 - 00499712 ____A (Microsoft Corporation) C:\Windows\System32\msvcp71.dll
    2012-06-02 11:53 - 2003-02-20 19:42 - 00348160 ____A (Microsoft Corporation) C:\Windows\System32\msvcr71.dll
    2012-06-02 06:19 - 2012-06-21 02:31 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:12 - 2012-06-21 02:31 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-11 18:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 18:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 18:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 18:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 18:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 18:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-11 18:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-11 18:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 18:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 18:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 18:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-11 18:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 18:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 18:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 16:04 - 2012-07-10 22:48 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-10 22:48 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-27 00:55 - 2012-05-27 00:55 - 00000590 ____A C:\Users\Les_New\Desktop\lesharg1 - Shortcut.lnk
    2012-05-26 00:37 - 2012-05-26 00:37 - 00000384 ____A C:\Users\Les_New\Desktop\xampp.lnk
    2012-05-25 01:04 - 2012-05-25 01:04 - 00000560 ____A C:\Users\Les_New\Desktop\XAMPP Control Panel.lnk
    2012-05-18 12:47 - 2012-05-18 12:47 - 00367360 ____A (Microsoft Corporation) C:\Windows\System32\vfprintpthelper.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00351248 ____A (Microsoft Corporation) C:\Windows\System32\vfbasics.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00306560 ____A (Microsoft Corporation) C:\Windows\System32\vfprint.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00242736 ____A (Microsoft Corporation) C:\Windows\System32\vfluapriv.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00173504 ____A (Microsoft Corporation) C:\Windows\System32\appverif.exe
    2012-05-18 12:47 - 2012-05-18 12:47 - 00164168 ____A (Microsoft Corporation) C:\Windows\System32\vrfcore.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00087312 ____A (Microsoft Corporation) C:\Windows\System32\vfcompat.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00081560 ____A (Microsoft Corporation) C:\Windows\System32\vfnet.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00061352 ____A (Microsoft Corporation) C:\Windows\System32\vfnws.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00052016 ____A (Microsoft Corporation) C:\Windows\System32\vfcuzz.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00040120 ____A (Microsoft Corporation) C:\Windows\System32\vfntlmless.dll
    2012-05-18 12:47 - 2012-05-18 12:47 - 00021432 ____A (Microsoft Corporation) C:\Windows\System32\cuzzapi.dll
    ZeroAccess:
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\@
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\L
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\n
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U\00000001.@
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U\800000cb.@
    ZeroAccess:
    C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}
    C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\@
    C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\L
    C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\n
    C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 10%
    Total physical RAM: 3005.88 MB
    Available physical RAM: 2677.97 MB
    Total Pagefile: 2908.54 MB
    Available Pagefile: 2769.74 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.72 MB
    ======================= Partitions =========================
    2 Drive c: (OS) (Fixed) (Total:138.97 GB) (Free:23.24 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    10 Drive k: (TESSA'S USB) (Removable) (Total:0.96 GB) (Free:0.95 GB) FAT
    11 Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:6.37 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 1710 KB
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B
    Disk 6 No Media 0 B 0 B
    Disk 7 Online 980 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 32 KB
    Partition 2 Primary 10 GB 40 MB
    Partition 3 Primary 139 GB 10 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 10 FAT Partition 39 MB Healthy Hidden
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 X RECOVERY NTFS Partition 10 GB Healthy Boot
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 C OS NTFS Partition 139 GB Healthy
    ==================================================================================
    Partitions of Disk 7:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 979 MB 16 KB
    ==================================================================================
    Disk: 7
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 K TESSA'S USB FAT Removable 979 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-08-08 11:10
    ======================= End Of Log ==========================

    Now the Search file:

    Farbar Recovery Scan Tool Version: 08-08-2012 02
    Ran by SYSTEM at 2012-08-11 09:19:22
    Running from K:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-09-29 07:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-09-24 02:28] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
    C:\Windows\System32\services.exe
    [2009-09-29 07:56] - [2012-08-08 14:24] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843
    === End Of Search ===

    Many thanks in advance for your help.
    Les
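As an added example (not part of the thread, and not FRST's own code), the check a helper makes by eye above can be automated: parse the FRST Search output, compare the live services.exe MD5 against the copies held in the WinSxS component store, and group the ZeroAccess directory listing by its root directory to confirm the `@`/`L`/`n`/`U` layout. The sample input is the log text from this post, embedded as constants so the script runs offline.

```python
import re

# Constructed sample input: the "Search: services.exe" excerpt from the FRST log above.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-29 07:56] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-09-24 02:28] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\System32\services.exe
[2009-09-29 07:56] - [2012-08-08 14:24] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843
=== End Of Search ===
"""

# Constructed sample input: the two "ZeroAccess:" blocks from the same FRST log.
ZEROACCESS_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}
C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\@
C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\L
C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\n
C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U
C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U\00000001.@
C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U\800000cb.@
ZeroAccess:
C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}
C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\@
C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\L
C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\n
C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3}\U
========================= Known DLLs (Whitelisted) ============
"""

# FRST detail line: [created] - [modified] - size attrs (company) MD5
ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-F]{32})$",
    re.IGNORECASE,
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Directory names ZeroAccess creates under its GUID folder, as listed by FRST above.
ZA_MARKERS = {"@", "L", "n", "U"}


def parse_search(text):
    """Pair each path line of an FRST Search section with the detail line after it."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m and pending:
            d = m.groupdict()
            d.update(path=pending, size=int(d["size"]), md5=d["md5"].upper())
            entries.append(d)
            pending = None
        elif PATH_RE.match(line):
            pending = line
    return entries


def check_live_binary(entries, name="services.exe"):
    """Compare the live System32 copy with the WinSxS copies FRST found.

    A live hash absent from the component store is a strong hint the file was
    patched in place (the ZeroAccess behaviour FRST flagged); the same-size
    store copies are the natural restore candidates."""
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    live = [e for e in entries if e["path"].lower().endswith("\\system32\\" + name)]
    known_good = {e["md5"] for e in store}
    result = {"status": "missing", "live_md5": None, "known_good": sorted(known_good),
              "same_size_store_copies": [], "modified_after_created": False}
    if not live:
        return result
    e = live[0]
    result["live_md5"] = e["md5"]
    result["status"] = "match" if e["md5"] in known_good else "MISMATCH"
    result["same_size_store_copies"] = [s["path"] for s in store if s["size"] == e["size"]]
    # ISO-style timestamps compare correctly as strings.
    result["modified_after_created"] = e["modified"] > e["created"]
    return result


def zeroaccess_roots(text):
    """Group the paths under each 'ZeroAccess:' header by root directory -> child names."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not PATH_RE.match(line):
            current = None          # header, divider or blank line ends the block
            continue
        if current is None or not line.lower().startswith(current.lower() + "\\"):
            current = line
            groups.setdefault(current, set())
        else:
            groups[current].add(line[len(current) + 1:])
    return groups


def zeroaccess_hits(text):
    """Roots that show the full @/L/n/U layout described in the log."""
    return [root for root, kids in zeroaccess_roots(text).items() if ZA_MARKERS <= kids]


if __name__ == "__main__":
    print(check_live_binary(parse_search(SEARCH_LOG)))
    for root in zeroaccess_hits(ZEROACCESS_LOG):
        print("ZeroAccess layout under:", root)
```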
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  3. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Hello. Many thanks for the quick response. It restarted normally and seems stable (after several minutes).
    Les

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-08-2012 02
    Ran by SYSTEM at 2012-08-11 17:35:21 Run:1
    Running from K:\
    ==============================================
    C:\Windows\Installer\{c6c20914-49ac-17aa-db84-306d9719f7f3} moved successfully.
    C:\Users\Les_New\AppData\Local\{c6c20914-49ac-17aa-db84-306d9719f7f3} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====
     
  4. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Update. MSE detected a Sirefef attack again, and cleaned it.
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's okay. We're not done yet.

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  6. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Very good: all went well. Here's the log.
    Les

    ComboFix 12-08-10.02 - Les_New 12/08/2012 11:36:27.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3006.1576 [GMT 1:00]
    Running from: c:\users\Les_New\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\05232b1yfv35y2g4lrvt74x8e643ft
    c:\users\Les_New\AppData\Roaming\ldxet.dll
    c:\users\Les_New\g2mdlhlpx.exe
    c:\windows\system32\~GLH002e.TMP
    c:\windows\system32\muzapp.exe
    c:\windows\system32\regobj.dll
    c:\windows\system32\spool\prtprocs\w32x86\brpproc.dll
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    C:\winntse.bin
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-12 10:50 . 2012-08-12 10:50 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C72B1DA-0210-4465-B2AA-11C810408612}\offreg.dll
    2012-08-12 10:49 . 2012-08-12 10:51 -------- d-----w- c:\users\Les_New\AppData\Local\temp
    2012-08-12 10:49 . 2012-08-12 10:49 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-11 17:17 . 2012-08-11 17:17 -------- d-----w- C:\FRST
    2012-08-08 19:29 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-08 19:29 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3C85FE2-8E03-4657-B7C2-4EBB101C4616}\gapaengine.dll
    2012-08-08 19:28 . 2012-07-16 01:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C72B1DA-0210-4465-B2AA-11C810408612}\mpengine.dll
    2012-08-08 19:14 . 2012-08-08 19:14 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-08 18:36 . 2012-08-08 18:38 -------- d-----w- c:\programdata\036E1912194FD0EDD9995CEE2F3B707C
    2012-08-08 18:36 . 2012-08-08 18:36 -------- d-----w- c:\users\Les_New\AppData\Local\{F4A7B302-E187-11E1-8270-B8AC6F996F26}
    2012-08-08 18:35 . 2012-08-08 18:35 -------- d-----w- c:\users\Les_New\AppData\Roaming\Ovis
    2012-08-03 13:39 . 2012-08-03 13:39 -------- d-----w- c:\windows\en
    2012-08-03 13:38 . 2012-03-08 17:32 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
    2012-08-03 13:32 . 2012-08-03 13:32 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-08-03 13:25 . 2012-08-03 13:25 89944 ----a-w- c:\program files\Common Files\Windows Live\.cache\636b762e1cd717b02\DSETUP.dll
    2012-08-03 13:25 . 2012-08-03 13:25 537432 ----a-w- c:\program files\Common Files\Windows Live\.cache\636b762e1cd717b02\DXSETUP.exe
    2012-08-03 13:25 . 2012-08-03 13:25 1801048 ----a-w- c:\program files\Common Files\Windows Live\.cache\636b762e1cd717b02\dsetup32.dll
    2012-08-01 17:32 . 2012-08-04 14:04 -------- d-----w- c:\users\Les_New\AppData\Local\Windows Live
    2012-07-27 15:27 . 2012-07-27 15:27 -------- d-----w- c:\users\Les_New\AppData\Roaming\Nokia
    2012-07-27 15:21 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-28 21:15 . 2012-03-30 17:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-28 21:15 . 2011-10-25 18:31 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-28 21:15 . 2012-03-30 17:15 9821896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2012-07-03 12:46 . 2011-10-04 13:39 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:40 . 2012-07-12 02:15 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-06-11 04:14 . 2012-06-11 04:14 784144 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-06-05 16:47 . 2012-07-11 06:48 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-11 06:48 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:26 . 2012-07-11 06:48 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-21 10:32 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 10:32 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 10:31 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 10:31 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 10:32 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 10:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 10:31 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:53 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-06-02 19:53 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-06-02 14:19 . 2012-06-21 10:31 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:12 . 2012-06-21 10:31 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 08:33 . 2012-07-12 02:01 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 08:25 . 2012-07-12 02:01 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 08:25 . 2012-07-12 02:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-12 02:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-12 02:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 00:04 . 2012-07-11 06:48 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:03 . 2012-07-11 06:48 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-05-18 20:47 . 2012-05-18 20:47 164168 ----a-w- c:\windows\system32\vrfcore.dll
    2012-05-18 20:47 . 2012-05-18 20:47 87312 ----a-w- c:\windows\system32\vfcompat.dll
    2012-05-18 20:47 . 2012-05-18 20:47 81560 ----a-w- c:\windows\system32\vfnet.dll
    2012-05-18 20:47 . 2012-05-18 20:47 61352 ----a-w- c:\windows\system32\vfnws.dll
    2012-05-18 20:47 . 2012-05-18 20:47 52016 ----a-w- c:\windows\system32\vfcuzz.dll
    2012-05-18 20:47 . 2012-05-18 20:47 367360 ----a-w- c:\windows\system32\vfprintpthelper.dll
    2012-05-18 20:47 . 2012-05-18 20:47 351248 ----a-w- c:\windows\system32\vfbasics.dll
    2012-05-18 20:47 . 2012-05-18 20:47 306560 ----a-w- c:\windows\system32\vfprint.dll
    2012-05-18 20:47 . 2012-05-18 20:47 21432 ----a-w- c:\windows\system32\cuzzapi.dll
    2012-05-18 20:47 . 2012-05-18 20:47 173504 ----a-w- c:\windows\system32\appverif.exe
    2012-05-18 20:47 . 2012-05-18 20:47 40120 ----a-w- c:\windows\system32\vfntlmless.dll
    2012-05-18 20:47 . 2012-05-18 20:47 242736 ----a-w- c:\windows\system32\vfluapriv.dll
    2012-08-06 12:08 . 2011-10-05 14:34 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MIDI2"=vpnt.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Leslie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
    path=c:\users\Leslie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
    backupExtension=.Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPLTarget
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-04-20 11:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-05-30 19:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brother MFL Pro Remote Setup]
    1999-12-02 16:24 194048 ----a-w- c:\windows\twain_32\BRMFLPRO\BRMFRMS.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
    2011-05-26 15:04 1590144 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2006-11-12 01:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
    2006-11-17 21:13 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
    2010-10-12 13:56 979328 ----a-w- c:\program files\EPSON Software\Event Manager\EEventManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPLTarget\P0000000000000000]
    2012-02-02 23:04 219008 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_TATIH3E.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
    2012-03-08 17:32 884584 ----a-w- c:\program files\Windows Live\Family Safety\fsui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXRCV]
    2011-03-09 00:00 495616 ----a-w- c:\program files\EPSON Software\FAX Utility\FUFAXRCV.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]
    2011-03-09 00:00 856064 ----a-w- c:\program files\EPSON Software\FAX Utility\FUFAXSTM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-02-16 16:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 00:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2010-05-20 14:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-07-03 12:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mikogo]
    2012-06-08 12:43 5380000 ----a-w- c:\users\Les_New\AppData\Roaming\Mikogo 4\mikogo-host.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
    2011-10-21 12:19 2193000 ----a-w- c:\program files\Nokia\Nokia Music Player\NokiaMusicPlayer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
    2010-02-24 20:17 385928 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-12-08 04:25 7766016 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-12-08 04:25 81920 ----a-w- c:\windows\System32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2006-12-08 04:25 90191 ----a-w- c:\windows\System32\nvsvc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-04-18 19:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2007-05-06 17:10 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
    2012-07-29 12:43 7601880 ----a-w- c:\users\Les_New\AppData\Roaming\Spotify\spotify.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
    2012-07-29 12:43 1193176 ----a-w- c:\users\Les_New\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2012-06-02 19:53 296056 ----a-w- c:\program files\real\RealPlayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
    2010-05-20 14:27 762736 ----a-w- c:\windows\vVX3000.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
    2006-11-02 12:35 176128 ----a-w- c:\windows\System32\wpcumi.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2011-10-05 13:20 114176 ----a-w- c:\windows\System32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 11:42]
    .
    2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 13:50]
    .
    2012-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 13:50]
    .
    2012-08-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:31]
    .
    2012-08-12 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:31]
    .
    2012-08-12 c:\windows\Tasks\User_Feed_Synchronization-{4410D2A5-866D-4E21-BE58-E2C137396A8C}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-05 13:20]
    .
    2011-10-05 c:\windows\Tasks\User_Feed_Synchronization-{4B7857AA-85CC-4203-95CC-FA2AF1F610B7}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-05 13:20]
    .
    2012-08-12 c:\windows\Tasks\User_Feed_Synchronization-{ED38B297-A111-4C4A-9A18-3554545F5267}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-05 13:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/news/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
    DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
    FF - ProfilePath - c:\users\Les_New\AppData\Roaming\Mozilla\Firefox\Profiles\7a39l92k.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/news/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    Toolbar-Locked - (no file)
    ShellExecuteHooks-{88485281-8b4b-4f8d-9ede-82e29a064277} - (no file)
    MSConfigStartUp-AD7B71BCB3BAED03 - c:\testovy.bin\testovy.Bin.exe
    MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-Btovo - c:\users\Leslie\AppData\Local\avopubitukix.dll
    MSConfigStartUp-DATAMNGR - c:\progra~1\WI371A~1\Datamngr\DATAMN~1.EXE
    MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    MSConfigStartUp-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
    MSConfigStartUp-Google Update - c:\users\Leslie\AppData\Local\Google\Update\GoogleUpdate.exe
    MSConfigStartUp-ldxet - c:\users\Les_New\AppData\Roaming\ldxet.dll
    MSConfigStartUp-netiinst - c:\users\Les_New\AppData\Local\Temp\credepad.dll
    MSConfigStartUp-Ulevusumocareza - c:\users\Leslie\AppData\Local\uic7095.dll
    MSConfigStartUp-{0854E3FA-760B-380E-CD61-184A21B4A2DA} - c:\users\Leslie\AppData\Roaming\Ixgaro\oneff.exe
    AddRemove-Cakewalk Express 8 - c:\program files\Cakewalk\Cakewalk Express\Uninst.isu
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-12 11:51
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Google\Update\1.3.21.115\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\users\Les_New\AppData\Roaming\Mikogo 4\M4-Service.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\xampp\mysql\bin\mysqld.exe
    c:\users\Les_New\AppData\Roaming\Mikogo 4\M4-Capture.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    c:\windows\system32\STacSV.exe
    c:\program files\TeamViewer\Version4\TeamViewer_Service.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-12 12:03:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-12 11:02
    .
    Pre-Run: 23,808,303,104 bytes free
    Post-Run: 24,118,120,448 bytes free
    .
    - - End Of File - - 06F7EBB9E8869EBA57EA0B06256B2CCF
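Triage of a ComboFix log like the one above, as an added example that is not ComboFix's or this thread's own code: it parses the Other Deletions, Files Created, Reg Loading Points and ORPHANS REMOVED sections from a constructed excerpt of the log and flags executable or random-named entries in user-writable locations, dangling autostarts, and registry values that switch off UAC or Security Center monitoring. The flagging rules, path lists and value table are the example's own assumptions, not ComboFix's.

```python
"""Triage a ComboFix log: parse the sections a helper reads first and flag
the entries worth a second look (added example, not ComboFix's own code)."""
import re
from pathlib import PureWindowsPath

# Section banners: "(((( Other Deletions ))))" or "- - - - ORPHANS REMOVED - - - -"
BANNER_RE = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|- - - - (.+?) - - - -)$")
# File entries: "<created> . <modified> <size or --------> <attrs> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
                     r"(\d+|-{8}) (\S{8}) (.+)$")
# Orphans: "MSConfigStartUp-ldxet - c:\users\...\ldxet.dll"
ORPHAN_RE = re.compile(r"^([A-Za-z]+)-(.+?) - (.+)$")
# Registry values: '"EnableLUA"= 0 (0x0)' or '"AntiVirusOverride"=dword:00000001'
REGVAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')

EXEC_EXT = {".exe", ".dll", ".sys", ".bin", ".scr", ".cpl"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Values that switch off built-in protection when equal to the given number
# (assumption of this example; the helper's judgement still applies).
WEAKENING = {"EnableLUA": 0, "AntiVirusOverride": 1, "FirewallOverride": 1, "DisableMonitoring": 1}


def looks_random(name: str) -> bool:
    """Machine-generated names such as 05232b1yfv35y2g4lrvt74x8e643ft or
    {c6c20914-49ac-17aa-db84-306d9719f7f3}: long, alphanumeric, mixed digits
    and letters. A heuristic, so expect some benign hits (e.g. GUID folders)."""
    stem = PureWindowsPath(name).stem.strip("{}").replace("-", "")
    return (len(stem) >= 12 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def suspicious_path(path: str) -> bool:
    """Executable content or a random-looking name in a location any user
    process can write to (profile, ProgramData, Temp) or directly under the drive root."""
    low = path.lower()
    p = PureWindowsPath(low)
    in_user_dir = low.startswith(USER_WRITABLE)
    in_root = len(p.parts) == 2  # e.g. c:\winntse.bin
    return (in_user_dir or in_root) and (p.suffix in EXEC_EXT or looks_random(p.name))


def triage(log_text: str) -> dict:
    """Walk the log once, tracking the current section banner."""
    findings = {"removed": [], "new_suspicious": [], "orphans": [], "weakened": []}
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER_RE.match(line)
        if banner:
            section = (banner.group(1) or banner.group(2)).lower()
            continue
        if section == "other deletions":          # ComboFix already removed these
            findings["removed"].append(line)
        elif section.startswith("files created"):  # new files: judge location + name
            m = FILE_RE.match(line)
            if m and suspicious_path(m.group(5)):
                findings["new_suspicious"].append(m.group(5))
        elif section == "reg loading points":      # autostarts and policy values
            m = REGVAL_RE.match(line)
            if m and WEAKENING.get(m.group(1)) == int(m.group(2), 16):
                findings["weakened"].append(m.group(1))
        elif section == "orphans removed":         # autostarts whose target is gone
            m = ORPHAN_RE.match(line)
            if m and (m.group(3) == "(no file)" or suspicious_path(m.group(3))):
                findings["orphans"].append((m.group(2), m.group(3)))
    return findings


# Constructed excerpt, built from lines of the log posted above.
SAMPLE_LOG = r"""
(((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))
c:\programdata\05232b1yfv35y2g4lrvt74x8e643ft
c:\users\Les_New\AppData\Roaming\ldxet.dll
C:\winntse.bin
((((((((((( Files Created from 2012-07-12 to 2012-08-12 )))))))))))
2012-08-11 17:17 . 2012-08-11 17:17 -------- d-----w- C:\FRST
2012-08-08 18:36 . 2012-08-08 18:38 -------- d-----w- c:\programdata\036E1912194FD0EDD9995CEE2F3B707C
2012-08-08 18:36 . 2012-08-08 18:36 -------- d-----w- c:\users\Les_New\AppData\Local\{F4A7B302-E187-11E1-8270-B8AC6F996F26}
2012-08-03 13:38 . 2012-03-08 17:32 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
- - - - ORPHANS REMOVED - - - -
Toolbar-10 - (no file)
MSConfigStartUp-ldxet - c:\users\Les_New\AppData\Roaming\ldxet.dll
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```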
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  8. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Thank you. Here in London, the city is suffering from a major hangover now the Olympics has ended. Still, it was fun.
    Anyway, here's the log.
    Les

    ComboFix 12-08-10.02 - Les_New 13/08/2012 12:27:04.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3006.1988 [GMT 1:00]
    Running from: c:\users\Les_New\Desktop\ComboFix.exe
    Command switches used :: c:\users\Les_New\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-13 11:37 . 2012-08-13 11:38 -------- d-----w- c:\users\Les_New\AppData\Local\temp
    2012-08-13 11:37 . 2012-08-13 11:37 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-13 11:19 . 2012-08-13 11:19 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{415A70F3-625C-4A46-9C2F-BAE1124D2762}\MpKslf50cccdf.sys
    2012-08-13 11:19 . 2012-08-13 11:19 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{415A70F3-625C-4A46-9C2F-BAE1124D2762}\offreg.dll
    2012-08-12 11:04 . 2012-07-16 01:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{415A70F3-625C-4A46-9C2F-BAE1124D2762}\mpengine.dll
    2012-08-11 17:17 . 2012-08-11 17:17 -------- d-----w- C:\FRST
    2012-08-08 19:29 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-08 19:29 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3C85FE2-8E03-4657-B7C2-4EBB101C4616}\gapaengine.dll
    2012-08-08 19:14 . 2012-08-08 19:14 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-08 18:36 . 2012-08-08 18:38 -------- d-----w- c:\programdata\036E1912194FD0EDD9995CEE2F3B707C
    2012-08-08 18:36 . 2012-08-08 18:36 -------- d-----w- c:\users\Les_New\AppData\Local\{F4A7B302-E187-11E1-8270-B8AC6F996F26}
    2012-08-08 18:35 . 2012-08-08 18:35 -------- d-----w- c:\users\Les_New\AppData\Roaming\Ovis
    2012-08-03 13:39 . 2012-08-03 13:39 -------- d-----w- c:\windows\en
    2012-08-03 13:38 . 2012-03-08 17:32 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
    2012-08-03 13:32 . 2012-08-03 13:32 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2012-08-03 13:25 . 2012-08-03 13:25 89944 ----a-w- c:\program files\Common Files\Windows Live\.cache\636b762e1cd717b02\DSETUP.dll
    2012-08-03 13:25 . 2012-08-03 13:25 537432 ----a-w- c:\program files\Common Files\Windows Live\.cache\636b762e1cd717b02\DXSETUP.exe
    2012-08-03 13:25 . 2012-08-03 13:25 1801048 ----a-w- c:\program files\Common Files\Windows Live\.cache\636b762e1cd717b02\dsetup32.dll
    2012-08-01 17:32 . 2012-08-04 14:04 -------- d-----w- c:\users\Les_New\AppData\Local\Windows Live
    2012-07-27 15:27 . 2012-07-27 15:27 -------- d-----w- c:\users\Les_New\AppData\Roaming\Nokia
    2012-07-27 15:21 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-28 21:15 . 2012-03-30 17:12 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-28 21:15 . 2011-10-25 18:31 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-28 21:15 . 2012-03-30 17:15 9821896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2012-07-03 12:46 . 2011-10-04 13:39 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:40 . 2012-07-12 02:15 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-06-11 04:14 . 2012-06-11 04:14 784144 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-06-05 16:47 . 2012-07-11 06:48 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-11 06:48 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:26 . 2012-07-11 06:48 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-21 10:32 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 10:32 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 10:31 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 10:31 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 10:32 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 10:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 10:31 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:53 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-06-02 19:53 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-06-02 14:19 . 2012-06-21 10:31 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:12 . 2012-06-21 10:31 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 08:33 . 2012-07-12 02:01 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 08:25 . 2012-07-12 02:01 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 08:25 . 2012-07-12 02:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-12 02:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-12 02:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 00:04 . 2012-07-11 06:48 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:03 . 2012-07-11 06:48 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-05-18 20:47 . 2012-05-18 20:47 164168 ----a-w- c:\windows\system32\vrfcore.dll
    2012-05-18 20:47 . 2012-05-18 20:47 87312 ----a-w- c:\windows\system32\vfcompat.dll
    2012-05-18 20:47 . 2012-05-18 20:47 81560 ----a-w- c:\windows\system32\vfnet.dll
    2012-05-18 20:47 . 2012-05-18 20:47 61352 ----a-w- c:\windows\system32\vfnws.dll
    2012-05-18 20:47 . 2012-05-18 20:47 52016 ----a-w- c:\windows\system32\vfcuzz.dll
    2012-05-18 20:47 . 2012-05-18 20:47 367360 ----a-w- c:\windows\system32\vfprintpthelper.dll
    2012-05-18 20:47 . 2012-05-18 20:47 351248 ----a-w- c:\windows\system32\vfbasics.dll
    2012-05-18 20:47 . 2012-05-18 20:47 306560 ----a-w- c:\windows\system32\vfprint.dll
    2012-05-18 20:47 . 2012-05-18 20:47 21432 ----a-w- c:\windows\system32\cuzzapi.dll
    2012-05-18 20:47 . 2012-05-18 20:47 173504 ----a-w- c:\windows\system32\appverif.exe
    2012-05-18 20:47 . 2012-05-18 20:47 40120 ----a-w- c:\windows\system32\vfntlmless.dll
    2012-05-18 20:47 . 2012-05-18 20:47 242736 ----a-w- c:\windows\system32\vfluapriv.dll
    2012-08-06 12:08 . 2011-10-05 14:34 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MIDI2"=vpnt.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Leslie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
    path=c:\users\Leslie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-04-20 11:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-05-30 19:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brother MFL Pro Remote Setup]
    1999-12-02 16:24 194048 ----a-w- c:\windows\twain_32\BRMFLPRO\BRMFRMS.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
    2011-05-26 15:04 1590144 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2006-11-12 01:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
    2006-11-17 21:13 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
    2010-10-12 13:56 979328 ----a-w- c:\program files\EPSON Software\Event Manager\EEventManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
    2012-03-08 17:32 884584 ----a-w- c:\program files\Windows Live\Family Safety\fsui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXRCV]
    2011-03-09 00:00 495616 ----a-w- c:\program files\EPSON Software\FAX Utility\FUFAXRCV.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]
    2011-03-09 00:00 856064 ----a-w- c:\program files\EPSON Software\FAX Utility\FUFAXSTM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-02-16 16:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-08-19 00:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
    2010-05-20 14:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-07-03 12:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mikogo]
    2012-06-08 12:43 5380000 ----a-w- c:\users\Les_New\AppData\Roaming\Mikogo 4\mikogo-host.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
    2011-10-21 12:19 2193000 ----a-w- c:\program files\Nokia\Nokia Music Player\NokiaMusicPlayer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
    2010-02-24 20:17 385928 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-12-08 04:25 7766016 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-12-08 04:25 81920 ----a-w- c:\windows\System32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2006-12-08 04:25 90191 ----a-w- c:\windows\System32\nvsvc.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-04-18 19:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2007-05-06 17:10 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
    2012-07-29 12:43 7601880 ----a-w- c:\users\Les_New\AppData\Roaming\Spotify\spotify.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
    2012-07-29 12:43 1193176 ----a-w- c:\users\Les_New\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2012-06-02 19:53 296056 ----a-w- c:\program files\real\RealPlayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
    2010-05-20 14:27 762736 ----a-w- c:\windows\vVX3000.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
    2006-11-02 12:35 176128 ----a-w- c:\windows\System32\wpcumi.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLF50CCCDF
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2011-10-05 13:20 114176 ----a-w- c:\windows\System32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 11:42]
    .
    2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 13:50]
    .
    2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 13:50]
    .
    2012-08-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:31]
    .
    2012-08-13 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:31]
    .
    2012-08-13 c:\windows\Tasks\User_Feed_Synchronization-{4410D2A5-866D-4E21-BE58-E2C137396A8C}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-05 13:20]
    .
    2011-10-05 c:\windows\Tasks\User_Feed_Synchronization-{4B7857AA-85CC-4203-95CC-FA2AF1F610B7}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-05 13:20]
    .
    2012-08-13 c:\windows\Tasks\User_Feed_Synchronization-{ED38B297-A111-4C4A-9A18-3554545F5267}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-05 13:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/news/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
    DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
    FF - ProfilePath - c:\users\Les_New\AppData\Roaming\Mozilla\Firefox\Profiles\7a39l92k.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/news/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-13 12:38
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-08-13 12:40:34
    ComboFix-quarantined-files.txt 2012-08-13 11:40
    .
    Pre-Run: 20,676,378,624 bytes free
    Post-Run: 21,653,106,688 bytes free
    .
    - - End Of File - - 9B7C517F43726B310F4016C23FA2F187
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's okay. :)

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  10. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Fine, thanks. I'll do that overnight tonight with the anti-virus switched off and the broadband disconnected.
     
  11. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Right then, here's the log.
    Les

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=00b9951dd9c4544797ac95a3c0ce8aad
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-15 12:10:00
    # local_time=2012-08-15 01:10:00 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 26363874 26363874 0 0
    # compatibility_mode=5892 16776574 100 100 26996567 182510602 0 0
    # compatibility_mode=8192 67108863 100 0 41175 41175 0 0
    # scanned=301866
    # found=6
    # cleaned=6
    # scan_time=11526
    C:\FRST\Quarantine\{c6c20914-49ac-17aa-db84-306d9719f7f3}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\FRST\Quarantine\{c6c20914-49ac-17aa-db84-306d9719f7f3}\{c6c20914-49ac-17aa-db84-306d9719f7f3}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Users\Les_New\AppData\Roaming\ldxet.dll.vir a variant of Win32/Medfos.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Users\Les_New\AppData\Local\{F4A7B302-E187-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Users\Les_New\Downloads\Computer fix software\cnet_lspfix_zip.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Users\Public\SHARED DOCS lh tt\Utilities & programs\SoftonicDownloader_for_whats-my-computer-doing.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Please download DDS by sUBs from BleepingComputer.com or Forospyware.com and save it to your Desktop.

    Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click Yes to the Optional_Scan
    • Please follow the instructions that pop up for posting the results. Post only the contents of both logs.
    • Close the program window, and delete the program from your Desktop.
     
  13. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    I didn't notice any 'optional scan' being offered. Here are the logs.
    Les

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by Les_New at 10:42:29 on 2012-08-15
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3006.1838 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\1.3.21.115\GoogleCrashHandler.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Users\Les_New\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    c:\xampp\apache\bin\httpd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Users\Les_New\AppData\Roaming\Mikogo 4\M4-Service.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Users\Les_New\AppData\Roaming\Mikogo 4\M4-Capture.exe
    c:\xampp\mysql\bin\mysqld.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\WUDFHost.exe
    C:\xampp\apache\bin\httpd.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchFilterHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.bbc.co.uk/news/
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    uRun: [Spotify Web Helper] "c:\users\les_new\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
    DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.euro.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - hxxps://register.btinternet.com/templates/btwebcontrol028.cab
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{415E46C2-7982-45DE-A495-14F5C4D9D0A3} : DhcpNameServer = 192.168.1.254 192.168.1.254
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\les_new\appdata\roaming\mozilla\firefox\profiles\7a39l92k.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/news/
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R1 RapportCerberus_32301;RapportCerberus_32301;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_32301.sys [2011-11-1 227312]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-1 71440]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-1 164112]
    R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2011-9-10 18432]
    R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\common files\epson\epw!3 ssrp\E_JT50RP.EXE [2012-2-3 130944]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-24 21504]
    R2 M4-Service;M4-Service;c:\users\les_new\appdata\roaming\mikogo 4\M4-Service.exe [2012-6-8 1008032]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-4 655944]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-1 931640]
    R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]
    R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2010-9-3 185640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-4 22344]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1c90d02e9defad0;Google Update Service (gupdate1c90d02e9defad0);c:\program files\google\update\GoogleUpdate.exe [2008-9-2 133104]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-7 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 257224]
    S3 BTUsbrXP(R);BT Voyager 1010 USB Adapter;c:\windows\system32\drivers\btusbrxp.sys [2003-1-21 93056]
    S3 ExpressAccountsService;Express Accounts;c:\program files\nch software\expressaccounts\expressaccounts.exe [2012-3-11 2960900]
    S3 ExpressInvoiceService;Express Invoice;c:\program files\nch software\expressinvoice\expressinvoice.exe [2012-3-11 1987588]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-8-3 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-9-2 133104]
    S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-10-7 21504]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-1 64272]
    S3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2012-7-12 155320]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-08-14 22:24:57 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{eb74d040-be64-454e-84c9-cd32ae5dd3cf}\mpengine.dll
    2012-08-14 20:55:55 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-08-14 09:31:39 -------- d-----w- c:\program files\ESET
    2012-08-13 11:40:35 -------- d-----w- c:\users\les_new\appdata\local\temp
    2012-08-13 11:40:02 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-08-12 10:33:56 98816 ----a-w- c:\windows\sed.exe
    2012-08-12 10:33:56 518144 ----a-w- c:\windows\SWREG.exe
    2012-08-12 10:33:56 256000 ----a-w- c:\windows\PEV.exe
    2012-08-12 10:33:56 208896 ----a-w- c:\windows\MBR.exe
    2012-08-11 17:17:26 -------- d-----w- C:\FRST
    2012-08-08 19:29:13 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
    2012-08-08 19:29:13 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e3c85fe2-8e03-4657-b7c2-4ebb101c4616}\gapaengine.dll
    2012-08-08 19:14:17 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-08 18:36:49 -------- d-----w- c:\programdata\036E1912194FD0EDD9995CEE2F3B707C
    2012-08-08 18:36:31 -------- d-----w- c:\users\les_new\appdata\local\{F4A7B302-E187-11E1-8270-B8AC6F996F26}
    2012-08-08 18:35:32 -------- d-----w- c:\users\les_new\appdata\roaming\Ovis
    2012-08-04 14:04:29 -------- d-----w- c:\users\les_new\appdata\local\{9FC1C706-C763-49FE-B8A7-22D2B1B54B62}
    2012-08-04 02:04:03 -------- d-----w- c:\users\les_new\appdata\local\{29BCABF9-0B12-4570-AD9D-2F0F2965AA3E}
    2012-08-04 02:03:52 -------- d-----w- c:\users\les_new\appdata\local\{A6FA50C1-AF01-4A5C-9182-F20F58491991}
    2012-08-03 14:03:14 -------- d-----w- c:\users\les_new\appdata\local\{09D3C44B-1A8E-4473-A368-DD1527AC14B0}
    2012-08-03 14:03:02 -------- d-----w- c:\users\les_new\appdata\local\{742FFC1C-46E5-41CC-95E3-542AC8F28867}
    2012-08-03 13:39:10 -------- d-----w- c:\windows\en
    2012-08-03 13:38:24 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
    2012-08-03 13:32:32 19720 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
    2012-08-03 13:25:03 89944 ----a-w- c:\program files\common files\windows live\.cache\636b762e1cd717b02\DSETUP.dll
    2012-08-03 13:25:03 537432 ----a-w- c:\program files\common files\windows live\.cache\636b762e1cd717b02\DXSETUP.exe
    2012-08-03 13:25:03 1801048 ----a-w- c:\program files\common files\windows live\.cache\636b762e1cd717b02\dsetup32.dll
    2012-08-03 11:13:09 -------- d-----w- c:\users\les_new\appdata\local\{22592C27-CBD1-42CC-928B-0D45EEE3818A}
    2012-08-02 23:18:26 -------- d-----w- c:\users\les_new\appdata\local\{C8CA92F8-0DAD-44F8-9E07-4DDDC71D4D46}
    2012-08-01 19:07:45 -------- d-----w- c:\users\les_new\appdata\local\{8F50EFF1-658F-4BBE-A26A-F318092F8434}
    2012-08-01 17:32:01 -------- d-----w- c:\users\les_new\appdata\local\Windows Live
    2012-08-01 17:31:42 -------- d-----w- c:\users\les_new\appdata\local\{C2DB3021-0D2D-4AE9-AA23-51BFBDD9F232}
    2012-08-01 17:31:41 -------- d-----w- c:\users\les_new\appdata\local\{30D5056D-FBA0-4AB2-9E68-7C5058D602CD}
    2012-07-27 15:21:06 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    .
    ==================== Find3M ====================
    .
    2012-07-28 21:15:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-28 21:15:09 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-28 21:15:03 9821896 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2012-07-03 12:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:53:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-06-02 19:53:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-06-02 14:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-05-18 20:47:18 164168 ----a-w- c:\windows\system32\vrfcore.dll
    2012-05-18 20:47:16 87312 ----a-w- c:\windows\system32\vfcompat.dll
    2012-05-18 20:47:16 81560 ----a-w- c:\windows\system32\vfnet.dll
    2012-05-18 20:47:16 61352 ----a-w- c:\windows\system32\vfnws.dll
    2012-05-18 20:47:16 52016 ----a-w- c:\windows\system32\vfcuzz.dll
    2012-05-18 20:47:16 367360 ----a-w- c:\windows\system32\vfprintpthelper.dll
    2012-05-18 20:47:16 351248 ----a-w- c:\windows\system32\vfbasics.dll
    2012-05-18 20:47:16 306560 ----a-w- c:\windows\system32\vfprint.dll
    2012-05-18 20:47:16 21432 ----a-w- c:\windows\system32\cuzzapi.dll
    2012-05-18 20:47:16 173504 ----a-w- c:\windows\system32\appverif.exe
    2012-05-18 20:47:14 40120 ----a-w- c:\windows\system32\vfntlmless.dll
    2012-05-18 20:47:14 242736 ----a-w- c:\windows\system32\vfluapriv.dll
    .
    ============= FINISH: 10:43:19.80 ===============
    .
     
  14. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    The second one is 54,000 characters long and suggests I zip it up. How should I send it?
    Les
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Upload it here, please.
     
  16. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Attached.
     


  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Please run the F-Secure Online Scanner
    • Accept the License Agreement and check the box. Then click on Run Check.
    • It will ask you to Run the Java plugin. Please confirm.
    • Once the download completes, the window for the scanner will launch.
    • Please confirm any more prompts, and then select Full Scan.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • It will run its cleaning.
    • Click the Full report button and Copy & Paste the entire report (except the bold text at the foot of the page) in your next reply. Once that's done, click the Close button on the scan window.
     
  18. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Here is the log.
    Les

    Computer name: LESLIE-PC
    Scanning type: Scan system for malware, spyware and rootkits
    Target: C:\ D:\
    No malware found


    Statistics

    Scanned:
    • Files: 158608
    • System: 4966
    • Not scanned: 47
    Actions:
    • Disinfected: 0
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0
    Files not scanned:
    • C:\PAGEFILE.SYS
    • C:\XAMPP\TMP\IBD71C.TMP
    • C:\XAMPP\TMP\IBD72C.TMP
    • C:\XAMPP\TMP\IBD7EB.TMP
    • C:\XAMPP\TMP\IBD73D.TMP
    • C:\XAMPP\TMP\IBD74E.TMP
    • C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
    • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    • C:\WINDOWS\SYSTEM32\CONFIG\SAM
    • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
    • C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
    • C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DF1331.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DF3DA9.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DF4188.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DF8A72.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DFA507.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DFB31B.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DFB706.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DFB80.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DFD005.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DFE36E.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\~DFF7B9.TMP
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\HSPERFDATA_LES_NEW\4176
    • C:\USERS\LES_NEW\APPDATA\LOCAL\TEMP\HSPERFDATA_LES_NEW\804
    • C:\SYSTEM VOLUME INFORMATION\{275A991D-DD56-11E1-9C8A-001AA00E2159}{3808876B-C176-4E48-B7AE-04046E6CC752}
    • C:\SYSTEM VOLUME INFORMATION\{1BF83FC8-E594-11E1-B7EB-001AA00E2159}{3808876B-C176-4E48-B7AE-04046E6CC752}
    • C:\SYSTEM VOLUME INFORMATION\{86FA2758-E46B-11E1-B1F3-001AA00E2159}{3808876B-C176-4E48-B7AE-04046E6CC752}
    • C:\QOOBOX\BACKENV\SETPATH.BAT
    • C:\QOOBOX\BACKENV\VIKPEV00
    • C:\PROGRAMDATA\MICROSOFT\WINDOWS\DRM\CACHE\INDIV01.TMP
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\2D386FDBFA9DB4EC9FA168743C331D99_7A32A19B-A9DF-431D-85F5-588C325EB7E2
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4D96FB27B90009CC0DFC6C097940F8BB_7A32A19B-A9DF-431D-85F5-588C325EB7E2
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\42CF96D02AD7FEA688A0ACB9AED1D1FA_7A32A19B-A9DF-431D-85F5-588C325EB7E2
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4E9A8201A4A671D5E3433C39FD8944A1_7A32A19B-A9DF-431D-85F5-588C325EB7E2
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\49B698FD1CF88662AF7768EC7D424520_7A32A19B-A9DF-431D-85F5-588C325EB7E2
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\F3A5A0500022B70AE51A7AC0C06E5638_7A32A19B-A9DF-431D-85F5-588C325EB7E2
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DD83982495B2890122B7209EC572B98A_7A32A19B-A9DF-431D-85F5-588C325EB7E2
    • C:\FRST\QUARANTINE\SERVICES.EXE
     
  19. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    PS Towards the end of that scan, MSE was active and seems to have 'disinfected' sirefef several times, according to its history.
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Probably did so from Quarantine of FRST. No biggie.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  21. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    You've been very kind, and it all seems to be running smoothly now. Thank you very much.
    A couple of unexpected things have changed. IE9 would never show History - now it does. But the printer attached to my computer which previously was used by the family network no longer works for them. I've looked at the sharing permissions - disabled and then enabled them again - but can't work out what's causing this. Might be a coincidence.
    The one thing that bothers me is why I got infected by this thing in the first place. I'm a very conservative internet user in that I only visit well-respected sites, don't download dodgy material, and have things generally up to date on my computer.
    Where did I go wrong?
    Les
     
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    I will have prevention tips and will point to an article about infection vectors of Sirefef.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  23. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    Yes, I've completed the tasks listed. Here's the log file.
    Les

    Results of screen317's Security Check version 0.99.44
    Windows Vista Service Pack 2 x86 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    CCleaner
    Java(TM) 6 Update 29
    Java(TM) 6 Update 22
    Java version out of Date!
    Adobe Flash Player 11.3.300.268
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (14.0.1)
    Mozilla Thunderbird (14.0.)
    Google Chrome 21.0.1180.77
    Google Chrome 21.0.1180.79
    Google Chrome VisualElementsManifest.xml..
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0 %
    ````````````````````End of Log``````````````````````
     
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

    Any other questions before I mark this topic solved?
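    The advice in the post above rests on a detail the user can verify directly: the Java and Reader installers leave previous versions in place, and the Security Check log earlier in the thread shows two Java 6 updates side by side. The following is an added PowerShell example (mine, not the helper's instructions or any tool on this page) that reads the standard Uninstall registry keys to list those leftovers and checks the EnableLUA value behind the "UAC is disabled!" line; the product-name patterns are my own assumption.

```powershell
# Added example, not part of the thread: a read-only inventory of the two
# products Security Check flagged. It lists every Java and Adobe Reader
# entry under the Uninstall keys so stale side-by-side versions can be
# removed by hand before the new release is installed. Nothing is uninstalled.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # Only exists on 64-bit Windows; harmless on the 32-bit Vista in this thread.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName patterns are my own assumption; adjust if a vendor renames a product.
$watch = @{
    'Java'         = '^(Java\(TM\)|J2SE Runtime Environment|Java \d)'
    'Adobe Reader' = '^Adobe (Acrobat )?Reader'
}

function ConvertTo-VersionOrZero([string]$Text) {
    # DisplayVersion is free text; fall back to 0.0 when it does not parse.
    try { return [version]($Text -replace '[^\d.]', '' -replace '\.+$', '') }
    catch { return [version]'0.0' }
}

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

foreach ($product in $watch.Keys) {
    $hits = @($installed |
        Where-Object { $_.DisplayName -match $watch[$product] } |
        Sort-Object { ConvertTo-VersionOrZero $_.DisplayVersion } -Descending)

    if ($hits.Count -eq 0) { Write-Host "${product}: not installed"; continue }

    Write-Host "${product}: $($hits.Count) entry(ies) found"
    # Everything after the newest entry is a leftover the installer never removed.
    $hits | Select-Object -Skip 1 | ForEach-Object {
        Write-Host "  remove: $($_.DisplayName) $($_.DisplayVersion)"
        Write-Host "          $($_.UninstallString)"
    }
    Write-Host "  keep until updated: $($hits[0].DisplayName) $($hits[0].DisplayVersion)"
}

# Security Check also reported 'UAC is disabled!'; EnableLUA=0 is that setting.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($uac -ne 1) { Write-Host 'UAC is disabled (EnableLUA is not 1); turn it back on under User Accounts.' }
```

Run it from an elevated PowerShell prompt so both registry hives are readable; the printed UninstallString is what Programs and Features runs for each entry.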
     
  25. Les_H

    Les_H TS Rookie Topic Starter Posts: 16

    All done and all good. Many thanks again.
    Do I click on something on this site to say that I am a happy customer?
    Regards.
    Les
     
Topic Status:
Not open for further replies.
