Sirefef infection according to Microsoft Forefront

Resolved
By Frisian
Jun 26, 2012
Topic Status:
Not open for further replies.
  1. Hi all,

    I would really appreciate some help in resolving my issue.

    According to Microsoft Forefront Security my computer is infected by a Sirefef Trojan. However, if I click solve/clean this problem it will be back in seconds.

    I'm running Microsoft Windows XP SP3, Microsoft Forefront security, Ad-aware spyware remove, Spybot search and destroy.

    My computer has had an issue before and it was solved by our local IT department; however, I feel that it was never solved perfectly. I have the laptop now for personal use.

    Please help.

    Regards,

    Frisian
  2. Bobbye

    Please tell me one very important answer:
    Are you having any spontaneous issues- so that you cannot run scans?

    >>>>>>>>>>IF your answer is No, go ahead with the following<<<<<<<<<<<<<

    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please leave the logs in your next reply.
  3. Frisian

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.26.08
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    VanZwolC :: GB002061 [administrator]
    Protection: Enabled
    26/06/2012 21:25:27
    mbam-log-2012-06-26 (21-25-27).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 325494
    Time elapsed: 34 minute(s), 51 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
    Registry Values Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\vanzwolc\Local Settings\Application Data\{54050caa-e597-7ebc-2371-4a978e6b41f2}\n. -> Quarantined and deleted successfully.
    Registry Data Items Detected: 5
    HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 7
    C:\Documents and Settings\vanzwolc\Local Settings\Temp\pkg0u.exe (Trojan.Agent.TRGen) -> Quarantined and deleted successfully.
    C:\Documents and Settings\vanzwolc\Local Settings\Temp\E.tmp (Trojan.Ransom.XGen) -> Quarantined and deleted successfully.
    C:\Documents and Settings\vanzwolc\Local Settings\Application Data\rxpqhnduu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\n (Rootkit.0Access) -> Delete on reboot.
    C:\WINDOWS\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
    C:\WINDOWS\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Documents and Settings\lendej\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
    (end)

    This is from Malwarebytes; however, GMER is giving a problem: Error 0xC00010E: cannot create a stable subkey under a volatile parent key
  4. Frisian

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-06-26 22:52:24
    Windows 5.1.2600 Service Pack 3
    Running: okvdfdcs.exe; Driver: C:\DOCUME~1\vanzwolc\LOCALS~1\Temp\kxlyqpog.sys

    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\3da21691-e39d-4da6-8a4b-b43877bcb1b7@FlushCacheFiles C:\WINDOWS\SoftwareDistribution\EventCache\{F0BF1A2E-80A3-42EC-92EA-CE5E8A5A35AD}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{D68C7E72-565F-4B42-8E63-E17A843A9003}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{EA27612D-D1C8-4D80-BC04-339CEA2F6B29}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{2B8F972B-A78A-4D12-8FAC-0AAFC26114C4}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{49EE455E-B085-42D9-9AD5-717AF7D4D26B}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{10B5FA8A-E15D-4BE8-A616-5AF92FAAEA14}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{C6506971-A26B-4790-9F74-63DF7AF5D404}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{AC0CCFD9-FFCE-465A-8E3A-A9A108701EB3}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{0A7C916D-F369-4584-B776-1BE7004C51B8}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{9180D5F6-E4C4-44E7-AA5C-B239B20D4F9F}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{E4D552CD-C49E-49CF-BB15-B0AF8444077A}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{802B53FC-BFE8-48FC-939F-CC9292CD4
    ---- EOF - GMER 1.0.15 ----
    This is the GMER report; however, I could only select the boxes Service, Registry and Files, NOT: System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries
  5. Frisian

    DDS.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
    Run by VanZwolC at 22:57:13 on 2012-06-26
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3539.2713 [GMT 2:00]
    .
    AV: Microsoft Forefront Client Security *Enabled/Outdated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
    AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
    FW: Lavasoft Ad-Aware *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Fingerprint Sensor\AtService.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\drivers\audio\r190031\stacsv.exe
    svchost.exe
    C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
    C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
    C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\BtTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uWindow Title = Microsoft Internet Explorer provided by CEVA Logistics
    uStart Page = hxxp://cevanet.logistics.corp/Pages/default.aspx
    uDefault_Page_URL = hxxp://cevanet.logistics.corp/Pages/default.aspx
    uInternet Settings,ProxyServer = proxy.gblogistics.co.uk:8080
    uInternet Settings,ProxyOverride = hxxp://10.*;http://*.edc.logistics.tnt;*.logist...trixgateway.starbucks.net*;*.egl.corp;<local>
    mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
    mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
    mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
    mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
    mRun: [DCPstrApp] c:\program files\dell\dell controlpoint\security manager\SecurityDeviceInfoSetRegistryString.exe
    mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
    mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
    mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    uExplorerRun: [Wave Systems Corp.] c:\documents and settings\vanzwolc\application data\838B27.exe
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    mPolicies-system: RunLogonScriptSync = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: btsmartnumbers1.com\www
    Trusted Zone: depoelconsulting.com
    Trusted Zone: imscan.co.uk\www
    Trusted Zone: imscan.net\www
    Trusted Zone: lsmgroup.com
    Trusted Zone: masternaut.co.uk\www
    Trusted Zone: skillport.com
    Trusted Zone: skillport.com\eval
    Trusted Zone: skillsoft.com
    Trusted Zone: uklapp002
    Trusted Zone: uklepo001
    Trusted Zone: ukllms01
    Trusted Zone: uklweb019
    Trusted Zone: btsmartnumbers1.com\www
    Trusted Zone: depoelconsulting.com
    Trusted Zone: imscan.co.uk\www
    Trusted Zone: imscan.net\www
    Trusted Zone: lsmgroup.com
    Trusted Zone: masternaut.co.uk\www
    Trusted Zone: skillport.com
    Trusted Zone: skillport.com\eval
    Trusted Zone: skillsoft.com
    Trusted Zone: uklapp002
    Trusted Zone: uklepo001
    Trusted Zone: ukllms01
    Trusted Zone: uklweb019
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/canvasx.cab
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.uk.cevalogistics.com/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227280743546
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290280695277
    DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://vpn.uk.cevalogistics.com/CACHE/sdesktop/install/binaries/instweb.cab
    DPF: {8161DA4A-CF2C-4926-8D29-C3F138FA7FA1} - hxxp://eupdwswebb204.logistics.corp:84/jde/axctls/jdewebctls.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    Notify: TPSvc - TPSvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    LSA: Authentication Packages = msv1_0 wvauth
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\vanzwolc\application data\mozilla\firefox\profiles\d2skqlez.default\
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\innova-engineering gmbh\3d-viewer-innoplus\npIno3DViewer.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-5-30 21240]
    R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-5-30 335224]
    R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2012-5-30 217976]
    R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-5-3 1226096]
    R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-11 1664248]
    R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2008-7-1 110592]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-6-3 386328]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-8-18 455960]
    R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2011-1-8 16896]
    R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-26 654408]
    R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-5-30 77816]
    R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-9-9 69632]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-5-19 370872]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-11-8 108160]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-8 110080]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-26 22344]
    R3 mdvdrv;Connectivity Driver;c:\windows\system32\drivers\mdvdrv.sys [2009-5-9 115200]
    R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-2-2 71296]
    R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-5-30 94584]
    S1 ftdvqhes;ftdvqhes;\??\c:\windows\system32\drivers\ftdvqhes.sys --> c:\windows\system32\drivers\ftdvqhes.sys [?]
    S1 kxudcocj;kxudcocj;\??\c:\windows\system32\drivers\kxudcocj.sys --> c:\windows\system32\drivers\kxudcocj.sys [?]
    S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-10-26 101112]
    S2 AMService;AMService;c:\windows\system32\xotmksushimhgcdutwmuxt.exe run --> c:\windows\system32\xotmksushimhgcdutwmuxt.exe run [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-6 136176]
    S2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2011-12-19 3289032]
    S3 3y4n.sys;3y4n.sys;\??\c:\windows\system32\drivers\3y4n.sys --> c:\windows\system32\drivers\3y4n.sys [?]
    S3 7hblk.sys;7hblk.sys;\??\c:\windows\system32\drivers\7hblk.sys --> c:\windows\system32\drivers\7hblk.sys [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 253600]
    S3 g7zqafssd.sys;g7zqafssd.sys;\??\c:\windows\system32\drivers\g7zqafssd.sys --> c:\windows\system32\drivers\g7zqafssd.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-6 136176]
    S3 ipz4nzupj.sys;ipz4nzupj.sys;\??\c:\windows\system32\drivers\ipz4nzupj.sys --> c:\windows\system32\drivers\ipz4nzupj.sys [?]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-19 113120]
    S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-5-30 94584]
    S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-5-30 93816]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-06-26 19:24:03 -------- d-----w- c:\documents and settings\vanzwolc\application data\Malwarebytes
    2012-06-26 19:23:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-06-26 19:23:41 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-26 19:23:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-21 16:57:10 42960 ----a-w- c:\windows\system32\drivers\zhmrneja.sys
    2012-06-19 07:37:27 -------- d-----w- c:\documents and settings\vanzwolc\local settings\application data\Sun
    2012-06-18 23:44:08 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKslfe13365c.sys
    2012-06-18 23:41:23 -------- d-----w- c:\program files\Oracle
    2012-06-18 23:41:08 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-06-18 23:31:20 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-06-18 23:31:12 113120 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
    2012-06-18 23:31:11 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
    2012-06-18 23:31:11 157608 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
    2012-06-18 23:31:10 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
    2012-06-18 10:10:51 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKsl87181a9e.sys
    2012-06-15 08:32:22 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKsl2c38377c.sys
    2012-06-05 23:49:39 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKsl7ca41a22.sys
    2012-06-04 15:59:29 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\mpengine.dll
    2012-06-04 13:02:34 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-06-04 13:02:34 3072 ------w- c:\windows\system32\iacenc.dll
    2012-05-30 15:05:04 -------- d-----w- c:\documents and settings\vanzwolc\local settings\application data\adaware
    2012-05-30 15:04:36 93816 ----a-w- c:\windows\system32\drivers\sbhips.sys
    2012-05-30 15:04:36 77816 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2012-05-30 15:04:36 21240 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2012-05-30 15:04:35 217976 ----a-w- c:\windows\system32\drivers\sbtis.sys
    2012-05-30 15:04:10 94584 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
    2012-05-30 15:04:10 335224 ----a-w- c:\windows\system32\drivers\SbFw.sys
    2012-05-30 15:04:01 -------- d-----w- c:\windows\system32\drivers\VDD
    2012-05-30 15:03:54 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-05-30 15:01:02 -------- d-----w- c:\documents and settings\vanzwolc\local settings\application data\adawarebp
    2012-05-30 15:00:56 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
    2012-05-30 15:00:45 -------- d-----w- c:\program files\Toolbar Cleaner
    2012-05-30 15:00:23 -------- d-----w- c:\documents and settings\vanzwolc\application data\adawaretb
    2012-05-30 15:00:21 -------- d-----w- c:\program files\adawaretb
    2012-05-30 14:59:13 -------- d-----w- c:\documents and settings\vanzwolc\application data\Ad-Aware Antivirus
    .
    ==================== Find3M ====================
    .
    2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-04 17:29:50 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-05-04 17:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-05 16:57:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-05 16:57:20 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    .
    ============= FINISH: 23:04:56.70 ===============
  6. Frisian

    ATTACH.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 17/11/2008 13:12:18
    System Uptime: 26/06/2012 22:04:01 (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0DW634
    Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 23.294 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0000
    Service: vpnva
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    32 Bit HP CIO Components Installer
    3D-Viewer-innoPlus
    Ad-Aware Antivirus
    Ad-Aware Browsing Protection
    Ad-Aware Security Toolbar
    Adobe Acrobat 6.0 Standard - English, Français, Deutsch
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.3.1
    Adobe Shockwave Player 11.5
    All Day Battery Life Configuration
    AuthenTec Fingerprint System
    BioAPI Framework
    biolsp patch
    BlackBerry Desktop Software 6.0
    Broadcom Management Programs
    Broadcom TPM Driver Installer
    BTOffer
    BufferChm
    Cisco AnyConnect VPN Client
    Citrix Presentation Server Client
    Compatibility Pack for the 2007 Office system
    Copy
    CustomerResearchQFolder
    Dell Control Point
    Dell ControlPoint Connection Manager
    Dell ControlPoint Security Manager
    Dell ControlPoint System Manager
    Dell Embassy Trust Suite by Wave Systems
    Dell Security Device Driver Pack
    Dell Touchpad
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DJ_AIO_03_F4200_ProductContext
    DJ_AIO_03_F4200_Software
    DJ_AIO_03_F4200_Software_Min
    Document Manager Lite
    EMBASSY Security Center
    EMBASSY Security Setup
    ESC Home Page Plugin
    eSupportQFolder
    F4200
    F4200_Help
    Gemalto
    Google Update Helper
    GPBaseService
    GPBaseService2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
    Hotfix for Windows XP (KB2633952)
    HP Customer Participation Program 10.0
    HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3
    HP Imaging Device Functions 10.0
    HP Photosmart Essential 3.5
    HP Smart Web Printing 4.60
    HP Solution Center 13.0
    HP Update
    HPDiagnosticAlert
    HPPhotoSmartDiscLabelContent1
    HPPhotosmartEssential
    HPProductAssistant
    Huawei modem
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 29
    Java(TM) 7 Update 5
    JavaFX 2.1.1
    KPN Mobiel Internet Dashboard
    Malwarebytes Anti-Malware version 1.61.0.1400
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Forefront Client Security Antimalware Service
    Microsoft Forefront Client Security State Assessment Service
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access Runtime (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Operations Manager 2005 Agent
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 13.0.1 (x86 en-GB)
    Mozilla Maintenance Service
    MSVC80_x86
    MSVCRT
    MSVCSetup
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    Nokia Connectivity Cable Driver
    Nokia Multimedia Common Components 2.4
    NTRU TCG Software Stack
    OGA Notifier 2.0.0048.0
    PowerDVD
    Preboot Manager
    Private Information Manager
    PSSWCORE
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler 3
    Scan
    Secure Update
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB953838)
    Security Wizards
    Segoe UI
    SmartWebPrinting
    Snapshot Viewer
    SolutionCenter
    Sonic CinePlayer Decoder Pack
    Spybot - Search & Destroy
    Status
    TomTom HOME 2.7.4.1962
    TomTom HOME Visual Studio Merge Modules
    Toolbox
    TrayApp
    Trusted Drive Manager
    tsp patch
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2598290) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB951978)
    UPEK TouchChip Fingerprint Reader
    VideoToolkit01
    Wave Infrastructure Installer
    Wave Support Software
    WebFldrs XP
    WebReg
    WIDCOMM Bluetooth Software
    Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live - Hulpprogramma voor uploaden
    Windows Live aanmeldhulp
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    26/06/2012 22:03:22, error: Service Control Manager [7034] - The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).
    26/06/2012 22:03:22, error: Service Control Manager [7034] - The Dell ControlPoint Button Service service terminated unexpectedly. It has done this 1 time(s).
    26/06/2012 15:54:09, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AL&threatid=2147657180 Scan ID: {AFF8A008-F831-4159-B2A0-7DC8BF7602BC} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
    26/06/2012 13:31:20, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AG&threatid=2147655289 Scan ID: {03E6D61E-EEF1-48C6-8730-AD3D8A3DDD24} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AG ID: 2147655289 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
    26/06/2012 12:05:57, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
    25/06/2012 23:36:32, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AL&threatid=2147657180 Scan ID: {753289F4-4B4D-4631-9422-70AA44C5CD9A} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
    25/06/2012 21:17:48, error: FcsSas [10006] - Forefront Client Security State Assessment Service policy applied with errors. Reverted to the following settings: Schedule Type: Interval Time: 12 Parameter:
    25/06/2012 21:16:04, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    25/06/2012 21:13:01, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    25/06/2012 21:12:59, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    25/06/2012 21:12:48, error: Service Control Manager [7000] - The DameWare Mini Remote Control service failed to start due to the following error: The system cannot find the file specified.
    25/06/2012 21:12:45, error: NETLOGON [5719] - No Domain Controller is available for domain GBLOGISTICS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    25/06/2012 12:18:24, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
    25/06/2012 10:15:26, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    25/06/2012 10:15:26, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    25/06/2012 10:14:52, error: Service Control Manager [7022] - The Ad-Aware service hung on starting.
    .
    ==== End Of File ===========================
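The FCSAM entries in the "Event Viewer Messages" section above are the most telling part of the log: event 3006 with error 0x80508022 means Forefront found the threat, tried to remove it, and needs a reboot to finish, and the same threat name reappearing hours later under the same "Action: Remove" is what "it will be back in seconds" looks like from the event log. The following is an added example (not code from the thread or from Microsoft) showing how to pull those fields out of a DDS-style event dump and flag removals that are not sticking. The sample input is constructed from five of the lines above; the regular expressions, the function names and the "removal_failed" flag are this example's own assumptions about the log format, not anything the DDS tool documents.

```python
"""Triage helper: extract Forefront Client Security (FCSAM) detection events from a
DDS-style "Event Viewer Messages" dump and flag removals that keep failing.
Added example; regexes and field names are assumptions about the dump format."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: three FCSAM lines and two Service Control Manager lines
# copied from the log posted above. A real dump has more of both.
SAMPLE_EVENTS = r"""
26/06/2012 22:03:22, error: Service Control Manager [7034] - The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).
26/06/2012 15:54:09, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AL&threatid=2147657180 Scan ID: {AFF8A008-F831-4159-B2A0-7DC8BF7602BC} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
26/06/2012 13:31:20, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AG&threatid=2147655289 Scan ID: {03E6D61E-EEF1-48C6-8730-AD3D8A3DDD24} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AG ID: 2147655289 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
26/06/2012 12:05:57, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
25/06/2012 23:36:32, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AL&threatid=2147657180 Scan ID: {753289F4-4B4D-4631-9422-70AA44C5CD9A} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
"""

# One event per line: "dd/mm/yyyy hh:mm:ss, level: Source [id] - message"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# Key/value tail of an FCSAM message. "Path:" is empty in the posted lines, so the
# path group must be allowed to match nothing.
DETECTION_RE = re.compile(
    r"Name: (?P<name>\S+) ID: (?P<threat_id>\d+) Severity: (?P<severity>\w+) "
    r"Category: (?P<category>\w+) Path:\s*(?P<path>.*?)\s*Alert Type: .*?"
    r"Action: (?P<action>\w+) Error Code: (?P<code>0x[0-9A-Fa-f]+) "
    r"Error description: (?P<description>.*)$"
)


def parse_events(text):
    """Parse every recognisable event line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    # DDS prints newest first; restore chronological order for the timeline.
    return sorted(events, key=lambda e: e["ts"])


def detections(events):
    """Return the FCSAM detection records, oldest first."""
    out = []
    for ev in events:
        if ev["source"] != "FCSAM":
            continue
        d = DETECTION_RE.search(ev["message"])
        if not d:
            continue
        rec = d.groupdict()
        rec["ts"] = ev["ts"]
        rec["event_id"] = ev["event_id"]
        # Assumption for this example: event 3006 is "error when taking action",
        # i.e. the requested action (here Remove) did not complete.
        rec["removal_failed"] = ev["event_id"] == 3006
        out.append(rec)
    return out


def repeat_detections(dets):
    """Threats acted on more than once. A Remove that has to be repeated is the
    remediation not sticking, which is what a rootkit that restores itself at or
    before the next boot looks like from the event log."""
    seen = defaultdict(list)
    for d in dets:
        seen[d["name"]].append(d["ts"])
    return {name: stamps for name, stamps in seen.items() if len(stamps) > 1}


def triage(text):
    """One-shot summary suitable for a forum reply or a ticket note."""
    dets = detections(parse_events(text))
    return {
        "detections": len(dets),
        "failed_removals": sum(1 for d in dets if d["removal_failed"]),
        "error_codes": sorted({d["code"] for d in dets}),
        "repeated": sorted(repeat_detections(dets)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Run against the full log rather than the excerpt when triaging: a threat name that appears once with a non-zero error code is a pending reboot, but the same name recurring after a reboot, as Sirefef.AL does here, is the signal that the on-disk component was never removed and a clean reinstall is the safer path.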
  7. Frisian

    Frisian Newcomer, in training Topic Starter

    Update:

    When I open Internet Explorer, I have a screen with just "404 not found", which is correct; however, it also states nginx/0.6.32. This is new for me and looks nothing like the standard Internet Explorer page when no website is found.

    Furthermore, when I went to this site I got a message box pop up which just states "Thank you". The only thing I could do with it is click OK or close it with the X. I have kept it open till further notice. (I can't add it to my favorites.)
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Regarding your update
    From the many others who had the same problem, found in a Google search:
    Please follow this and remove the program.
    ==================================
    Regarding the malware:
    I am concerned about the system security- I was working on this last night when the power went out- I live in West Central Florida and there have been a lot of problems!

    1. Microsoft Forefront products protect computer networks and network servers (such as Microsoft Exchange Server and Microsoft SharePoint Server). While it can be used on individual systems, it is usually used to manage Client Security at the corporate level.
    2. Additional security includes:
    Sunbelt Personal Firewall NDIS
    Mcafee Virusscan Enterprise
    Ad-Aware Antivirus
    EMBASSY Security Center
    3. You have a Cisco VPN.
    4. There are 25 Domains in the Trusted Zone including: Exp:
    DePoelConsulting> "We help organisations optimise their relationship with recruitment agencies, saving money and adding value."
    SlikkPort/SkikllSoft> Learning management to "deploy online employee training for project management or IT."
    Imscan which "provides document management, workflow and financial processing solutions."
    5. There are several outdated programs running- all vulnerabilities:
    Adobe Acrobat 6.0 Standard
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.3.1
    Java(TM) 6 Update 29
    Java(TM) 7 Update 5
    6. Several drivers and executables that I can't identify.
    ============================================
    Although you state laptop is now for personal use, a large amount of work-related processes still remain on the system. My concern is:
    Sirefef/ZeroAccess Rootkit and other assorted Trojans got by all of your security.
    Is the server infected?
    Is the network infected?
    Has the malware gotten on your system from either of the above?
    If the malware got into your system alone, can you infect the server or the network?
    =============================================
    I can have you run Combofix which should remove additional entries and also allow me to see what processes remain:

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.

    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================
    Please leave the log in your next post for me to review.
    ===================================
    Beyond this: If you are now only using the system as a home PC and not for work, I recommend that you do a reformat and reinstall. That should clean up the system as well as allow you to only have the processes you are not using.
  9. Frisian

    Frisian Newcomer, in training Topic Starter

    To understand you well,

    1: Should I uninstall all out of date software?

    2: About infection from the company server or network: The only benefit with the VPN is that I'm able to see the company Intranet page at home. I'm not able to access any files on a server or shared computer. I used it for home office work. So I think this is highly unlikely; however, some of my direct colleagues did have similar problems and local IT departments first tried to solve it. The final solution was a new laptop because theirs was at end of life for the company because of its age. And it is the same case for mine now. I do want to take a couple of things from this laptop to the new one and I want to do this safely; that is why I want this laptop cleaned without formatting.

    The things I wanted from the laptop also worked without connecting with VPN, and if I did connect and went a week later on a business trip to another country, I first had to have a call to our service desk to get my e-mail and passwords reset before I could do anything. So in real life I hardly ever used it. Might this have caused these problems?

    3: I have deleted all sites from my trusted zone since I don't know any of them.

    4: Which drivers can't you identify? For example, KPN = a local phone company offering Internet dongles.

    5: McAfee should have been deleted in the past and I don't know Embassy Security.

    6: I'll proceed with Combofix
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, go ahead with Combofix. I will review what I have and make changes if needed.

    But I would like you to explain this please:
    It appears that there is quite a lot of processes on this system you weren't aware of. From a security-and practical-point of view, you should copy what you want to put on the other system, then either wipe this clean or reformat/reinstall.

    You and some colleagues are having some of the same problems. That ties in with my suggestions about the server/network connections, don't you think?

    Plus it sounds like the office IT doesn't have a solution.
  11. Frisian

    Frisian Newcomer, in training Topic Starter

    I understand what you mean. I'll inform my management of your suggestion. Although if it were 5 computers total, that was a lot already. The solution they offered is the same as yours: just format everything and then reinstall.

    I ran Combofix; however, after the reboot I'm still waiting for the log report. The window shows me:
    [Preparing Log Report. Do not run any programs until Combofix is finished]

    Your help in this case is very much appreciated!
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    If it's been over a few minutes since Combofix ran and the system has rebooted, see if the log is on the system> look for C:\ComboFix.txt

    It sounds like everyone who used this system contributed their own files and folders, but when it passed into the next hands, they stayed on the system. Maybe there were some uninstalls, but the 'left overs' weren't removed. Processes for all these security programs are running in addition to what appears to be the main security, Microsoft Forefront\Client Security
    Sunbelt Personal Firewall NDIS
    Mcafee Virusscan Enterprise
    Ad-Aware Antivirus
    EMBASSY Security Center
    When you have multiple antivirus programs and/or multiple firewalls, the system becomes more vulnerable, not less. These 'multiples' can also slow the system down.
    -----------------------------------------
    The most current Java v7u5 is on the system. But there is also an outdated version, Java(TM) 6 Update 29, which should be removed.

    These are the most current Adobe versions.
    As of December 2010, the current main members of the Adobe Acrobat family are:
    Adobe Reader X (10.1.2)
    Adobe Acrobat X (10.0.0)
    Adobe Acrobat X Standard
    Adobe Acrobat X Pro
    Adobe Acrobat X Suite
    All of yours are outdated and are vulnerabilities.
    --------------------------------------------
    I'll take a look at the Combofix log if you get it up.
    --------------------------------------------

    I stress again, the system needs to be wiped clean and the OS reinstalled. And if all 5 of the system were infected, the IT needs to find the source!
  13. Frisian

    Frisian Newcomer, in training Topic Starter

    Bobbye,

    Everything you told me so far has made me decide to give this issue fully in hands of someone who is trained to do this.

    I've asked a local company to back up my files and reinstall the total system. Since I don't have any of the actual software like Office and Windows, they will extract the registration keys (for Windows and Office) and reinstall the total system.

    I'd like to thank you very much for your help; without your comments I would probably only have had it disinfected and still be way too vulnerable to viruses.

    Thank you for your efforts! BTW, I could not find the Combofix log. According to IT, the source has been fake update pop-ups, through non-company websites.

    In my opinion help like this should be much more appreciated, how can I thank you for your dedicated assist/help?
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I think you have made a wise decision.

    I have this suggestion:
    Consider adding Process Monitor after you get back up and running. Make sure you know what is running- there was a lot of content you weren't aware of.

    If you are just making backups of files and folders you created, scan each to make sure you're not putting the malware back into the system. Don't have the tech back up any of the 'unknowns.'

    You have thanked me and you're welcome- it was my pleasure. And hopefully you are taking away some helpful suggestions to assist you in troubleshooting in the future.