Resolved Sirefef infection according to Microsoft Forefront


Frisian

Hi all,

I would really appreciate some help in resolving my issue.

According to Microsoft Forefront Security my computer is infected by a Sirefef Trojan. However, if I click solve/clean this problem, it will be back in seconds.

I'm running Microsoft Windows XP SP3, Microsoft Forefront security, Ad-aware spyware remove, Spybot search and destroy.

My computer has had an issue before and it was solved by our local IT department; however, I feel that it was never solved perfectly. I have the laptop now for personal use.

Please help.

Regards,

Frisian
 
Please tell me one very important answer:
Are you having any spontaneous issues- so that you cannot run scans?

>>>>>>>>>>IF your answer is No, go ahead with the following<<<<<<<<<<<<<

Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please leave the logs in your next reply.
 
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.26.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
VanZwolC :: GB002061 [administrator]
Protection: Enabled
26/06/2012 21:25:27
mbam-log-2012-06-26 (21-25-27).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 325494
Time elapsed: 34 minute(s), 51 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\vanzwolc\Local Settings\Application Data\{54050caa-e597-7ebc-2371-4a978e6b41f2}\n. -> Quarantined and deleted successfully.
Registry Data Items Detected: 5
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 7
C:\Documents and Settings\vanzwolc\Local Settings\Temp\pkg0u.exe (Trojan.Agent.TRGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\vanzwolc\Local Settings\Temp\E.tmp (Trojan.Ransom.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\vanzwolc\Local Settings\Application Data\rxpqhnduu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\n (Rootkit.0Access) -> Delete on reboot.
C:\WINDOWS\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{54050caa-e597-7ebc-2371-4a978e6b41f2}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\lendej\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
(end)


This is from Malwarebytes; however, GMER is giving a problem: Error 0xC00010E: cannot create a stable subkey under a volatile parent key
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-26 22:52:24
Windows 5.1.2600 Service Pack 3
Running: okvdfdcs.exe; Driver: C:\DOCUME~1\vanzwolc\LOCALS~1\Temp\kxlyqpog.sys

---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\3da21691-e39d-4da6-8a4b-b43877bcb1b7@FlushCacheFiles C:\WINDOWS\SoftwareDistribution\EventCache\{F0BF1A2E-80A3-42EC-92EA-CE5E8A5A35AD}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{D68C7E72-565F-4B42-8E63-E17A843A9003}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{EA27612D-D1C8-4D80-BC04-339CEA2F6B29}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{2B8F972B-A78A-4D12-8FAC-0AAFC26114C4}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{49EE455E-B085-42D9-9AD5-717AF7D4D26B}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{10B5FA8A-E15D-4BE8-A616-5AF92FAAEA14}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{C6506971-A26B-4790-9F74-63DF7AF5D404}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{AC0CCFD9-FFCE-465A-8E3A-A9A108701EB3}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{0A7C916D-F369-4584-B776-1BE7004C51B8}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{9180D5F6-E4C4-44E7-AA5C-B239B20D4F9F}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{E4D552CD-C49E-49CF-BB15-B0AF8444077A}.bin?C:\WINDOWS\SoftwareDistribution\EventCache\{802B53FC-BFE8-48FC-939F-CC9292CD4
---- EOF - GMER 1.0.15 ----
The GMER report; however, I could only select the boxes Service, Registry and Files, NOT System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries
 
DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by VanZwolC at 22:57:13 on 2012-06-26
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3539.2713 [GMT 2:00]
.
AV: Microsoft Forefront Client Security *Enabled/Outdated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled*
.
============== Running Processes ===============
.
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r190031\stacsv.exe
svchost.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BtTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Microsoft Internet Explorer provided by CEVA Logistics
uStart Page = hxxp://cevanet.logistics.corp/Pages/default.aspx
uDefault_Page_URL = hxxp://cevanet.logistics.corp/Pages/default.aspx
uInternet Settings,ProxyServer = proxy.gblogistics.co.uk:8080
uInternet Settings,ProxyOverride = hxxp://10.*;.edc.logistics.tnt;*.logistics.corp;*vpn.uk.cevalogistics.com;*.gblogistics.co.uk;*.eaglegl.com;http://13.62.*;citrixgateway.starbucks.net*;*.egl.corp;<local>[/url]
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk-rel/en/side.html?channel=uk
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DCPstrApp] c:\program files\dell\dell controlpoint\security manager\SecurityDeviceInfoSetRegistryString.exe
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [Wave Systems Corp.] c:\documents and settings\vanzwolc\application data\838B27.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: RunLogonScriptSync = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: btsmartnumbers1.com\www
Trusted Zone: depoelconsulting.com
Trusted Zone: imscan.co.uk\www
Trusted Zone: imscan.net\www
Trusted Zone: lsmgroup.com
Trusted Zone: masternaut.co.uk\www
Trusted Zone: skillport.com
Trusted Zone: skillport.com\eval
Trusted Zone: skillsoft.com
Trusted Zone: uklapp002
Trusted Zone: uklepo001
Trusted Zone: ukllms01
Trusted Zone: uklweb019
Trusted Zone: btsmartnumbers1.com\www
Trusted Zone: depoelconsulting.com
Trusted Zone: imscan.co.uk\www
Trusted Zone: imscan.net\www
Trusted Zone: lsmgroup.com
Trusted Zone: masternaut.co.uk\www
Trusted Zone: skillport.com
Trusted Zone: skillport.com\eval
Trusted Zone: skillsoft.com
Trusted Zone: uklapp002
Trusted Zone: uklepo001
Trusted Zone: ukllms01
Trusted Zone: uklweb019
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/canvasx.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.uk.cevalogistics.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227280743546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290280695277
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://vpn.uk.cevalogistics.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {8161DA4A-CF2C-4926-8D29-C3F138FA7FA1} - hxxp://eupdwswebb204.logistics.corp:84/jde/axctls/jdewebctls.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\vanzwolc\application data\mozilla\firefox\profiles\d2skqlez.default\
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\innova-engineering gmbh\3d-viewer-innoplus\npIno3DViewer.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-5-30 21240]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-5-30 335224]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2012-5-30 217976]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-5-3 1226096]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-11 1664248]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2008-7-1 110592]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-6-3 386328]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-8-18 455960]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2011-1-8 16896]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-26 654408]
R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-5-30 77816]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-9-9 69632]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-5-19 370872]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-11-8 108160]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-8 110080]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-26 22344]
R3 mdvdrv;Connectivity Driver;c:\windows\system32\drivers\mdvdrv.sys [2009-5-9 115200]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-2-2 71296]
R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-5-30 94584]
S1 ftdvqhes;ftdvqhes;\??\c:\windows\system32\drivers\ftdvqhes.sys --> c:\windows\system32\drivers\ftdvqhes.sys [?]
S1 kxudcocj;kxudcocj;\??\c:\windows\system32\drivers\kxudcocj.sys --> c:\windows\system32\drivers\kxudcocj.sys [?]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-10-26 101112]
S2 AMService;AMService;c:\windows\system32\xotmksushimhgcdutwmuxt.exe run --> c:\windows\system32\xotmksushimhgcdutwmuxt.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-6 136176]
S2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2011-12-19 3289032]
S3 3y4n.sys;3y4n.sys;\??\c:\windows\system32\drivers\3y4n.sys --> c:\windows\system32\drivers\3y4n.sys [?]
S3 7hblk.sys;7hblk.sys;\??\c:\windows\system32\drivers\7hblk.sys --> c:\windows\system32\drivers\7hblk.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 253600]
S3 g7zqafssd.sys;g7zqafssd.sys;\??\c:\windows\system32\drivers\g7zqafssd.sys --> c:\windows\system32\drivers\g7zqafssd.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-6 136176]
S3 ipz4nzupj.sys;ipz4nzupj.sys;\??\c:\windows\system32\drivers\ipz4nzupj.sys --> c:\windows\system32\drivers\ipz4nzupj.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-19 113120]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-5-30 94584]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-5-30 93816]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-26 19:24:03 -------- d-----w- c:\documents and settings\vanzwolc\application data\Malwarebytes
2012-06-26 19:23:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-26 19:23:41 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-26 19:23:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-21 16:57:10 42960 ----a-w- c:\windows\system32\drivers\zhmrneja.sys
2012-06-19 07:37:27 -------- d-----w- c:\documents and settings\vanzwolc\local settings\application data\Sun
2012-06-18 23:44:08 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKslfe13365c.sys
2012-06-18 23:41:23 -------- d-----w- c:\program files\Oracle
2012-06-18 23:41:08 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-18 23:31:20 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-06-18 23:31:12 113120 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-06-18 23:31:11 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-18 23:31:11 157608 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-06-18 23:31:10 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-18 10:10:51 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKsl87181a9e.sys
2012-06-15 08:32:22 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKsl2c38377c.sys
2012-06-05 23:49:39 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\MpKsl7ca41a22.sys
2012-06-04 15:59:29 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{ea641888-9bf1-44e0-9298-063b6fb40f00}\mpengine.dll
2012-06-04 13:02:34 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-04 13:02:34 3072 ------w- c:\windows\system32\iacenc.dll
2012-05-30 15:05:04 -------- d-----w- c:\documents and settings\vanzwolc\local settings\application data\adaware
2012-05-30 15:04:36 93816 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-05-30 15:04:36 77816 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2012-05-30 15:04:36 21240 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2012-05-30 15:04:35 217976 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-05-30 15:04:10 94584 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-05-30 15:04:10 335224 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-05-30 15:04:01 -------- d-----w- c:\windows\system32\drivers\VDD
2012-05-30 15:03:54 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-05-30 15:01:02 -------- d-----w- c:\documents and settings\vanzwolc\local settings\application data\adawarebp
2012-05-30 15:00:56 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2012-05-30 15:00:45 -------- d-----w- c:\program files\Toolbar Cleaner
2012-05-30 15:00:23 -------- d-----w- c:\documents and settings\vanzwolc\application data\adawaretb
2012-05-30 15:00:21 -------- d-----w- c:\program files\adawaretb
2012-05-30 14:59:13 -------- d-----w- c:\documents and settings\vanzwolc\application data\Ad-Aware Antivirus
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-04 17:29:50 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 17:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-05 16:57:20 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-05 16:57:20 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 23:04:56.70 ===============
 
ATTACH.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 17/11/2008 13:12:18
System Uptime: 26/06/2012 22:04:01 (1 hours ago)
.
Motherboard: Dell Inc. | | 0DW634
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 23.294 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0000
Service: vpnva
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
32 Bit HP CIO Components Installer
3D-Viewer-innoPlus
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Ad-Aware Security Toolbar
Adobe Acrobat 6.0 Standard - English, Français, Deutsch
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 8.3.1
Adobe Shockwave Player 11.5
All Day Battery Life Configuration
AuthenTec Fingerprint System
BioAPI Framework
biolsp patch
BlackBerry Desktop Software 6.0
Broadcom Management Programs
Broadcom TPM Driver Installer
BTOffer
BufferChm
Cisco AnyConnect VPN Client
Citrix Presentation Server Client
Compatibility Pack for the 2007 Office system
Copy
CustomerResearchQFolder
Dell Control Point
Dell ControlPoint Connection Manager
Dell ControlPoint Security Manager
Dell ControlPoint System Manager
Dell Embassy Trust Suite by Wave Systems
Dell Security Device Driver Pack
Dell Touchpad
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DJ_AIO_03_F4200_ProductContext
DJ_AIO_03_F4200_Software
DJ_AIO_03_F4200_Software_Min
Document Manager Lite
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
eSupportQFolder
F4200
F4200_Help
Gemalto
Google Update Helper
GPBaseService
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
Hotfix for Windows XP (KB2633952)
HP Customer Participation Program 10.0
HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Photosmart Essential 3.5
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
Huawei modem
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless WiFi Software
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 29
Java(TM) 7 Update 5
JavaFX 2.1.1
KPN Mobiel Internet Dashboard
Malwarebytes Anti-Malware version 1.61.0.1400
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Forefront Client Security Antimalware Service
Microsoft Forefront Client Security State Assessment Service
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access Runtime (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Operations Manager 2005 Agent
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 13.0.1 (x86 en-GB)
Mozilla Maintenance Service
MSVC80_x86
MSVCRT
MSVCSetup
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nokia Connectivity Cable Driver
Nokia Multimedia Common Components 2.4
NTRU TCG Software Stack
OGA Notifier 2.0.0048.0
PowerDVD
Preboot Manager
Private Information Manager
PSSWCORE
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Scan
Secure Update
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB953838)
Security Wizards
Segoe UI
SmartWebPrinting
Snapshot Viewer
SolutionCenter
Sonic CinePlayer Decoder Pack
Spybot - Search & Destroy
Status
TomTom HOME 2.7.4.1962
TomTom HOME Visual Studio Merge Modules
Toolbox
TrayApp
Trusted Drive Manager
tsp patch
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2598290) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951978)
UPEK TouchChip Fingerprint Reader
VideoToolkit01
Wave Infrastructure Installer
Wave Support Software
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Windows Driver Package - Dell Inc. PBADRV System (01/07/2008 1.0.1.5)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live - Hulpprogramma voor uploaden
Windows Live aanmeldhulp
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
26/06/2012 22:03:22, error: Service Control Manager [7034] - The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).
26/06/2012 22:03:22, error: Service Control Manager [7034] - The Dell ControlPoint Button Service service terminated unexpectedly. It has done this 1 time(s).
26/06/2012 15:54:09, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AL&threatid=2147657180 Scan ID: {AFF8A008-F831-4159-B2A0-7DC8BF7602BC} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
26/06/2012 13:31:20, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AG&threatid=2147655289 Scan ID: {03E6D61E-EEF1-48C6-8730-AD3D8A3DDD24} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AG ID: 2147655289 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
26/06/2012 12:05:57, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
25/06/2012 23:36:32, error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AL&threatid=2147657180 Scan ID: {753289F4-4B4D-4631-9422-70AA44C5CD9A} User: LOGISTICS\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
25/06/2012 21:17:48, error: FcsSas [10006] - Forefront Client Security State Assessment Service policy applied with errors. Reverted to the following settings: Schedule Type: Interval Time: 12 Parameter:
25/06/2012 21:16:04, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
25/06/2012 21:13:01, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
25/06/2012 21:12:59, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
25/06/2012 21:12:48, error: Service Control Manager [7000] - The DameWare Mini Remote Control service failed to start due to the following error: The system cannot find the file specified.
25/06/2012 21:12:45, error: NETLOGON [5719] - No Domain Controller is available for domain GBLOGISTICS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
25/06/2012 12:18:24, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
25/06/2012 10:15:26, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
25/06/2012 10:15:26, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
25/06/2012 10:14:52, error: Service Control Manager [7022] - The Ad-Aware service hung on starting.
.
==== End Of File ===========================
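The FCSAM 3006 entries in the log above all end in Error Code 0x80508022 ("restart the computer to finish removing"), and the same threat name reappears the next day: that is the event-log footprint of the "it will be back in seconds" symptom. As an added example (not from the thread, not a Microsoft or DDS tool), this Python script parses event lines in the DDS "Event Viewer Messages" layout, groups Forefront detections by threat name and flags a threat that is re-detected with an incomplete removal inside a time window; the sample lines are constructed to mirror the log's format, with shortened scan IDs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the DDS layout "dd/mm/yyyy hh:mm:ss, level: Source [EventID] - message".
# Timestamps, threat names and the error code mirror the thread's log; scan IDs are shortened.
SAMPLE_EVENTS = """\
26/06/2012 22:03:22, error: Service Control Manager [7034] - The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).
26/06/2012 15:54:09, error: FCSAM [3006] - Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.AL&threatid=2147657180 Scan ID: {AFF8A008} User: LOGISTICS\\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
26/06/2012 13:31:20, error: FCSAM [3006] - Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. Scan ID: {03E6D61E} User: LOGISTICS\\VanZwolC Name: Trojan:Win32/Sirefef.AG ID: 2147655289 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
25/06/2012 23:36:32, error: FCSAM [3006] - Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. Scan ID: {753289F4} User: LOGISTICS\\VanZwolC Name: Trojan:Win32/Sirefef.AL ID: 2147657180 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
25/06/2012 21:12:48, error: Service Control Manager [7000] - The DameWare Mini Remote Control service failed to start due to the following error: The system cannot find the file specified.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# Key/value pairs Forefront writes into the 3006 message body. The lookbehind
# skips "Scan ID:" so that "ID:" yields the threat ID, not the scan GUID.
FIELD_RE = re.compile(r"(?<!Scan )\b(Name|ID|Severity|Category|Action|Error Code): (\S+)")


def parse_events(text):
    """Return one dict per recognised event line, oldest first (DDS lists newest first)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an event line; ignore
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        ev["event_id"] = int(ev["event_id"])
        ev["fields"] = dict(FIELD_RE.findall(ev["message"]))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def triage_forefront(text, window_hours=48):
    """Group FCSAM detections by threat name and flag a threat as 'persistent' when it
    is reported at least twice inside the window and at least one removal did not
    complete (any Error Code other than 0x0, e.g. 0x80508022 = reboot required)."""
    per_threat = defaultdict(list)
    for ev in parse_events(text):
        if ev["source"] == "FCSAM" and "Name" in ev["fields"]:
            per_threat[ev["fields"]["Name"]].append(ev)
    findings = {}
    for name, evs in per_threat.items():
        incomplete = [e for e in evs if e["fields"].get("Error Code", "0x0") != "0x0"]
        span_hours = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 3600
        findings[name] = {
            "detections": len(evs),
            "incomplete_removals": len(incomplete),
            "error_codes": sorted({e["fields"]["Error Code"] for e in incomplete}),
            "persistent": len(evs) >= 2 and span_hours <= window_hours and bool(incomplete),
        }
    return findings


if __name__ == "__main__":
    for threat, info in triage_forefront(SAMPLE_EVENTS).items():
        flag = "PERSISTENT" if info["persistent"] else "single"
        print(f"{threat}: {info['detections']} detection(s), "
              f"{info['incomplete_removals']} incomplete removal(s) {info['error_codes']} -> {flag}")
```

A threat flagged as persistent after the reboot the error text asks for is a sign the on-access scanner is only catching a component that something still on disk keeps restoring, which is why the helper below moves on to a second-opinion tool rather than repeating the clean action.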
 
Update:

When I open Internet Explorer, I have a screen with just "404 not found", which is correct; however, it also states nginx/0.6.32. This is new for me and looks nothing like the standard Internet Explorer page for when no website is found.

Furthermore, when I went to this site I got a message box pop-up which just states "Thank you." The only thing I could do with it is click OK or close it with the X. I have kept it open till further notice. (I can't add it to my favorites.)
 
Regarding your update
From the many other who had the same problem found in a Google search:
I discovered Panda anti-phishing program had been inadvertently installed. I went to Add or Remove Programs and uninstalled it. Problem was resolved.
Please follow this and remove the program.
==================================
Regarding the malware:
I am concerned about the system security- I was working on this last night when the power went out- I live in West Central Florida and there have been a lot of problems!

1. Microsoft Forefront products protect computer networks and network servers (such as Microsoft Exchange Server and Microsoft SharePoint Server). While it can be used on individual systems, it is usually used to manage Client Security at the corporate level.
2. Additional security includes:
Sunbelt Personal Firewall NDIS
Mcafee Virusscan Enterprise
Ad-Aware Antivirus
EMBASSY Security Center
3. You have a Cisco VPN.
4. There are 25 Domains in the Trusted Zone including: Exp:
DePoelConsulting> "We help organisations optimise their relationship with recruitment agencies, saving money and adding value."
SkillPort/SkillSoft> Learning management to "deploy online employee training for project management or IT."
Imscan which "provides document management, workflow and financial processing solutions."
5. There are several outdated programs running- all vulnerabilities:
Adobe Acrobat 6.0 Standard
Adobe Flash Player 10 Plugin
Adobe Reader 8.3.1
Java(TM) 6 Update 29
Java(TM) 7 Update 5
6. Several drivers and executables that I can't identify.
============================================
My computer has had an issue before and was solved by our local IT department, however I feel that is was never solved perfectly. I have the laptop now for personal use.
Although you state laptop is now for personal use, a large amount of work-related processes still remain on the system. My concern is:
Sirefef/ZeroAccess Rootkit and other assorted Trojans got by all of your security.
Is the server infected?
Is the network infected?
Has the malware gotten on your system from either of the above?
If the malware got into your system alone. can you infect the server or the network?
=============================================
I can have you run Combofix which should remove additional entries and also allow me to see what processes remain:

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in your next reply.

Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
====================================
Please leave the log in your next post for me to review.
===================================
Beyond this: If you are now only using the system as a home PC and not work, I recommend that you do a reformat and reinstall. That should clean up the system as well as allow you to only have the processes you are not using.
 
To understand you well,

1: Should I uninstall all out of date software?

2: About infection from the company server or network: The only benefit with the VPN is that I'm able to see the company Intranet page at home. I'm not able to access any files at a server or shared computer. I used it for home office work. So I think this is highly unlikely; however, some of my direct colleagues did have similar problems and local IT departments first tried to solve it. The final solution was a new laptop because theirs was at end of life for the company because of its age. And it is the same case for mine now. I do want to take a couple of things from this laptop to the new one and I want to do this safely, that is why I want this laptop cleaned without formatting.

The things I wanted from the laptop also worked without connecting with VPN and if I did connect and went a week later on a business trip to another country I first had to have a call to our service desk to get my e-mail and passwords reset before I could do anything. So in real life I hardly ever used it. Might this have caused these problems?

3: I have deleted all sites from my trusted zone since I don't know any of them.

4: Which drivers can't you identify? for Ex. KPN= a local phone company offering Internet Dongles

5: McAfee should have been deleted in the past and I don't know Embassy Security

6: I'll proceed with Combofix
 
Okay, go ahead with Combofix. I will review what I have and make changes if needed.

But I would like you to explain this please:
The final solution was a new laptop because theirs was at end of life for the company because of its age. And it is the same case for mine now. I do want to take a couple of things from this laptop to the new one and I want to do this safely, that is why I want this laptop cleaned without formatting.

It appears that there are quite a lot of processes on this system you weren't aware of. From a security and practical point of view, you should copy what you want to put on the other system, then either wipe this clean or reformat/reinstall.

You and some colleagues are having some of the same problems. That ties in with my suggestions about the server/network connections, don't you think?

Plus it sounds like the office IT doesn't have a solution.
 
I understand what you mean. I'll inform my management of your suggestion. Although if it were 5 computers total, that was a lot already. The solution they offered is the same as yours: just format everything and then reinstall.

I ran Combofix; however, after the reboot I'm still waiting for the log report. The window shows me:
[Preparing Log Report. Do not run any programs until Combofix is finished]

Your help in this case is very much appreciated!
 
If it's been over a few minutes since Combofix ran and the system has rebooted, see if the log is on the system> look for C:\ComboFix.txt

It sounds like everyone who used this system contributed their own files and folders, but when it passed into the next hands, they stayed on the system. Maybe there were some uninstalls, but the 'left overs' weren't removed. Processes for all these security programs are running in addition to what appears to be the main security, Microsoft Forefront\Client Security
Sunbelt Personal Firewall NDIS
Mcafee Virusscan Enterprise
Ad-Aware Antivirus
EMBASSY Security Center
When you have multiple antivirus programs and/or multiple firewalls, the system becomes more vulnerable, not less. These 'multiples' can also slow the system down.
-----------------------------------------
The most current Java v7u5 is on the system. But there is also an outdated version, Java(TM) 6 Update 29, which should be removed.

These are the most current Adobe versions.
As of December 2010, the current main members of the Adobe Acrobat family are:
Adobe Reader X (10.1.2)
Adobe Acrobat X (10.0.0)
Adobe Acrobat X Standard
Adobe Acrobat X Pro
Adobe Acrobat X Suite
All of yours are outdated and are vulnerabilities.
--------------------------------------------
I'll take a look at the Combofix log if you get it up.
--------------------------------------------

I stress again, the system needs to be wiped clean and the OS reinstalled. And if all 5 of the system were infected, the IT needs to find the source!
 
Bobbye,

Everything you told me so far has made me decide to put this issue fully into the hands of someone who is trained to do this.

I've asked a local company to back up my files and reinstall the total system. Since I don't have any of the actual software like Office and Windows, they will extract the registration keys (for Windows and Office) and reinstall the total system.

I'd like to thank you very much for your help; without your comments I would probably only have had it disinfected and still be way too vulnerable to viruses.

Thank you for your efforts! BTW, I could not find the Combofix log. According to IT, the source has been fake-update pop-ups through non-company websites.

In my opinion help like this should be much more appreciated, how can I thank you for your dedicated assist/help?
 
I think you have made a wise decision.

I have this suggestion:
Consider adding Process Monitor after you get back up and running. Make sure you know what is running- there was a lot of content you weren't aware of.

If you are just making backups of files and folders you created, scan each to make sure you're not putting the malware back into the system. Don't have the tech back up any of the 'unknowns.'

You have thanked me and you're welcome- it was my pleasure. And hopefully you are taking away some helpful suggestions to assist you in troubleshooting in the future.
 