win32/Sirefef.AC infection


Hi - my laptop has been infected with the Sirefef virus. MSE is repeatedly reporting the issue and although I am requesting removal each time it still reappears.

I have run a quick scan with the Malwarebytes' Anti-Malware product, which appeared to run cleanly, reporting no errors. However, MSE has reported the Sirefef virus again since the scan was run.

DDS and Attach logs below. All help is much appreciated. Thanks

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7600.16385

Run by STEVE at 14:03:38 on 2012-04-10

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3002.1583 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\IBM\Lotus\Notes\nsd.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\lxdrcoms.exe

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Napster\napster.exe

C:\Program Files\Lexmark 4900 Series\lxdrmon.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Lexmark 4900 Series\lxdrMsdMon.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe

C:\Users\STEVE\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\notepad.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyServer = 127.0.0.1:8080

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [iSUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler

uRun: [Google Update] "c:\users\steve\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s

mRun: [Acer ePower Management] c:\program files\acer\acer powersmart manager\ePowerTrayLauncher.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [NapsterShell] c:\program files\napster\napster.exe /systray

mRun: [lxdrmon.exe] "c:\program files\lexmark 4900 series\lxdrmon.exe"

mRun: [lxdramon] "c:\program files\lexmark 4900 series\lxdramon.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\users\steve\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\steve\appdata\roaming\dropbox\bin\Dropbox.exe

StartupFolder: c:\users\steve\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: rbs.com

Trusted Zone: rbsgrp.net

DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - c:\users\steve\appdata\local\temp\f5tmp\urxvpn.cab

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - c:\users\steve\appdata\local\temp\f5tmp\f5tunsrv.cab

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\users\steve\appdata\local\temp\ixp000.tmp\InstallerControl.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.3.cab

DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - c:\users\steve\appdata\local\temp\f5tmp\f5opswati.cab

DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - c:\users\steve\appdata\local\temp\f5tmp\f5InspectionHost.cab

DPF: {6CE31B8D-8340-4DBD-B78E-BF59620924DC} - hxxp://www.quest3d.com/webplugin/download/quest3dactivex2.cab

DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - c:\users\steve\appdata\local\temp\f5tmp\vdeskctrl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - c:\users\steve\appdata\local\temp\f5tmp\urxshost.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://informatica.webex.com/client/T27L10NSP11EP5/webex/ieatgpc1.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - c:\users\steve\appdata\local\temp\f5tmp\urxhost.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - c:\users\steve\appdata\local\temp\f5tmp\f5syschk.cab

DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - c:\users\steve\appdata\local\temp\f5tmp\f5opswati.cab

TCP: DhcpNameServer = 62.24.243.1 62.24.202.6

TCP: Interfaces\{6F91AF8A-B103-49C4-B4BF-8384BF26FDAF} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{B3F4E8F4-8741-4A79-9EC8-D134C40951D8} : DhcpNameServer = 62.24.243.1 62.24.202.6

TCP: Interfaces\{B3F4E8F4-8741-4A79-9EC8-D134C40951D8}\245624F68763031303 : DhcpNameServer = 87.194.255.154

TCP: Interfaces\{B3F4E8F4-8741-4A79-9EC8-D134C40951D8}\2456C6B696E6F5E413F575962756C6563737F5442403236444 : DhcpNameServer = 192.168.2.1 192.168.2.1 194.168.4.100 194.168.8.100

TCP: Interfaces\{B3F4E8F4-8741-4A79-9EC8-D134C40951D8}\65F6461666F6E656D4F62696C65675966496D2547334138303 : DhcpNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{B3F4E8F4-8741-4A79-9EC8-D134C40951D8}\75946494F5252435F57457563747 : DhcpNameServer = 213.75.63.36 213.75.63.70

TCP: Interfaces\{B3F4E8F4-8741-4A79-9EC8-D134C40951D8}\D6164686F6573756 : DhcpNameServer = 192.168.0.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-2-8 172032]

R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer powersmart manager\ePowerSvc.exe [2010-1-21 703008]

R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2008-12-6 3315080]

R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-10 654408]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-2-8 5174272]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-2-8 110080]

R3 intelkmd;intelkmd;c:\windows\system32\drivers\igdpmd32.sys [2010-2-8 5946368]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-6-10 50688]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-10 22344]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-4-10 40776]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpnwlh.sys [2010-6-17 34936]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdrserv.exe [2010-3-4 94208]

S2 vetmonnt;Rksample;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]

S2 webrootadminconsole;WcesComm;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 253600]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2011-10-4 13944]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-12-27 31124344]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 43392]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]

.

=============== Created Last 30 ================

.

2012-04-10 12:40:42 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-04-10 12:40:42 -------- d-----w- c:\users\steve\appdata\roaming\Malwarebytes

2012-04-10 12:40:29 -------- d-----w- c:\programdata\Malwarebytes

2012-04-10 12:40:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-10 12:40:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-10 12:34:23 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a712b43-9492-4cb2-9905-c2817e949a46}\offreg.dll

2012-04-09 21:50:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-04-09 21:50:53 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-04-09 21:28:07 -------- d-----w- c:\users\steve\appdata\local\Sonos,_Inc

2012-04-09 21:25:04 -------- d-----w- c:\programdata\Sonos,_Inc

2012-04-09 20:59:33 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-09 20:59:28 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-04-09 16:55:11 -------- d-----w- c:\windows\Downloaded Installations

2012-04-09 15:00:24 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2012-04-09 15:00:24 49472 ----a-w- c:\windows\system32\netfxperf.dll

2012-04-09 15:00:24 297808 ----a-w- c:\windows\system32\mscoree.dll

2012-04-09 15:00:24 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2012-04-09 15:00:23 1130824 ----a-w- c:\windows\system32\dfshim.dll

2012-04-09 14:36:02 6582328 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a712b43-9492-4cb2-9905-c2817e949a46}\mpengine.dll

2012-03-29 22:00:27 -------- d-----w- c:\programdata\Windows

2012-03-27 07:18:04 -------- d-----w- c:\users\steve\appdata\local\{F48C5AEF-583F-4DBB-969F-AAA469DF996B}

2012-03-27 07:17:53 -------- d-----w- c:\users\steve\appdata\local\{26DC1025-391B-43F5-8B2F-FA5D412A8F8F}

.

==================== Find3M ====================

.

2012-04-09 20:59:33 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 14:05:06.57 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume2

Install Date: 11/01/2010 21:37:27

System Uptime: 10/04/2012 13:33:39 (1 hours ago)

.

Motherboard: Acer | | Aspire 5810T

Processor: Intel® Core2 Duo CPU U9400 @ 1.40GHz | CPU | 1401/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 456 GiB total, 256.85 GiB free.

D: is CDROM (CDFS)

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP477: 19/02/2012 01:48:11 - Windows Update

RP478: 22/02/2012 08:54:32 - Windows Update

RP479: 24/02/2012 17:43:55 - Windows Update

RP480: 25/02/2012 21:20:23 - Windows Update

RP481: 27/02/2012 08:38:53 - Windows Update

RP482: 28/02/2012 10:28:27 - Windows Update

RP483: 28/02/2012 18:31:21 - Windows Update

RP484: 01/03/2012 07:52:16 - Windows Update

RP485: 02/03/2012 08:03:24 - Windows Update

RP486: 03/03/2012 18:17:25 - Windows Update

RP487: 04/03/2012 20:34:54 - Windows Update

RP488: 05/03/2012 08:28:19 - Installed Google SketchUp 8

RP489: 05/03/2012 21:04:00 - Windows Update

RP490: 07/03/2012 07:48:43 - Windows Update

RP491: 09/03/2012 09:10:37 - Windows Update

RP492: 12/03/2012 10:20:14 - Windows Update

RP493: 13/03/2012 11:21:17 - Windows Update

RP494: 15/03/2012 07:35:12 - Windows Update

RP495: 16/03/2012 10:10:33 - Windows Update

RP496: 17/03/2012 22:29:15 - Windows Update

RP497: 19/03/2012 08:40:05 - Windows Update

RP498: 21/03/2012 13:39:47 - Windows Update

RP499: 22/03/2012 21:24:19 - Windows Update

RP500: 23/03/2012 18:13:05 - Windows Update

RP501: 24/03/2012 21:37:06 - Windows Update

RP502: 26/03/2012 08:53:39 - Windows Update

RP503: 27/03/2012 12:44:37 - Windows Update

RP504: 27/03/2012 18:13:13 - Windows Update

RP505: 30/03/2012 08:47:57 - Windows Update

RP506: 31/03/2012 21:03:48 - Windows Update

RP507: 02/04/2012 09:20:50 - Windows Update

RP508: 06/04/2012 16:09:43 - Windows Update

RP510: 09/04/2012 11:52:57 - Windows Update

RP511: 09/04/2012 15:59:32 - Windows Update

RP512: 09/04/2012 22:25:40 - Installed Sonos Controller.

RP514: 09/04/2012 22:43:11 - ARO 2012 - Before Installation

RP516: 09/04/2012 22:44:06 - ARO 2012 - FIRST RUN

.

==== Installed Programs ======================

.

2007 Microsoft Office Suite Service Pack 2 (SP2)

Acer PowerSmart Manager

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.4.6

Amazon Kindle

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI AVIVO Codecs

ATI Catalyst Install Manager

Bonjour

Brother MFL-Pro Suite MFC-J6510DW

BulkSMS Community Messenger

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Cisco Network Magic

Citrix online plug-in - web

Citrix online plug-in (DV)

Citrix online plug-in (HDX)

Citrix online plug-in (USB)

Citrix online plug-in (Web)

CutePDF Writer 2.8

D3DX10

Dropbox

FreeMind

Google Chrome

Google SketchUp 8

HOWZAT!

iCloud

iTunes

Java Auto Updater

Java 6 Update 29

Lexmark 4900 Series

Lexmark Printable Web

Lexmark Tools for Office

Lotus Notes 8.5 (Basic)

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft .NET Framework 4 Client Profile

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Project 2007 Service Pack 2 (SP2)

Microsoft Office Project MUI (English) 2007

Microsoft Office Project Professional 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2007

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Visio 2007 Service Pack 2 (SP2)

Microsoft Office Visio MUI (English) 2007

Microsoft Office Visio Professional 2007

Microsoft Office Word MUI (English) 2010

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

MobileMe Control Panel

MSVCRT

Napster

Napster Burn Engine

Network Magic

Pure Networks Platform

PX Profile Update

QuickTime

Realtek High Definition Audio Driver

Remote Mouse version 1.09

Safari

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Skype Toolbars

Skype™ 4.2

Sonos Controller

Spotify

Synaptics Pointing Device Driver

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Project 2007 Help (KB963668)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Visio 2007 Help (KB963666)

VirtualCloneDrive

Vodafone Mobile Connect Lite

WebEx

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Media Player Firefox Plugin

.

==== Event Viewer Messages From Past Week ========

.

10/04/2012 14:00:06, Error: Service Control Manager [7023] - The Dklogger service terminated with the following error: Access is denied.

10/04/2012 13:45:06, Error: Service Control Manager [7023] - The Rksample service terminated with the following error: Access is denied.

10/04/2012 13:44:06, Error: Service Control Manager [7023] - The Vsbus service terminated with the following error: Access is denied.

10/04/2012 13:35:56, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.

10/04/2012 13:35:36, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

10/04/2012 13:35:07, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

10/04/2012 13:34:36, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.

10/04/2012 13:34:27, Error: Service Control Manager [7023] - The Slave service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:24, Error: Service Control Manager [7023] - The WcesComm service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:24, Error: Service Control Manager [7023] - The Symappcore service terminated with the following error: Access is denied.

10/04/2012 13:34:24, Error: Service Control Manager [7023] - The Si3132r5 service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:24, Error: Service Control Manager [7023] - The NMSAccessU service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:24, Error: Service Control Manager [7023] - The CTMSHD service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:24, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxdrCATSCustConnectService service to connect.

10/04/2012 13:34:24, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

10/04/2012 13:34:24, Error: Service Control Manager [7000] - The lxdrCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The Tsscoreservice service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The Thinkpadmodemservice service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The Srservice service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The Se58nd5 service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The NxFsMon service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The Nvstor64 service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The Iksyssec service terminated with the following error: The specified module could not be found.

10/04/2012 13:34:19, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

10/04/2012 13:34:19, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

10/04/2012 13:15:36, Error: Service Control Manager [7023] - The Tsscoreservice service terminated with the following error: Access is denied.

10/04/2012 08:56:15, Error: Service Control Manager [7023] - The Iksyssec service terminated with the following error: Access is denied.

10/04/2012 08:41:16, Error: Service Control Manager [7023] - The Lxcf_device service terminated with the following error: Access is denied.

10/04/2012 08:26:15, Error: Service Control Manager [7023] - The Thinkpadmodemservice service terminated with the following error: Access is denied.

09/04/2012 23:30:29, Error: Service Control Manager [7023] - The Se58nd5 service terminated with the following error: Access is denied.

09/04/2012 23:15:29, Error: Service Control Manager [7023] - The Si3132r5 service terminated with the following error: Access is denied.

09/04/2012 23:11:30, Error: Service Control Manager [7023] - The NMSAccessU service terminated with the following error: Access is denied.

09/04/2012 23:00:29, Error: Service Control Manager [7023] - The Srservice service terminated with the following error: Access is denied.

09/04/2012 22:45:29, Error: Service Control Manager [7023] - The NxFsMon service terminated with the following error: Access is denied.

09/04/2012 22:36:30, Error: Service Control Manager [7023] - The Slave service terminated with the following error: Access is denied.

09/04/2012 22:30:29, Error: Service Control Manager [7023] - The WcesComm service terminated with the following error: Access is denied.

09/04/2012 22:15:29, Error: Service Control Manager [7023] - The Nvstor64 service terminated with the following error: Access is denied.

09/04/2012 22:00:29, Error: Service Control Manager [7023] - The Wmdmpmsp service terminated with the following error: Access is denied.

09/04/2012 21:59:29, Error: Service Control Manager [7023] - The CTMSHD service terminated with the following error: Access is denied.

07/04/2012 21:22:21, Error: volsnap [67] - The shadow copy of volume C: being created failed to install.

04/04/2012 13:23:31, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.894.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

04/04/2012 13:05:43, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.

04/04/2012 08:37:02, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{4289FDDE-2EB0-41B2-8EFD-A6CCAAC137A9} because another computer on the network has the same name. The server could not start.

03/04/2012 11:07:19, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.123.894.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8202.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

.

==== End Of File ===========================
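The event-log excerpt above shows the same Service Control Manager event (7023, "Access is denied") hitting a long list of unrelated services within about an hour, which is the kind of pattern a triager wants surfaced rather than read line by line. The following is an added example, not part of this thread and not code from DDS or any of the tools mentioned: a small parser for the DDS event-log line format, with a heuristic that flags when several distinct services stop with an access-denied error inside one time window. The sample input is a subset of the lines quoted above; the date format (DD/MM/YYYY, as DDS printed it for this locale), the one-hour window and the threshold of three services are assumptions chosen for the example.

```python
# Added example (not from the thread, DDS, or any tool named in it):
# parse DDS "Event log" lines and surface clusters of SCM 7023 "Access is denied" events.
import re
from datetime import datetime, timedelta

# Sample input: a subset of the DDS event lines quoted in the thread above.
SAMPLE_LOG = """\
09/04/2012 23:30:29, Error: Service Control Manager [7023] - The Se58nd5 service terminated with the following error: Access is denied.
09/04/2012 23:15:29, Error: Service Control Manager [7023] - The Si3132r5 service terminated with the following error: Access is denied.
09/04/2012 23:11:30, Error: Service Control Manager [7023] - The NMSAccessU service terminated with the following error: Access is denied.
09/04/2012 23:00:29, Error: Service Control Manager [7023] - The Srservice service terminated with the following error: Access is denied.
09/04/2012 22:45:29, Error: Service Control Manager [7023] - The NxFsMon service terminated with the following error: Access is denied.
09/04/2012 22:36:30, Error: Service Control Manager [7023] - The Slave service terminated with the following error: Access is denied.
09/04/2012 22:30:29, Error: Service Control Manager [7023] - The WcesComm service terminated with the following error: Access is denied.
07/04/2012 21:22:21, Error: volsnap [67] - The shadow copy of volume C: being created failed to install.
04/04/2012 13:05:43, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
"""

# One DDS event line: "<timestamp>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# Message body of an SCM event 7023.
SCM_7023_RE = re.compile(
    r"^The (?P<service>\S+) service terminated with the following error: (?P<error>.+?)\.?$"
)


def parse_dds_events(text):
    """Parse DDS event-log lines into dicts with a datetime, int event id, source and message.
    Assumes the DD/MM/YYYY date order seen in this report (GMT+1 locale)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and DDS "." separators are skipped
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        ev["event_id"] = int(ev["event_id"])
        ev["source"] = ev["source"].strip()
        events.append(ev)
    return events


def access_denied_services(events, window=timedelta(hours=1), min_distinct=3):
    """Return (services, flagged).

    services: sorted names of services that SCM reported as terminated with
              "Access is denied" (event 7023).
    flagged:  True when at least min_distinct *different* services hit that
              error inside any single window. One service failing this way is
              an ordinary misconfiguration; many unrelated ones in a short span
              is worth a closer look at service permissions. Thresholds are
              assumptions for this example, not tool defaults.
    """
    hits = []
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["event_id"] != 7023:
            continue
        m = SCM_7023_RE.match(ev["msg"])
        if m and m.group("error").startswith("Access is denied"):
            hits.append((ev["ts"], m.group("service")))
    hits.sort()
    flagged = False
    for i, (t0, _) in enumerate(hits):
        names = {name for t, name in hits[i:] if t - t0 <= window}
        if len(names) >= min_distinct:
            flagged = True
            break
    return sorted({name for _, name in hits}), flagged


if __name__ == "__main__":
    parsed = parse_dds_events(SAMPLE_LOG)
    services, suspicious = access_denied_services(parsed)
    print(f"{len(parsed)} events parsed; access-denied services: {services}")
    print("cluster flagged:", suspicious)
```

Running it on the sample prints the seven service names and flags the cluster, because all seven failures fall within one hour of the 22:30 WcesComm event; raising `min_distinct` above the number of services, or shrinking the window, turns the flag off, which is the knob to tune against a baseline from a known-clean machine.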


Welcome to the forum.

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, right-click the program, select Run as Administrator to start, and when prompted, Allow it to run.

Click Scan to scan the system (don't run any other options).

Post back the report.

MrC


Hi - RogueKiller report below - Thanks

RogueKiller V7.3.2 [03/20/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User: STEVE [Admin rights]

Mode: Scan -- Date: 04/12/2012 08:30:43

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:8080) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[FAKED] cdrom.sys : c:\windows\system32\drivers\cdrom.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK5055GSX ATA Device +++++

--- User ---

[MBR] d7bcec9e0e7bde54e19bbccb2507edfd

[BSP] 37180356a25983f10719d07715e7a088 : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20482048 | Size: 466938 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>


Please make sure system restore is running and create a new restore point before continuing.

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

MrC


  • 3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
