Sirefef.ac hits again


Evening.

I've infected my wife's computer with Sirefef.ac. Originally the problem started with the download of the Smart Fortress 2012 scam (a bogus LinkedIn connection request email from a known colleague - I was fooled), which I used Malwarebytes to remove (all fine there). However, it was apparent that there was still a problem, and MS Security Essentials identified Sirefef.ac as the culprit. However, can I get rid of it? No.

Reading this thread: http://forums.malwarebytes.org/index.php?showtopic=108542&st=0&p=543153&hl=sirefef&fromsearch=1entry543153 I see I am not alone. Some solace in that, but not much; still, I see that it's possible at least... I really hope that someone can help.

Below is the DDS.txt, followed by the RogueKiller report.

***

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31

Run by K Burrough at 21:52:15 on 2012-04-25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.296 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\K Burrough\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe

C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe

C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe

C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

uWindow Title = Windows Internet Explorer provided by MSN & Bing

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [<NO NAME>]

mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe

mRun: [batteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe

mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [MJPEGDecompressor] rundll32.exe "c:\program files\common files\mjpeg\MJPEGDecompressor.dll",wmain

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\kburro~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\k burrough\application data\dropbox\bin\Dropbox.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250882430609

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\k burrough\application data\mozilla\firefox\profiles\zr152s5h.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKsl3b3769ac;MpKsl3b3769ac;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f599d6c0-6e56-4290-89a4-08293fc376c0}\MpKsl3b3769ac.sys [2012-4-25 29904]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-4-2 4300]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-25 654408]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-25 22344]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-4-2 238464]

S1 nwyrnnup;nwyrnnup;c:\windows\system32\drivers\nwyrnnup.sys [2012-4-25 42960]

S2 axinstsv;Mqdmbus;c:\windows\system32\svchost.exe -k netsvcs [2009-4-2 14336]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-14 253088]

S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-2 19840]

.

=============== Created Last 30 ================

.

2012-04-25 20:49:25 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f599d6c0-6e56-4290-89a4-08293fc376c0}\MpKsl3b3769ac.sys

2012-04-25 19:47:05 42960 ----a-w- c:\windows\system32\drivers\nwyrnnup.sys

2012-04-25 19:45:57 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f599d6c0-6e56-4290-89a4-08293fc376c0}\offreg.dll

2012-04-25 15:13:19 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-25 14:14:41 -------- d-----w- c:\documents and settings\k burrough\application data\Malwarebytes

2012-04-25 14:14:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-04-25 14:14:33 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-25 14:14:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-25 13:53:05 883616 ----a-w- C:\FixExec.com

2012-04-25 12:14:41 84480 ----a-w- c:\documents and settings\all users\application data\4ayf4GXl.exe

2012-04-25 08:04:39 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-04-25 08:03:02 -------- d-----w- c:\program files\common files\MJPEG

2012-04-25 08:02:47 -------- d-----w- c:\documents and settings\all users\application data\F4D55F02010CC833013E7290D151FC84

2012-04-20 08:34:02 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f599d6c0-6e56-4290-89a4-08293fc376c0}\mpengine.dll

2012-04-14 10:09:30 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-04-14 09:36:38 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

==================== Find3M ====================

.

2012-04-25 15:12:54 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-20 18:20:42 59 ---ha-w- c:\windows\wpd99.drv

2012-04-14 10:09:48 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 09:08:57 361394 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2012-03-22 19:12:12 4435968 ---ha-w- c:\windows\system32\GPhotos.scr

2011-10-03 20:12:59 9925160 ----a-w- c:\program files\common files\lpuninstall.exe

.

============= FINISH: 21:53:23.62 ===============

***Rogue Killer Report***

RogueKiller V7.3.3 [04/22/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: K Burrough [Admin rights]

Mode: Scan -- Date: 04/25/2012 21:58:16

¤¤¤ Bad processes: 3 ¤¤¤

[SUSP PATH] 4ayf4GXl.exe -- C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> KILLED [TermProc]

[SUSP PATH] 4ayf4GXl.exe -- C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> KILLED [TermProc]

[SUSP PATH] 4ayf4GXl.exe -- C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 51 ¤¤¤

[BLACKLIST DLL] HKLM\[...]\Run : MJPEGDecompressor (rundll32.exe "C:\Program Files\Common Files\MJPEG\MJPEGDecompressor.dll",wmain) -> FOUND

[SUSP PATH] At16.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At15.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At14.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At13.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At12.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At11.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At10.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At1.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At25.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At24.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At23.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At22.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At21.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At20.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At2.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At19.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At18.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At17.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At34.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At33.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At32.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At31.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At30.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At3.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At29.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At28.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At27.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At26.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At43.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At42.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At41.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At40.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At4.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At39.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At38.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At37.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At36.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At35.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At9.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At8.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At7.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At6.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At5.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe -> FOUND

[SUSP PATH] At48.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At47.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At46.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At45.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[SUSP PATH] At44.job @ : C:\Documents and Settings\All Users\Application Data\4ayf4GXl.exe_ -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF76A4B40)

IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF76A4B40)

IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF76A4B40)

IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF76A4B40)

IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF76A4B40)

IRP[IRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF76A4B40)

¤¤¤ Infection : ZeroAccess ¤¤¤

[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 1000gratisproben.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 www.100888290cs.com

127.0.0.1 100888290cs.com

127.0.0.1 100sexlinks.com

127.0.0.1 www.100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HM160HI +++++

--- User ---

[MBR] f69901607d8791fd176c05737215ed3e

[BSP] 1259ef3a584ee3086ec59dfabc48ab57 : KIWI Image system MBR Code

Partition table:

0 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 63 | Size: 6149 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 12594960 | Size: 72749 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161585152 | Size: 73727 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

***end

Many thanks for any help you can give.


Hello and :welcome:

Unfortunately you have a nasty rootkit on your computer. Before continuing, please read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Hi Elise. Many thanks for your response. "Holy Cow" comes to mind as a response. This is bad news. I will not be taking any chances with this and have decided to reformat the disk (might take the opportunity to replace Windows with Ubuntu). However in order to take a full back-up I'm keen to have a go at cleaning the machine as much as possible. While the data is 'safe' (in that it's sitting on a disk partition) I still need to extract emails/addresses/etc on to an external hard-disk and I don't want to risk carrying any infection over (is that possible - any tips on minimising contamination?)

Thanks again.

Below is the ComboFix.txt report:

ComboFix 12-04-26.01 - K Burrough 26/04/2012 14:14:37.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.690 [GMT 1:00]

Running from: c:\documents and settings\K Burrough\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\4ayf4GXl.exe

c:\program files\Common Files\MJPEG\MJPEGDecompressor.dll

c:\windows\$NtUninstallKB27408$\1163462688

c:\windows\$NtUninstallKB27408$\2832909258\@

c:\windows\$NtUninstallKB27408$\2832909258\cfg.ini

c:\windows\$NtUninstallKB27408$\2832909258\Desktop.ini

c:\windows\$NtUninstallKB27408$\2832909258\L\zdmptpip

c:\windows\$NtUninstallKB27408$\2832909258\oemid

c:\windows\$NtUninstallKB27408$\2832909258\U\00000001.@

c:\windows\$NtUninstallKB27408$\2832909258\U\00000002.@

c:\windows\$NtUninstallKB27408$\2832909258\U\00000004.@

c:\windows\$NtUninstallKB27408$\2832909258\U\80000000.@

c:\windows\$NtUninstallKB27408$\2832909258\U\80000004.@

c:\windows\$NtUninstallKB27408$\2832909258\U\80000032.@

c:\windows\$NtUninstallKB27408$\2832909258\version

c:\windows\system32\dds_trash_log.cmd

c:\windows\Tasks\At1.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\$NtUninstallKB27408$ . . . . Failed to delete

.

.

((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))

.

.

2012-04-25 20:57 . 2012-04-25 20:57 13824 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-04-25 15:13 . 2012-04-25 15:12 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\K Burrough\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-25 14:14 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-25 13:53 . 2012-04-25 13:51 883616 ----a-w- C:\FixExec.com

2012-04-25 12:15 . 2012-04-25 12:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2012-04-25 08:03 . 2012-04-26 13:21 -------- d-----w- c:\program files\Common Files\MJPEG

2012-04-25 08:02 . 2012-04-25 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F02010CC833013E7290D151FC84

2012-04-20 08:34 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F599D6C0-6E56-4290-89A4-08293FC376C0}\mpengine.dll

2012-04-14 10:09 . 2012-04-14 10:09 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-04-14 09:36 . 2012-04-14 10:09 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-25 15:12 . 2010-10-14 10:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-14 10:09 . 2011-09-09 09:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 09:08 . 2011-11-02 15:08 361394 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2012-03-22 19:12 . 2012-03-22 19:12 4435968 ---ha-w- c:\windows\system32\GPhotos.scr

2012-03-14 02:15 . 2010-08-28 12:44 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-02-08 06:03 . 2012-03-22 08:25 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-10-03 20:12 . 2011-10-03 20:12 9925160 ----a-w- c:\program files\Common Files\lpuninstall.exe

2012-03-20 09:57 . 2011-10-22 07:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\K Burrough\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\K Burrough\Application Data\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\K Burrough\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/08/2009 19:31 721904]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/04/2009 02:59 4300]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/04/2012 15:14 654408]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 04:01 30208]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/04/2012 15:14 22344]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/04/2009 03:03 238464]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [14/04/2012 10:36 253088]

S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [02/08/2006 00:57 19840]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

TPECioCtl

mcontrol

pdlnecfg

winvnc

oracleorahomeagent

AmdIde

qbfcservice

rppkt

se58obex

rnadiagnosticsservice

kerbkey

ati

processor

merakpop3

axinstsv

sonypvs1

nicser_wmp11

Atmuni

milshieldcleaner

oraclemtsrecoveryservice

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 10:09]

.

2012-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

2012-04-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\K Burrough\Application Data\Mozilla\Firefox\Profiles\zr152s5h.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-MJPEGDecompressor - c:\program files\Common Files\MJPEG\MJPEGDecompressor.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-26 14:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2412)

c:\windows\system32\WININET.dll

c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Samsung\Samsung Update Plus\SLUBackgroundService.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\program files\Samsung\Easy Display Manager\dmhkcore.exe

c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe

c:\program files\SAMSUNG\MagicKBD\PerformanceManager.exe

c:\windows\system32\igfxext.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2012-04-26 14:36:37 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-26 13:36

.

Pre-Run: 46,243,504,128 bytes free

Post-Run: 47,167,705,088 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - B79EA16A305024A37D54C4C1165E4CB7


Hi again, it's indeed best to clean up first if you need to back up data. It's also good to clean (reformat) flash drives, although I didn't see any autorun infection.

Can you please rerun combofix and post me the new log. I need to see if certain entries are getting recreated.


second ComboFix.txt report:

ComboFix 12-04-26.01 - K Burrough 26/04/2012 15:39:38.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.686 [GMT 1:00]

Running from: c:\documents and settings\K Burrough\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))

.

.

2012-04-26 13:37 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3AA4E39-26CD-4A78-B6A9-DE8950397C7F}\mpengine.dll

2012-04-25 20:57 . 2012-04-25 20:57 13824 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-04-25 15:13 . 2012-04-25 15:12 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\K Burrough\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-25 14:14 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-25 13:53 . 2012-04-25 13:51 883616 ----a-w- C:\FixExec.com

2012-04-25 12:15 . 2012-04-25 12:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2012-04-25 08:03 . 2012-04-26 13:21 -------- d-----w- c:\program files\Common Files\MJPEG

2012-04-25 08:02 . 2012-04-25 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F02010CC833013E7290D151FC84

2012-04-14 10:09 . 2012-04-14 10:09 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-04-14 09:36 . 2012-04-14 10:09 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-25 15:12 . 2010-10-14 10:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-14 10:09 . 2011-09-09 09:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 09:08 . 2011-11-02 15:08 361394 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2012-03-22 19:12 . 2012-03-22 19:12 4435968 ---ha-w- c:\windows\system32\GPhotos.scr

2012-03-14 02:15 . 2010-08-28 12:44 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-02-08 06:03 . 2012-03-22 08:25 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-10-03 20:12 . 2011-10-03 20:12 9925160 ----a-w- c:\program files\Common Files\lpuninstall.exe

2012-03-20 09:57 . 2011-10-22 07:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-04-26_13.31.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-04-26 14:38 . 2012-04-26 14:38 16384 c:\windows\Temp\Perflib_Perfdata_658.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\K Burrough\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\K Burrough\Application Data\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\K Burrough\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/08/2009 19:31 721904]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/04/2009 02:59 4300]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/04/2012 15:14 654408]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 04:01 30208]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/04/2012 15:14 22344]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/04/2009 03:03 238464]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [14/04/2012 10:36 253088]

S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [02/08/2006 00:57 19840]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

TPECioCtl

mcontrol

pdlnecfg

winvnc

oracleorahomeagent

AmdIde

qbfcservice

rppkt

se58obex

rnadiagnosticsservice

kerbkey

ati

processor

merakpop3

axinstsv

sonypvs1

nicser_wmp11

Atmuni

milshieldcleaner

oraclemtsrecoveryservice

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 10:09]

.

2012-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

2012-04-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\K Burrough\Application Data\Mozilla\Firefox\Profiles\zr152s5h.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-26 15:46

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

.

Completion time: 2012-04-26 15:49:41

ComboFix-quarantined-files.txt 2012-04-26 14:49

ComboFix2.txt 2012-04-26 13:36

.

Pre-Run: 47,152,177,152 bytes free

Post-Run: 47,151,390,720 bytes free

.

- - End Of File - - ABDB969F7A2B6330D2D7071ECEFF2C00


I don't think we're there yet. Even after re-running MBAM again I can't restart Windows Firewall (note: I'm running MS Security Essentials as my virus protection, so no clash there. It does run on start-up, but is then disabled a short time afterwards). I get the message 'associated service not running'. When I try to start it, I get 'Windows can't start Internet Connection Sharing service'. Note: I'm disconnected from the internet (disabled wifi).

I guess I'm looking now just to be able to extract MS Outlook data and files from the partitioned D drive....then a reformat of disk. Anything I should be aware of before I plug in an external harddisk to the infected machine?

Many thanks for your help,

Below is the log file from MBAM:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.25.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

K Burrough :: SAMSUNGN110 [administrator]

Protection: Disabled

26/04/2012 19:48:58

mbam-log-2012-04-26 (19-48-58).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 250290

Time elapsed: 28 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\System Volume Information\_restore{20176D02-4AD7-40FD-8F7B-BF65468FAD41}\RP561\A0046122.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

(end)


At this point you can safely back up data. If you'd like to resolve the service issues first, please run the following tool.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.


FSS.txt is here:

Farbar Service Scanner Version: 24-04-2012

Ran by K Burrough (administrator) on 26-04-2012 at 20:54:47

Running from "C:\Documents and Settings\K Burrough\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error: Google IP is unreachable

Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

Windows Firewall:

=============

sharedaccess Service is not running. Checking service configuration:

The start type of sharedaccess service is OK.

The ImagePath of sharedaccess service is OK.

The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys

[2009-04-02 01:34] - [2011-02-16 14:22] - 0138496 ___AH () 4621CD9A528BD4FAD812302A9430B089

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x080000000400000001000000020000000300000008000000050000000600000007000000

IpSec Tag value is correct.

**** End of log ****

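The "Extra List" block at the end of the FSS log above prints five TDI driver tags (Gpc, IPSec, NetBT, PSched, Tcpip), a hex dump, and then the verdict "IpSec Tag value is correct." The Python below is an added example, not part of the original thread and not Farbar's own code: it decodes a dump of that shape and reports which expected tags are missing. It assumes the dump is a GroupOrderList registry value (the layout Windows uses for values under HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList: one little-endian DWORD count followed by that many DWORD tags), and that this is what FSS reads for its IPSec check. The sample blob and tag names are copied from the log; `encode_group_order_list` and the tampered blob it builds are constructed for illustration only.

```python
import struct

# Sample copied from the FSS "Extra List" section of the log above:
# the tag names FSS printed and the hex dump that followed them.
FSS_EXTRA_LIST_HEX = (
    "0x08000000040000000100000002000000"
    "0300000008000000050000000600000007000000"
)
FSS_TAG_NAMES = {6: "Gpc", 4: "IPSec", 5: "NetBT", 7: "PSched", 3: "Tcpip"}


def decode_group_order_list(hex_blob):
    """Decode a GroupOrderList value (assumed layout: a little-endian DWORD
    count, then `count` DWORD tags giving the load order inside the group).
    Returns the tags in load order; rejects blobs whose count and length
    disagree, which is the first sign of a hand-edited value."""
    clean = hex_blob[2:] if hex_blob.lower().startswith("0x") else hex_blob
    raw = bytes.fromhex(clean)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    count = struct.unpack_from("<I", raw, 0)[0]
    if len(raw) != 4 + 4 * count:
        raise ValueError("count %d does not match %d bytes of tag data"
                         % (count, len(raw) - 4))
    return list(struct.unpack_from("<%dI" % count, raw, 4))


def encode_group_order_list(tags):
    """Inverse of decode_group_order_list. Used here only to build a
    constructed, tampered sample for the demonstration below."""
    body = b"".join(struct.pack("<I", t) for t in tags)
    return "0x" + struct.pack("<I", len(tags)).hex() + body.hex()


def missing_tags(tags, expected):
    """Names from `expected` (tag -> driver name) whose tag is absent."""
    present = set(tags)
    return sorted(name for tag, name in expected.items() if tag not in present)


def check_extra_list(hex_blob, expected=FSS_TAG_NAMES):
    """Reproduce the FSS-style verdict: decode the blob and say whether every
    expected driver tag, IPSec in particular, is still listed."""
    tags = decode_group_order_list(hex_blob)
    missing = missing_tags(tags, expected)
    if "IPSec" in missing:
        verdict = "IPSec tag is missing from the group order list."
    else:
        verdict = "IpSec Tag value is correct."
    return {"tags": tags, "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    # The value from the log: all five tags present, verdict matches FSS.
    print(check_extra_list(FSS_EXTRA_LIST_HEX))
    # Constructed tampered value: same list with the IPSec tag (4) removed.
    tampered = encode_group_order_list(
        [t for t in decode_group_order_list(FSS_EXTRA_LIST_HEX) if t != 4])
    print(check_extra_list(tampered))
```

On the value from the log the decoder yields the eight tags 4, 1, 2, 3, 8, 5, 6, 7, so all five named drivers are present; dropping tag 4 from the list produces the "missing" verdict. The length check matters: a value whose count field no longer matches its payload is worth flagging on its own, before any tag comparison.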

Hi again, please let me know how things are after the following fix.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


FCopy::
c:\windows\servicepackfiles\i386\afd.sys | c:\windows\system32\drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


ComboFix report (with CFScript). Cheers

ComboFix 12-04-26.01 - K Burrough 27/04/2012 7:35.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.689 [GMT 1:00]

Running from: c:\documents and settings\K Burrough\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\K Burrough\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))

.

.

2012-04-26 19:23 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F0296F0-9ADE-40D9-8D27-EF859B9715FE}\mpengine.dll

2012-04-25 20:57 . 2012-04-25 20:57 13824 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-04-25 15:13 . 2012-04-25 15:12 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\K Burrough\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-25 14:14 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-25 13:53 . 2012-04-25 13:51 883616 ----a-w- C:\FixExec.com

2012-04-25 12:15 . 2012-04-25 12:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2012-04-25 08:03 . 2012-04-26 13:21 -------- d-----w- c:\program files\Common Files\MJPEG

2012-04-25 08:02 . 2012-04-25 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F02010CC833013E7290D151FC84

2012-04-14 10:09 . 2012-04-14 10:09 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-04-14 09:36 . 2012-04-14 10:09 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-25 15:12 . 2010-10-14 10:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-14 10:09 . 2011-09-09 09:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 09:08 . 2011-11-02 15:08 361394 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2012-03-22 19:12 . 2012-03-22 19:12 4435968 ---ha-w- c:\windows\system32\GPhotos.scr

2012-03-14 02:15 . 2010-08-28 12:44 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-02-08 06:03 . 2012-03-22 08:25 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-10-03 20:12 . 2011-10-03 20:12 9925160 ----a-w- c:\program files\Common Files\lpuninstall.exe

2012-03-20 09:57 . 2011-10-22 07:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-04-26_13.31.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-04-27 06:34 . 2012-04-27 06:34 16384 c:\windows\Temp\Perflib_Perfdata_664.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\K Burrough\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\K Burrough\Application Data\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\K Burrough\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/08/2009 19:31 721904]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/04/2009 02:59 4300]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/04/2012 15:14 654408]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 04:01 30208]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/04/2012 15:14 22344]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/04/2009 03:03 238464]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [14/04/2012 10:36 253088]

S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [02/08/2006 00:57 19840]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

TPECioCtl

mcontrol

pdlnecfg

winvnc

oracleorahomeagent

AmdIde

qbfcservice

rppkt

se58obex

rnadiagnosticsservice

kerbkey

ati

processor

merakpop3

axinstsv

sonypvs1

nicser_wmp11

Atmuni

milshieldcleaner

oraclemtsrecoveryservice

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-26 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 10:09]

.

2012-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

2012-04-27 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\K Burrough\Application Data\Mozilla\Firefox\Profiles\zr152s5h.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-27 07:42

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

.

Completion time: 2012-04-27 07:45:43

ComboFix-quarantined-files.txt 2012-04-27 06:45

ComboFix2.txt 2012-04-26 14:49

ComboFix3.txt 2012-04-26 13:36

.

Pre-Run: 47,436,025,856 bytes free

Post-Run: 47,434,403,840 bytes free

.

- - End Of File - - 4D2C5D75442369DFFC18653A95993E1B


Hi again,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    afd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


I'm kinda enjoying this now....

SystemLook.txt

SystemLook 30.07.11 by jpshortstuff

Log created at 10:15 on 27/04/2012 by K Burrough

Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --ah--- 138496 bytes [08:48 16/06/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --ah--- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --ah--- 138496 bytes [08:38 20/08/2009] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --ah--- 138496 bytes [08:43 20/08/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys ---h-c- 138496 bytes [21:37 16/06/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys ---h-c- 138496 bytes [06:04 18/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB951748$\afd.sys ---h-c- 138112 bytes [14:19 21/08/2009] [12:00 14/04/2008] 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB956803$\afd.sys ---h-c- 138496 bytes [14:25 21/08/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\system32\dllcache\afd.sys ---h-c- 138496 bytes [00:34 02/04/2009] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89

C:\WINDOWS\system32\drivers\afd.sys --ah--- 138496 bytes [00:34 02/04/2009] [13:22 16/02/2011] 4621CD9A528BD4FAD812302A9430B089

-= EOF =-


Glad to hear that! :) The following fix should restore your internet access.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


FCopy::
C:\WINDOWS\system32\dllcache\afd.sys | C:\WINDOWS\system32\drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

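As an added check that is not part of the thread and not the helper's own tooling: the SystemLook filefind output posted above is parsed and the live afd.sys is compared against the copy Windows File Protection keeps in dllcache, which is the reasoning behind the FCopy directive in this post. The function names and result keys are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SystemLook "filefind" output copied from the log posted above (ten copies of afd.sys).
SYSTEMLOOK_LOG = r"""
C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --ah--- 138496 bytes [08:48 16/06/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --ah--- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --ah--- 138496 bytes [08:38 20/08/2009] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --ah--- 138496 bytes [08:43 20/08/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtUninstallKB2503665$\afd.sys ---h-c- 138496 bytes [21:37 16/06/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\$NtUninstallKB2509553$\afd.sys ---h-c- 138496 bytes [06:04 18/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$NtUninstallKB951748$\afd.sys ---h-c- 138112 bytes [14:19 21/08/2009] [12:00 14/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\$NtUninstallKB956803$\afd.sys ---h-c- 138496 bytes [14:25 21/08/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\system32\dllcache\afd.sys ---h-c- 138496 bytes [00:34 02/04/2009] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89
C:\WINDOWS\system32\drivers\afd.sys --ah--- 138496 bytes [00:34 02/04/2009] [13:22 16/02/2011] 4621CD9A528BD4FAD812302A9430B089
-= EOF =-
"""

# One result line: <path> <attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileEntry:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text: str) -> List[FileEntry]:
    """Return every file line of a SystemLook filefind log; header and EOF lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["created"], m["modified"], m["md5"].upper()))
    return entries


def find_copy(entries: List[FileEntry], suffix: str) -> Optional[FileEntry]:
    """Case-insensitive lookup of the entry whose path ends with the given suffix."""
    suffix = suffix.lower()
    return next((e for e in entries if e.path.lower().endswith(suffix)), None)


def assess_driver(entries: List[FileEntry], name: str = "afd.sys") -> Dict[str, object]:
    """Compare the live driver with the Windows File Protection copy kept in dllcache."""
    live = find_copy(entries, "\\system32\\drivers\\" + name)
    cache = find_copy(entries, "\\system32\\dllcache\\" + name)
    if live is None or cache is None:
        raise ValueError("log must list both the live driver and its dllcache copy")
    # Tell-tale pattern from the thread: same size and modification time but a
    # different MD5, i.e. the driver was overwritten in place with metadata preserved.
    metadata_preserved = live.size == cache.size and live.modified == cache.modified
    # Other copies sharing the dllcache hash would corroborate it as the known-good
    # build; hotfix backups are usually different builds, so this list can be empty
    # (it is for the log above) and the check alone is then not conclusive.
    corroborating = [e.path for e in entries if e is not cache and e.md5 == cache.md5]
    return {
        "mismatch": live.md5 != cache.md5,
        "metadata_preserved": metadata_preserved,
        "live_md5": live.md5,
        "cache_md5": cache.md5,
        "corroborating": corroborating,
        # The restore directive in the ComboFix script syntax used in this post.
        "fcopy_script": "FCopy::\n%s | %s\n" % (cache.path, live.path),
    }


if __name__ == "__main__":
    for key, value in assess_driver(parse_filefind(SYSTEMLOOK_LOG)).items():
        print(key, "=", value)
```

The dllcache copy is trusted only because Windows File Protection populates it; with no other on-disk copy sharing its hash, the mismatch is a strong indicator rather than proof, which is why further scans follow in the thread.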

Report:

ComboFix 12-04-26.01 - K Burrough 27/04/2012 11:41:06.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.708 [GMT 1:00]

Running from: c:\documents and settings\K Burrough\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\K Burrough\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\system32\dllcache\afd.sys --> c:\windows\system32\drivers\afd.sys

.

((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))

.

.

2012-04-27 07:27 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D7A249F4-2A90-4488-8975-C4DD7139EB7A}\mpengine.dll

2012-04-25 20:57 . 2012-04-25 20:57 13824 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-04-25 15:13 . 2012-04-25 15:12 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\K Burrough\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-04-25 14:14 . 2012-04-25 14:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-25 14:14 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-25 13:53 . 2012-04-25 13:51 883616 ----a-w- C:\FixExec.com

2012-04-25 12:15 . 2012-04-25 12:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2012-04-25 08:03 . 2012-04-26 13:21 -------- d-----w- c:\program files\Common Files\MJPEG

2012-04-25 08:02 . 2012-04-25 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F02010CC833013E7290D151FC84

2012-04-14 10:09 . 2012-04-14 10:09 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-04-14 09:36 . 2012-04-14 10:09 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-25 15:12 . 2010-10-14 10:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-14 10:09 . 2011-09-09 09:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 09:08 . 2011-11-02 15:08 361394 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2012-03-22 19:12 . 2012-03-22 19:12 4435968 ---ha-w- c:\windows\system32\GPhotos.scr

2012-03-14 02:15 . 2010-08-28 12:44 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-02-08 06:03 . 2012-03-22 08:25 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-10-03 20:12 . 2011-10-03 20:12 9925160 ----a-w- c:\program files\Common Files\lpuninstall.exe

2012-03-20 09:57 . 2011-10-22 07:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-04-26_13.31.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-04-27 10:38 . 2012-04-27 10:38 16384 c:\windows\Temp\Perflib_Perfdata_64c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\K Burrough\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]

"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\K Burrough\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\K Burrough\Application Data\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\K Burrough\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21/08/2009 19:31 721904]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [02/04/2009 02:59 4300]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/04/2012 15:14 654408]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 04:01 30208]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/04/2012 15:14 22344]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [02/04/2009 03:03 238464]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [14/04/2012 10:36 253088]

S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [02/08/2006 00:57 19840]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

TPECioCtl

mcontrol

pdlnecfg

winvnc

oracleorahomeagent

AmdIde

qbfcservice

rppkt

se58obex

rnadiagnosticsservice

kerbkey

ati

processor

merakpop3

axinstsv

sonypvs1

nicser_wmp11

Atmuni

milshieldcleaner

oraclemtsrecoveryservice

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 10:09]

.

2012-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

2012-04-27 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\K Burrough\Application Data\Mozilla\Firefox\Profiles\zr152s5h.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-27 11:48

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,bd,67,fe,44,bd,c1,4e,b6,c7,8c,\

.

Completion time: 2012-04-27 11:51:21

ComboFix-quarantined-files.txt 2012-04-27 10:51

ComboFix2.txt 2012-04-27 06:45

ComboFix3.txt 2012-04-26 14:49

ComboFix4.txt 2012-04-26 13:36

.

Pre-Run: 47,411,011,584 bytes free

Post-Run: 47,415,099,392 bytes free

.

- - End Of File - - E2363A2F6FFD34154B4366C1D670D7F8

Many thanks....


Before giving you a definite answer I'd like you to run one last scan. This one is a virus scan, which has slightly different detections than the tools we used until now and may give an idea if there were any other affected files. This rootkit concentrates on security/connection services, so if these are running fine it usually means the system isn't too badly damaged.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.exe icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.


That ESET scan took some time...but found (and dealt with) just one file:

Report:

C:\Documents and Settings\K Burrough\Application Data\Sun\Java\Deployment\cache\6.0\0\43296140-77c2fc7c a variant of Java/TrojanDownloader.Agent.ME trojan cleaned by deleting - quarantined

I'm thinking now, if there is a chance of the system being cleaned that I will use a stepped approach to converting to Ubuntu. If I create a dual boot I can migrate across more easily, with an eye to deleting the MS OS in the near future.

Cheers


At this point your computer is clean, the detected item was only a Java cache object.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes in this Topic are for this system only! Do not apply the fix-instructions from this topic to your System !

