cimthurn Posted December 25, 2012

Hello folks,

Malwarebytes will find and remove UserWLoad but it keeps coming back . . .

DDS.txt follows. Below it is Attach.txt
------------------------------------------------------------------------------------------

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.7.2
Run by Hugh at 19:45:31 on 2012-12-24
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8157.6580 [GMT -8:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k ftpsvc
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSAS10_50.MSSQLSERVER\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindows: Load = C:\Users\Hugh\LOCALS~1\Temp\msuqeoppk.pif
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: LocalAccountTokenFilterPolicy = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: localhost
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{B7BCD3EF-270C-4A4A-93E2-F7D0CEB1A9D0} : DHCPNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 BIOS;BIOS;C:\Windows\System32\drivers\BIOS64.sys [2006-10-30 14136]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2009-9-8 87600]
R1 RsFx0151;RsFx0151 Driver;C:\Windows\System32\drivers\RsFx0151.sys [2011-6-17 313696]
R2 ftpsvc;Microsoft FTP Service;C:\Windows\System32\svchost.exe -k ftpsvc [2009-7-13 27136]
R2 MsDtsServer100;SQL Server Integration Services 10.0;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2011-6-17 210784]
R2 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2010-4-3 32096]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-6-17 2180960]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2009-5-26 138752]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-1-29 215040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-4-17 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-17 1255736]
S3 WMSVC;Web Management Service;C:\Windows\System32\inetsrv\WMSvc.exe [2009-7-13 10752]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 59744]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\System32\drivers\RsFx0103.sys [2009-3-30 311656]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2012-12-25 00:33:11 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-12-25 00:27:10 151552 --sha-w- C:\ProgramData\ms145EA3B1.dat
2012-12-25 00:27:01 -------- d-----w- C:\Users\Hugh\AppData\Roaming\Suic
2012-12-25 00:27:01 -------- d-----w- C:\Users\Hugh\AppData\Roaming\Ruhat
2012-12-25 00:27:01 -------- d-----w- C:\Users\Hugh\AppData\Roaming\Huogo
2012-12-21 01:20:37 -------- d-----w- C:\ProgramData\Citrix
2012-12-21 01:20:26 -------- d-----w- C:\Users\Hugh\AppData\Roaming\ICAClient
2012-12-21 01:20:26 -------- d-----w- C:\Users\Hugh\AppData\Local\Citrix
2012-12-21 01:20:25 -------- d-----w- C:\Program Files (x86)\Citrix
2012-12-08 03:45:53 -------- d--h--w- C:\Windows\AxInstSV
.
==================== Find3M ====================
.
2012-12-11 21:51:53 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-11 21:51:53 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-30 03:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 19:45:57.37 ===============

*************************************************************************************************************************

attach.txt follows.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/29/2011 8:09:08 PM
System Uptime: 12/24/2012 7:12:37 PM (0 hours ago)
.
Motherboard: BIOSTAR Group | | G41D3
Processor: Pentium® Dual-Core CPU E5500 @ 2.80GHz | CPU 1 | 2816/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 931 GiB total, 745.702 GiB free.
D: is CDROM ()
E: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP146: 10/23/2012 12:00:01 AM - Scheduled Checkpoint
RP147: 10/31/2012 - Scheduled Checkpoint
RP148: 11/7/2012 - Scheduled Checkpoint
RP149: 11/15/2012 - Scheduled Checkpoint
RP150: 11/22/2012 5:33:14 PM - Scheduled Checkpoint
RP151: 11/30/2012 12:00:02 AM - Scheduled Checkpoint
RP152: 12/8/2012 12:03:37 AM - Scheduled Checkpoint
RP153: 12/16/2012 - Scheduled Checkpoint
RP154: 12/23/2012 12:00:02 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4)
Amazon MP3 Downloader 1.0.17
AVS Update Manager 1.0
AVS Video Converter 7
AVS4YOU Software Navigator 1.4
Canon MP Navigator 2.2
Canon MP830
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Contacts
Crystal Reports for Visual Studio
D3DX10
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dotfuscator Software Services - Community Edition
Google Earth
Google Talk Plugin
Google Update Helper
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2522890)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2529927)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2548139)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2549864)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2565057)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
Intel® Graphics Media Accelerator Driver
Jacquie Lawson London Advent Calendar
Java 7 Update 7
Java Auto Updater
JavaFX 2.1.1
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Baseline Configuration Analyzer 2.0
Microsoft Help Viewer 1.1
Microsoft Office 2003 Web Components
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft Silverlight 4 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 (64-bit)
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 R2 (64-bit)
Microsoft SQL Server 2008 R2 Books Online
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Management Objects (x64)
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 Policies
Microsoft SQL Server 2008 R2 Report Builder 3.0
Microsoft SQL Server 2008 R2 RsFx Driver
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server 2008R2 Data Engine Administration Scripts RTM Samples (x64)
Microsoft SQL Server 2008R2 Reporting Services SR1 Samples (x64)
Microsoft SQL Server Browser
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
Microsoft SQL Server Compact 3.5 SP2 x64 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft SQL Server System CLR Types (x64)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime v1.0 SP1 (x64)
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Sync Framework Services v1.0 SP1 (x64)
Microsoft Sync Services for ADO.NET v2.0 SP1 (x64)
Microsoft Team Foundation Server 2010 Object Model - ENU
Microsoft Visual C++ Compilers 2010 Standard - enu - x64
Microsoft Visual C++ Compilers 2010 Standard - enu - x86
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Designtime - 10.0.30319
Microsoft Visual C++ 2010 x64 Runtime - 10.0.40219
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
Microsoft Visual F# 2.0 Runtime
Microsoft Visual Studio 2008 Shell (integrated mode) - ENU
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Office Developer Tools (x64)
Microsoft Visual Studio 2010 Professional - ENU
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Microsoft Visual Studio Macro Tools
Microsoft Visual Studio Tools for Applications 2.0 - ENU
MSVCRT
Musicnotes Software Suite 1.5.5
NoteWorthy Player
Octoshape add-in for Adobe Flash Player
Realtek 8136 8168 8169 Ethernet Driver
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Excel 2010 (KB2553070)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Service Pack 1 for SQL Server 2008 (KB968369) (64-bit)
Service Pack 1 for SQL Server 2008 R2 (KB2528583) (64-bit)
SQL Server 2008 R2 Reporting Services
SQL Server 2008 R2 SP1 Analysis Services
SQL Server 2008 R2 SP1 BI Development Studio
SQL Server 2008 R2 SP1 Client Tools
SQL Server 2008 R2 SP1 Common Files
SQL Server 2008 R2 SP1 Database Engine Services
SQL Server 2008 R2 SP1 Database Engine Shared
SQL Server 2008 R2 SP1 Full text search
SQL Server 2008 R2 SP1 Integration Services
SQL Server 2008 R2 SP1 Management Studio
SQL Server 2008 R2 SP1 Reporting Services
Sql Server Customer Experience Improvement Program
Transcender Test Engine
Transcender: Exam Cert-70-433
Transcender: Exam Cert-70-448
Transcender: Exam Cert-70-451
Typemock Isolator 7.0.7
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
Visual Studio 2010 Prerequisites - English
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
WCF RIA Services V1.0 SP1
Web Deployment Tool
WinAVI Video Converter
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Movie Maker 2.6
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
12/24/2012 7:14:08 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
12/24/2012 7:14:08 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
12/24/2012 7:13:04 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
12/24/2012 7:12:57 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
12/24/2012 7:12:56 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
12/24/2012 7:12:48 PM, Error: Microsoft-Windows-Kernel-Processor-Power [34] - Idle power management features on processor 1 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
12/24/2012 7:12:48 PM, Error: Microsoft-Windows-Kernel-Processor-Power [34] - Idle power management features on processor 0 in group 0 are disabled due to a firmware problem. Check with the computer manufacturer for updated firmware.
12/24/2012 7:12:01 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
12/24/2012 7:11:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
12/24/2012 7:11:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
12/24/2012 7:10:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
12/24/2012 7:07:53 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
12/24/2012 7:07:53 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/24/2012 7:07:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
12/24/2012 7:07:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
12/24/2012 7:07:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/24/2012 7:07:45 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
12/24/2012 7:07:37 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BIOS CSC ctxusbm DfsC discache NetBIOS NetBT nsiproxy Psched rdbss RsFx0151 spldr tdx Wanarpv6 WfpLwf ws2ifsl
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
12/24/2012 7:07:37 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
12/23/2012 7:13:49 AM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom1.
.
==== End Of File ===========================
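The line in the posted DDS.txt that a practitioner looks at first is `uWindows: Load = C:\Users\Hugh\LOCALS~1\Temp\msuqeoppk.pif`. DDS is reporting the per-user Load value (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows), a legacy autostart location that legitimate software almost never writes, and here it points at a .pif in the Temp directory. The "Created Last 30" section shows what arrived with it: a hidden+system .dat directly in C:\ProgramData and three new AppData\Roaming directories in the same minute, plus a directory literally named %APPDATA% under System32 a few minutes later. If only the Load value is removed and the files that recreate it are left in place, the value returns, which is consistent with the symptom described in the post. The script below is an added example, not code from DDS, Malwarebytes or anyone in this thread: it parses DDS-style autostart and file-creation lines and scores them on exactly those properties. The sample lines are copied from the log above, the regexes follow the DDS layout shown there, and the scoring weights, the threshold and the 60-second correlation window are the editor's own assumptions rather than any published signature.

```python
"""Triage a DDS-style log for the persistence pattern visible in the post above.

Added example, not part of DDS or Malwarebytes. The regexes follow the DDS line
layout seen in the posted log; the scoring rules are the editor's own heuristics.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a handful of lines copied from the posted DDS.txt.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uWindows: Load = C:\Users\Hugh\LOCALS~1\Temp\msuqeoppk.pif
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
2012-12-25 00:33:11 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-12-25 00:27:10 151552 --sha-w- C:\ProgramData\ms145EA3B1.dat
2012-12-25 00:27:01 -------- d-----w- C:\Users\Hugh\AppData\Roaming\Suic
2012-12-21 01:20:37 -------- d-----w- C:\ProgramData\Citrix
2012-12-11 21:51:53 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
"""

# DDS autostart lines: "uWindows: Load = <path>", "mRun: [Name] <cmd>", "x64-Run: [Name] <cmd>".
AUTORUN_RE = re.compile(
    r'^(?P<scope>u|m|x64-)(?P<key>Windows: Load|Run(?:Once)?):?\s*'
    r'(?:\[(?P<name>[^\]]*)\]\s*)?=?\s*(?P<cmd>.+)$')
# DDS "Created Last 30" / "Find3M" lines: "<timestamp> <size|-----> <attr> <path>".
FILE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>-+|\d+)\s+'
    r'(?P<attr>[-a-z]{8})\s+(?P<path>.+)$')
# First executable-looking path inside a command line, with or without quotes.
TARGET_RE = re.compile(r'"?([^"]+?\.(?:exe|pif|scr|com|bat|cmd|dll|vbs|js))\b', re.I)
SCRIPT_LIKE = ('.pif', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js')


def score_autorun(m):
    """Return (target path, score, reasons) for one parsed autostart line."""
    reasons, score = [], 0
    t = TARGET_RE.match(m['cmd'])
    target = t.group(1) if t else m['cmd'].strip('" ')
    low = target.lower()
    if m['key'] == 'Windows: Load':          # legacy win.ini-era value; rarely used legitimately
        score += 3
        reasons.append('legacy Windows\\Load value, rarely used by legitimate software')
    if '\\temp\\' in low:                    # autostarts should not live in a Temp directory
        score += 2
        reasons.append('target lives in a Temp directory')
    if low.endswith(SCRIPT_LIKE):            # .pif/.scr/... instead of a normal .exe
        score += 2
        reasons.append('script/shortcut-style executable extension')
    return target, score, reasons


def score_file(m):
    """Return (path, score, reasons) for one parsed file-creation line."""
    reasons, score = [], 0
    attr, path = m['attr'], m['path']
    if 's' in attr and 'h' in attr:          # DDS attr field: 's' system, 'h' hidden
        score += 2
        reasons.append('hidden+system attributes set')
    if '%' in path:                          # a literal "%APPDATA%" directory, not an expansion
        score += 2
        reasons.append("literal '%' in path: unexpanded variable name used as a directory")
    return path, score, reasons


def triage(log_text, threshold=2, window=timedelta(seconds=60)):
    """Parse autostart and file-creation lines; return entries scoring >= threshold,
    highest score first. Correlation pass (editor's heuristic): a file created within
    `window` of an already-suspicious file gains 2 points, which is what surfaces the
    bland-looking AppData directories dropped in the same minute as the hidden blob."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := AUTORUN_RE.match(line):
            item, score, reasons = score_autorun(m)
            findings.append({'kind': 'autorun', 'item': item, 'score': score,
                             'reasons': reasons, 'ts': None})
        elif m := FILE_RE.match(line):
            item, score, reasons = score_file(m)
            findings.append({'kind': 'file', 'item': item, 'score': score, 'reasons': reasons,
                             'ts': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')})
    anchors = [f['ts'] for f in findings if f['ts'] and f['score'] >= threshold]
    for f in findings:
        if f['ts'] and f['score'] < threshold and any(abs(f['ts'] - a) <= window for a in anchors):
            f['score'] += 2
            f['reasons'].append(f"created within {int(window.total_seconds())} s of a flagged file")
    return sorted((f for f in findings if f['score'] >= threshold), key=lambda f: -f['score'])


def flagged_items(log_text):
    """Convenience wrapper: only the flagged paths, highest score first."""
    return [f['item'] for f in triage(log_text)]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['kind']:7} {f['item']}")
        for r in f['reasons']:
            print(f"        - {r}")
```

Run against the sample, the Load entry scores highest, the %APPDATA% directory and the ProgramData .dat follow on their attributes alone, and the AppData\Roaming\Suic directory is pulled in only by the time correlation. The Adobe, Intel and Citrix entries score zero, which is the point of scoring on properties rather than on names: the same rules would not flag a vendor updater in Program Files. Treat the output as a worklist for a responder, not a verdict; a hit on the Load value still needs the referenced file examined and every file created around it removed together.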
Maniac Posted December 25, 2012

Hello cimthurn! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:
If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Please download Malwarebytes Anti-Rootkit from here.
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe (right click and select Run as administrator for Vista and Windows 7).
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Please post the two logs produced.
cimthurn Posted December 25, 2012 (Author)

Hello Maniac . . . and Merry Christmas

Thanks in advance for your help; below are the two logs produced by running Malwarebytes Anti-Rootkit.
I'll wait to hear back from you.

Carl

system-log.txt
***************************************************************************************************************************************
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011
© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 8.0.7601.17514

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.816000 GHz
Memory total: 8553488384, free: 6575149056

------------ Kernel report ------------
     12/25/2012 07:12:08
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\system32\DRIVERS\RsFx0151.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ctxusbm.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\Windows\system32\drivers\BIOS64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\IntcHdmi.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoo
t\System32\cdd.dll\SystemRoot\system32\drivers\luafv.sys\SystemRoot\system32\drivers\WudfPf.sys\SystemRoot\system32\DRIVERS\lltdio.sys\SystemRoot\system32\DRIVERS\rspndr.sys\SystemRoot\system32\drivers\HTTP.sys\SystemRoot\System32\DRIVERS\srvnet.sys\SystemRoot\system32\DRIVERS\bowser.sys\SystemRoot\system32\DRIVERS\mrxsmb.sys\SystemRoot\system32\DRIVERS\mrxsmb10.sys\SystemRoot\system32\DRIVERS\mrxsmb20.sys\SystemRoot\System32\DRIVERS\srv2.sys\SystemRoot\System32\DRIVERS\srv.sys\SystemRoot\system32\drivers\peauth.sys\SystemRoot\System32\Drivers\secdrv.SYS\SystemRoot\System32\drivers\tcpipreg.sys\SystemRoot\system32\DRIVERS\WUDFRd.sys\SystemRoot\system32\DRIVERS\asyncmac.sys\??\C:\Windows\system32\drivers\mbamchameleon.sys\??\C:\Windows\system32\drivers\mbamswissarmy.sys\Windows\System32\ntdll.dll\Windows\System32\smss.exe\Windows\System32\apisetschema.dll\Windows\System32\autochk.exe\Windows\System32\shell32.dll\Windows\System32\Wldap32.dll\Windows\System32\gdi32.dll\Windows\System32\imm32.dll\Windows\System32\imagehlp.dll\Windows\System32\user32.dll\Windows\System32\msvcrt.dll\Windows\System32\shlwapi.dll\Windows\System32\urlmon.dll\Windows\System32\difxapi.dll\Windows\System32\psapi.dll\Windows\System32\nsi.dll\Windows\System32\wininet.dll\Windows\System32\kernel32.dll\Windows\System32\oleaut32.dll\Windows\System32\setupapi.dll\Windows\System32\clbcatq.dll\Windows\System32\sechost.dll\Windows\System32\lpk.dll\Windows\System32\iertutil.dll\Windows\System32\rpcrt4.dll\Windows\System32\ole32.dll\Windows\System32\ws2_32.dll\Windows\System32\advapi32.dll\Windows\System32\usp10.dll\Windows\System32\msctf.dll\Windows\System32\normaliz.dll\Windows\System32\comdlg32.dll\Windows\System32\cfgmgr32.dll\Windows\System32\wintrust.dll\Windows\System32\devobj.dll\Windows\System32\comctl32.dll\Windows\System32\KernelBase.dll\Windows\System32\crypt32.dll\Windows\System32\msasn1.dll\Windows\SysWOW64\normaliz.dll----------- End -----------<<<1>>>Upper Device Name: 
\Device\Harddisk1\DR1Upper Device Object: 0xfffffa800869a060Upper Device Driver Name: \Driver\Disk\Lower Device Name: \Device\0000006f\Lower Device Object: 0xfffffa8008e1ab60Lower Device Driver Name: \Driver\USBSTOR\Driver name found: USBSTORDriverEntry returned 0x0Function returned 0x0<<<1>>>Upper Device Name: \Device\Harddisk0\DR0Upper Device Object: 0xfffffa8007c89740Upper Device Driver Name: \Driver\Disk\Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-3\Lower Device Object: 0xfffffa800771b060Lower Device Driver Name: \Driver\atapi\Driver name found: atapiDriverEntry returned 0x0Function returned 0x0Downloaded database version: v2012.12.25.07Initializing...Done!<<<2>>>Device number: 0, partition: 2Physical Sector Size: 512Drive: 0, DevicePointer: 0xfffffa8007c89740, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\--------- Disk Stack ------DevicePointer: 0xfffffa8007c89270, DeviceName: Unknown, DriverName: \Driver\partmgr\DevicePointer: 0xfffffa8007c89740, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\DevicePointer: 0xfffffa800771f550, DeviceName: Unknown, DriverName: \Driver\ACPI\DevicePointer: 0xfffffa800771b060, DeviceName: \Device\Ide\IdeDeviceP2T0L0-3\, DriverName: \Driver\atapi\------------ End ----------Upper DeviceData: 0xfffff8a012b85760, 0xfffffa8007c89740, 0xfffffa800ac92790Lower DeviceData: 0xfffff8a004cf2cf0, 0xfffffa800771b060, 0xfffffa800ad5b090<<<3>>>Volume: C:File system type: NTFSSectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytesScanning directory: C:\Windows\system32\drivers...Done!Drive 0Scanning MBR on drive 0...Inspecting partition table:MBR Signature: 55AADisk Signature: AB69FA20Partition information: Partition 0 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 2048 Numsec = 204800 Partition file system is NTFS Partition is bootable Partition 1 type is Primary (0x7) Partition is NOT ACTIVE. 
Partition starts at LBA: 206848 Numsec = 1953314816 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0Disk Size: 1000204886016 bytesSector size: 512 bytesScanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...Physical Sector Size: 0Drive: 1, DevicePointer: 0xfffffa800869a060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\--------- Disk Stack ------DevicePointer: 0xfffffa800869ab90, DeviceName: Unknown, DriverName: \Driver\partmgr\DevicePointer: 0xfffffa800869a060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\DevicePointer: 0xfffffa8008e1ab60, DeviceName: \Device\0000006f\, DriverName: \Driver\USBSTOR\------------ End ----------Done!Performing system, memory and registry scan...Infected: C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763\@ --> [Trojan.Siredef.C]Infected: C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763\@ --> [Trojan.Siredef.C]Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load --> [PUM.UserWLoad]Infected: C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763\U --> [Trojan.Siredef.C]Infected: C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763\U --> [Trojan.Siredef.C]Infected: C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763\L --> [Trojan.Siredef.C]Infected: C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763\L --> [Trojan.Siredef.C]Infected: C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763 --> [Trojan.Siredef.C]Infected: C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763 --> [Trojan.Siredef.C]Infected: 
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| --> [Trojan.0Access]Infected: HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| --> [Trojan.0Access]Infected: HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| --> [Hijack.Trojan.Siredef.C]Done!Scan finishedCreating System Restore point...Scheduling clean up...<<<2>>>Device number: 0, partition: 2<<<3>>>Volume: C:File system type: NTFSSectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytesRemoval scheduling successful. System shutdown needed.System shutdown occurred=======================================---------------------------------------Malwarebytes Anti-Rootkit BETA 1.01.0.1011© Malwarebytes Corporation 2011-2012OS version: 6.1.7601 Windows 7 Service Pack 1 x64Account is AdministrativeInternet Explorer version: 8.0.7601.17514File system is: NTFSDisk drives: C:\ DRIVE_FIXEDCPU speed: 2.816000 GHzMemory total: 8553488384, free: 6731825152************************************************************************************************************************************************mbar-log-2012-12-25 (07-18-42).txt************************************************************************************************************************************************Malwarebytes Anti-Rootkit 1.01.0.1011www.malwarebytes.orgDatabase version: v2012.12.25.07Windows 7 Service Pack 1 x64 NTFSInternet Explorer 8.0.7601.17514Hugh :: DESKTOP-1 [administrator]12/25/2012 7:18:42 AMmbar-log-2012-12-25 (07-18-42).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2PScan options disabled:Objects scanned: 32052Time elapsed: 5 minute(s), 2 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 
1HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.Registry Values Detected: 1HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load (PUM.UserWLoad) -> Data: C:\Users\Hugh\LOCALS~1\Temp\msuqeoppk.pif -> Delete on reboot.Registry Data Items Detected: 3HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763\n.) Good: (shell32.dll) -> Delete on reboot.HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$02166393277421950eb8f81276d26763\n.) Good: (fastprox.dll) -> Delete on reboot.HKLM\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32| (Hijack.Trojan.Siredef.C) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$02166393277421950eb8f81276d26763\n.) Good: (%systemroot%\system32\wbem\fastprox.dll) -> Delete on reboot.Folders Detected: 6C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763\U (Trojan.Siredef.C) -> Delete on reboot.C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763\U (Trojan.Siredef.C) -> Delete on reboot.C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763\L (Trojan.Siredef.C) -> Delete on reboot.C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763\L (Trojan.Siredef.C) -> Delete on reboot.C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763 (Trojan.Siredef.C) -> Delete on reboot.C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763 (Trojan.Siredef.C) -> Delete on reboot.Files Detected: 2C:\$RECYCLE.BIN\S-1-5-18\$02166393277421950eb8f81276d26763\@ (Trojan.Siredef.C) -> Delete on reboot.C:\$RECYCLE.BIN\S-1-5-21-4069400829-1078425106-944951986-1001\$02166393277421950eb8f81276d26763\@ (Trojan.Siredef.C) -> 
Delete on reboot.(end) Link to post Share on other sites More sharing options...
Maniac Posted December 31, 2012 ID:628810
Very good! Please post a new fresh DDS log file.
LDTate Posted January 5, 2013 ID:630632
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!