nervous to attempt csrss.exe removal

[bobjohnson]

I have a spare xp box here that I connect to with windows rdp. Recently I've been using it for website development and that's probably opened me up as a target. I've been running a wampp setup.

Will mbam just delete csrss.exe, do I need to restore it from a .cab or something?

mbam lists:

Memory Processes Detected: 1
C:\WINDOWS\csrss.exe (Trojan.Dropper) -> 1556 -> No action taken.

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\CORBA component broker (Trojan.Dropper) -> No action taken.

Files Detected: 2
C:\WINDOWS\csrss.exe (Trojan.Dropper) -> No action taken.
C:\RECYCLER\S-1-5-21-2740448516-2252687946-3575532517-1007\Dc31.exe (Packer.ModifiedUPX) -> No action taken.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Bob at 12:46:53 on 2013-05-12
#Option Extended Search is enabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2294.1935 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uProxyOverride = 127.0.0.1:9421;<local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [Akamai NetSession Interface] "c:\documents and settings\bob\local settings\application data\akamai\netsession_win.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AuditMode] c:\sysprep\factory.exe -logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{67C15E4A-8252-48E1-94AD-1DF509ADB5DD} : NameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R2 CORBA component broker;CORBA component broker;c:\windows\csrss.exe [2012-9-22 220160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 60 ================
.
2013-05-12 15:59:18 -------- d-----w- c:\windows\SxsCaPendDel
2013-05-12 04:22:07 -------- d-----w- c:\windows\pss
2013-05-12 03:34:46 -------- d-----w- c:\documents and settings\bob\application data\Malwarebytes
2013-05-12 03:34:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-05-12 03:34:30 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-12 03:34:30 -------- d-----w- c:\program files\MAntiV
2013-03-24 20:43:11 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2013-03-24 20:42:52 131808 ----a-w- c:\documents and settings\all users\application data\microsoft\vcsexpress\10.0\1033\ResourceCache.dll
2013-03-24 18:16:11 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2013-03-24 18:15:55 -------- d-----w- c:\program files\Microsoft Help Viewer
2013-03-24 18:15:20 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2013-03-24 18:15:05 -------- d-----w- c:\program files\Application Verifier
2013-03-24 18:13:19 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2013-03-24 17:47:22 -------- d-----w- c:\documents and settings\all users\application data\regid.1991-06.com.microsoft
2013-03-24 17:47:21 -------- d-----w- c:\documents and settings\all users\application data\Package Cache
2013-03-14 06:50:20 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
.
==================== Find6M  ====================
.
2013-04-18 07:43:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-18 07:43:41 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 18:48:19 15859416 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:28:24 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:28 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08:47 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 12:47:48.28 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/6/2011 9:46:16 PM
System Uptime: 5/12/2013 12:08:08 PM (0 hours ago)
.
Motherboard: Dell Inc.		   |  | 0CG815
Processor:			   Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 6.943 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP691: 4/14/2013 4:30:52 AM - System Checkpoint
RP692: 4/15/2013 12:00:28 AM - Software Distribution Service 3.0
RP693: 4/16/2013 1:32:42 AM - System Checkpoint
RP694: 4/17/2013 1:57:15 AM - System Checkpoint
RP695: 4/18/2013 4:33:16 AM - System Checkpoint
RP696: 4/19/2013 5:33:20 AM - System Checkpoint
RP697: 4/20/2013 5:39:12 AM - System Checkpoint
RP698: 4/21/2013 6:21:23 AM - System Checkpoint
RP699: 4/22/2013 6:22:35 AM - System Checkpoint
RP700: 4/23/2013 6:44:16 AM - System Checkpoint
RP701: 4/24/2013 7:25:33 AM - System Checkpoint
RP702: 4/25/2013 8:22:32 AM - System Checkpoint
RP703: 4/26/2013 9:37:14 AM - System Checkpoint
RP704: 4/27/2013 10:21:27 AM - System Checkpoint
RP705: 4/28/2013 10:47:45 AM - System Checkpoint
RP706: 4/29/2013 11:18:36 AM - System Checkpoint
RP707: 4/30/2013 11:22:46 AM - System Checkpoint
RP708: 5/1/2013 12:02:30 PM - System Checkpoint
RP709: 5/2/2013 1:27:25 PM - System Checkpoint
RP710: 5/3/2013 2:20:44 PM - System Checkpoint
RP711: 5/4/2013 2:22:47 PM - System Checkpoint
RP712: 5/5/2013 3:55:01 PM - System Checkpoint
RP713: 5/6/2013 4:22:37 PM - System Checkpoint
RP714: 5/7/2013 5:22:58 PM - System Checkpoint
RP715: 5/8/2013 5:32:36 PM - System Checkpoint
RP716: 5/9/2013 6:22:54 PM - System Checkpoint
RP717: 5/10/2013 7:22:54 PM - System Checkpoint
RP718: 5/11/2013 7:28:14 PM - System Checkpoint
RP719: 5/12/2013 11:40:49 AM - Removed 2007 Microsoft Office system
RP720: 5/12/2013 11:54:00 AM - Removed Google Earth Plug-in.
RP721: 5/12/2013 11:54:53 AM - Removed Microsoft Office Small Business Connectivity Components
RP722: 5/12/2013 11:55:08 AM - Removed Microsoft Office 2003 Web Components
RP723: 5/12/2013 11:55:23 AM - Removed Microsoft Office 2007 Primary Interop Assemblies
RP724: 5/12/2013 11:56:01 AM - Removed Microsoft SQL Server VSS Writer
RP725: 5/12/2013 11:56:17 AM - Removed Microsoft SQL Server Setup Support Files (English)
RP726: 5/12/2013 11:57:03 AM - Removed Microsoft SQL Server System CLR Types
RP727: 5/12/2013 11:57:53 AM - Removed Microsoft SQL Server Native Client
RP728: 5/12/2013 11:58:38 AM - Removed Microsoft SQL Server 2008 R2 Management Objects
RP729: 5/12/2013 11:59:46 AM - Removed Microsoft SQL Server Compact 3.5 SP2 ENU
RP730: 5/12/2013 12:01:24 PM - Removed Python 2.4.4
RP731: 5/12/2013 12:03:20 PM - Removed Verizon Wireless Software Upgrade Assistant - SAMSUNG (TL-PC).
RP732: 5/12/2013 12:04:28 PM - Removed Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.6)
AiO_Scan
Application Verifier
Audacity 1.3.14 (Unicode)
Blender (remove only)
Debugging Tools for Windows (x86)
FAGGOTlite program
FileZilla Client 3.6.0.2
Frhed 1.6.0
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958655-v2)
Hotfix for Windows XP (KB961118)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
ImgBurn
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
LAME v3.99.3 (for Windows)
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Help Viewer 1.0
Microsoft Visual C# 2010 Express - ENU
Microsoft Visual C++  Compilers 2010 Standard - enu - x86
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Visual C++ 6.0 Standard Edition
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio Express 2012 for Windows Desktop - ENU
Microsoft Windows Performance Toolkit
Microsoft Windows SDK .NET Framework Tools (30514)
Microsoft Windows SDK for Visual Studio .NET 4.0 Framework Tools
Microsoft Windows SDK for Windows 7 (7.1)
Microsoft Windows SDK for Windows 7 Common Utilities (30514)
Microsoft Windows SDK for Windows 7 Headers and Libraries (30514)
Microsoft Windows SDK for Windows 7 Samples (30514)
Microsoft Windows SDK for Windows 7 Utilities for Win32 Development (30514)
Microsoft Windows SDK Intellisense and Reference Assemblies (30514)
Microsoft Windows SDK MSHelp (30514)
Microsoft Windows SDK Net Fx Interop Headers And Libraries (30514)
Miranda IM 0.9.23
MSDN Library - Visual Studio 6.0
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
OpenOffice.org 3.3
Programmer's Notepad 2
PuTTY version 0.60
QFolder
Rcon Unlimited 1.0
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SoundMAX
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.11
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows SDK IntellisenseNFX
Wolfenstein - Enemy Territory
XAMPP 1.8.1
.
==== Event Viewer Messages From Past Week ========
.
5/11/2013 8:24:49 AM, error: Tcpip [4199]  - The system detected an address conflict for IP address 192.168.2.3 with the system having network hardware address 30:14:4A:73:E2:00. Network operations on this system may be disrupted as a result.
5/10/2013 9:43:57 AM, error: TermService [1006]  - The terminal server received large number of incomplete connections.  The system may be under attack.
5/10/2013 7:33:40 AM, error: TermServDevices [1111]  - Driver Microsoft Shared Fax Driver required for printer Fax is unknown. Contact the administrator to install the driver before you log in again.
.
==== End Of File ===========================

can anybody offer some experience with this?

thanks guys.

[Maniac]

Hello bobjohnson and ! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
  

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
• Put a checkmark beside loaded modules.
  
  
• A reboot will be needed to apply the changes. Do it.
  
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  
• Then click on Change parameters in TDSSKiller.
  
• Check all boxes then click OK.
  
  
• Click the Start Scan button.
  
  
• The scan should take no longer than 2 minutes.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[bobjohnson]

thanks Maniac,

it gave the option for 'quarantine'. Should I do that now?

16:35:59.0531 2888 ============================================================

16:35:59.0531 2888 Scan finished

16:35:59.0531 2888 ============================================================

16:35:59.0562 2880 Detected object count: 2

16:35:59.0562 2880 Actual detected object count: 2

16:37:05.0468 2880 CORBA component broker ( UnsignedFile.Multi.Generic ) - skipped by user

16:37:05.0468 2880 CORBA component broker ( UnsignedFile.Multi.Generic ) - User select action: Skip

16:37:05.0484 2880 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user

16:37:05.0484 2880 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip

16:37:08.0812 2120 Deinitialize success

[Maniac]

No, thanks.

Step 1

• Launch Malwarebytes' Anti-Malware
  
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Step 2

• Download on the desktop RogueKiller
  
• Quit all programs
  
• Start RogueKiller.exe
  
• Wait until Prescan has finished ...
  
• Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

In your next reply, post the following log files:

• Malwarebytes' Anti-Malware log
  
• RogueKiller log

[bobjohnson]

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.05.11.08Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bob :: BOBJF962 [administrator]
5/13/2013 6:11:45 PM
mbam-log-2013-05-13 (18-11-45).txtScan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 268098
Time elapsed: 12 minute(s), 53 second(s)
Memory Processes Detected: 1
C:\WINDOWS\csrss.exe (Trojan.Dropper) -> 1460 -> Delete on reboot.Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\CORBA component broker (Trojan.Dropper) -> Quarantined and deleted successfully.Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\WINDOWS\csrss.exe (Trojan.Dropper) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-2740448516-2252687946-3575532517-1007\Dc111.zip (Packer.ModifiedUPX) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2740448516-2252687946-3575532517-1007\Dc112\ETSFacade.exe (Packer.ModifiedUPX) -> Quarantined and deleted successfully.(end)

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bob [Admin rights]
Mode : Scan -- Date : 05/13/2013 18:36:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1	   localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST340014AS +++++
--- User ---
[MBR] f5ad08f91b4ebb7c4d3a01f9715b97a8
[BSP] 7eced53b7d29a13f4dd3c1324526b7b9 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 38146 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05132013_02d1836.txt >>
RKreport[1]_S_05132013_02d1836.txt

[Maniac]

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

[bobjohnson]

ComboFix 13-05-14.01 - Bob 05/14/2013  22:17:34.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2294.1935 [GMT -4:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\Application Data\ComUpdatusLog.txt
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-15 to 2013-05-15  )))))))))))))))))))))))))))))))
.
.
2013-05-12 18:06 . 2012-07-27 02:02 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-05-12 15:59 . 2013-05-12 16:08 -------- d-----w- c:\windows\SxsCaPendDel
2013-05-12 03:34 . 2013-05-12 03:34 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2013-05-12 03:34 . 2013-05-12 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-12 03:34 . 2013-05-12 03:34 -------- d-----w- c:\program files\MAntiV
2013-05-12 03:34 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-14 17:48 . 2012-04-16 00:33 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-14 17:48 . 2011-06-08 22:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-16 22:17 . 2009-12-21 18:56 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2009-12-21 18:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2009-12-21 18:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2009-12-21 18:56 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2009-12-21 18:56 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-03-24 20:44 . 2013-03-24 20:42 131808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2013-03-08 08:36 . 2009-12-21 18:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:28 . 2009-12-21 18:56 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-27 07:56 . 2009-12-21 20:05 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)
"WZCSVC"=2 (0x2)
"Spooler"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\ET\\ET.exe"=
"c:\\Program Files\\FAGGOTlite\\FAGGOTlite.exe"=
"c:\\fag-pub\\ETDED.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 10:18 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 17:48]
.
2013-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-01 14:43]
.
2013-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-01 14:43]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: Interfaces\{67C15E4A-8252-48E1-94AD-1DF509ADB5DD}: NameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-37448196.sys
SafeBoot-47481601.sys
MSConfigStartUp-Akamai NetSession Interface - c:\documents and settings\Bob\Local Settings\Application Data\Akamai\netsession_win.exe
MSConfigStartUp-AuditMode - c:\sysprep\factory.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-14 22:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-05-14  22:24:29
ComboFix-quarantined-files.txt  2013-05-15 02:24
.
Pre-Run: 7,497,031,680 bytes free
Post-Run: 9,769,697,280 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0026B4996D1B1D666A350EB84064319C

[Maniac]

Please scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
    Save it to your Desktop.
    
  • Double click on the to download the ESET Smart Installer. icon on your Desktop.
    

  [*]Check "YES, I accept the Terms of Use."

  [*]Click the Start button.

  [*]Accept any security warnings from your browser.

  [*]Under Scan Settings, check "Scan Archives" and "Remove found threats"

  [*]Click Advanced settings and select the following:

  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology

  [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  [*]When the scan completes, click List Threats

  [*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

  [*]Click the Back button.

  [*]Click the Finish button.

[bobjohnson]

C:\Documents and Settings\Bob\My Documents\Downloads\SetupImgBurn_2.5.6.0.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined

[Maniac]

How are things now?

[bobjohnson]

Thanks Maniac! I think it is pretty good.

should I check with a full scan from mbam, and housecall or something, or is eset sufficient?

Should I do something with, or delete, these quarantine files? do they have any problem in a backup scheme?

[Maniac]

cleaned by deleting - quarantined

It is already deleted.

Now is the time to perform all of the scans you want. Let me know about your results.

[bobjohnson]

I think it's all great Maniac.

I don't find any problems.

Thank you very much kind sir!

very cool of you doing this.

sincerely,

bj

[Maniac]

Glad I could help!

• Download OTC to your desktop and run it
  
• Click Yes to beginning the Cleanup process and remove these components, including this application.
  
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  

Next, uninstall ESET Online Scanner.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

[bobjohnson]

Excellent!

thank you again Maniac!

[Maniac]

You're welcome!

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!