
Author Topic: Win32/Sirefef.AC and .AH removal help needed  (Read 13537 times)


jimmib

    Win32/Sirefef.AC and .AH removal help needed
    « on: March 28, 2012, 06:50:07 AM »
    I did a search and followed instructions found in this thread: http://www.computerhope.com/forum/index.php?topic=124946.0
    After scanning in safe mode, mbam found 3 infected files. I deleted all. While running mbam in normal mode, Security Essentials detected the Win32/sirefef.AC and .AH several times. After mbam finished, the report showed no malicious items found. I still have the virus. I saved logs if you need them.
    Jim
    "An optimist is no more than a pessimist with an idea."

    SuperDave

    • Malware Removal Specialist


    Re: Win32/Sirefef.AC and .AH removal help needed
    « Reply #1 on: March 28, 2012, 12:22:12 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Please post whatever logs you have plus these.

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes.
    * If you encounter any problems while downloading the updates, manually download and unzip them from here.
    * Next click the Preferences button.
    * Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:
      - Close browsers before scanning
      - Scan for tracking cookies
      - Terminate memory threats before quarantining
      Please leave the others unchecked.
    * Click the Close button to leave the control center screen.
    * On the main screen click Scan your computer.
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK.
    * Make sure everything in the white box has a check next to it, then click Next.
    * It will quarantine what it found and if it asks if you want to reboot, click Yes.
    * To retrieve the removal information please do the following:
      - After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      - Click Preferences. Click the Statistics/Logs tab.
      - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      - It will open in your default text editor (preferably Notepad).
      - Save the notepad file to your desktop by clicking (in notepad) File > Save As...
    * Save the log somewhere you can easily find it (normally the desktop).
    * Click close and close again to exit the program.
    * Copy and paste the log in your post.
    *********************************************
    Download DDS from HERE or HERE and save it to your desktop.

    * Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).
    * XP users: double click on dds to run it.
    * If your antivirus or firewall tries to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs:
      1) DDS.txt
      2) Attach.txt
    * Save both reports to your desktop.
    * The instructions here ask you to attach the Attach.txt. Instead of attaching, please copy/paste both logs into your thread.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.

    * Close the program window, and delete the program from your desktop.

    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).
    Windows 8 and Windows 10 dual boot with two SSD's

    jimmib

      Re: Win32/Sirefef.AC and .AH removal help needed
      « Reply #2 on: March 28, 2012, 02:10:44 PM »
      Thanks in advance for your help. I am having a problem with dds. I am running XP service pack 3 and when I double click on it all that happens is a text doc in notepad appears. I even downloaded a second time, same thing.

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 03/28/2012 at 03:24 PM

      Application Version : 5.0.1146

      Core Rules Database Version : 8392
      Trace Rules Database Version: 6204

      Scan type       : Complete Scan
      Total Scan Time : 00:43:00

      Operating System Information
      Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
      Administrator

      Memory items scanned      : 439
      Memory threats detected   : 0
      Registry items scanned    : 35421
      Registry threats detected : 0
      File items scanned        : 84648
      File threats detected     : 59

      Adware.Tracking Cookie

      Malwarebytes Anti-Malware 1.60.1.1000
      www.malwarebytes.org

      Database version: v2012.03.28.02

      Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
      Internet Explorer 8.0.6001.18702
      Administrator :: OWNER-0F70C4740 [administrator]

      3/28/2012 6:44:54 AM
      mbam-log-2012-03-28 (06-44-54).txt

      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 311297
      Time elapsed: 31 minute(s), 21 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 3
      C:\WINDOWS\system32\ibmsmbus.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\merakpop3.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\xaudioservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

      (end)

      Malwarebytes Anti-Malware 1.60.1.1000
      www.malwarebytes.org

      Database version: v2012.03.28.02

      Windows XP Service Pack 3 x86 NTFS
      Internet Explorer 8.0.6001.18702
      User :: OWNER-0F70C4740 [administrator]

      3/28/2012 7:25:25 AM
      mbam-log-2012-03-28 (07-25-25).txt

      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 312665
      Time elapsed: 50 minute(s), 42 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 0
      (No malicious items detected)

      (end)

      Malwarebytes Anti-Malware 1.60.1.1000
      www.malwarebytes.org

      Database version: v2012.03.28.02

      Windows XP Service Pack 3 x86 NTFS
      Internet Explorer 8.0.6001.18702
      User :: OWNER-0F70C4740 [administrator]

      3/28/2012 1:57:25 PM
      mbam-log-2012-03-28 (13-57-25).txt

      Scan type: Full scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 312026
      Time elapsed: 30 minute(s), 42 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 1
      C:\WINDOWS\system32\ofcpfwsvc.dll (RootKit.0Access.H) -> Delete on reboot.

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 1
      C:\WINDOWS\system32\ofcpfwsvc.dll (RootKit.0Access.H) -> Delete on reboot.

      (end)
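Jim's three mbam logs show the pattern a defender should catch rather than read past: RootKit.0Access.H reported "Quarantined and deleted successfully" at 6:44 AM, a clean scan at 7:25 AM, and the same family back in memory at 1:57 PM. The Python below is an added example, not code from this thread or from Malwarebytes; it parses logs in the format posted above (sample lines constructed from those logs) and flags any detection family that returns after a reported removal.

```python
"""Triage mbam text logs for a detection that returns after a reported removal.
Added example: line shapes follow the mbam logs in this thread, not any Malwarebytes API."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Detection:
    category: str  # section header, e.g. "Files" or "Memory Modules"
    path: str
    name: str      # detection name, e.g. "RootKit.0Access.H"
    action: str    # e.g. "Quarantined and deleted successfully."

@dataclass
class ScanReport:
    when: datetime
    mode: str = "Normal"  # "Safe Mode/Networking" when the scan ran in safe mode
    detections: List[Detection] = field(default_factory=list)

# Line shapes taken from the mbam logs above.
TIME_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: \d+$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text: str) -> ScanReport:
    """Pull the scan time, boot mode and every detected item out of one log."""
    report = ScanReport(when=datetime.min)
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if TIME_RE.match(line):
            report.when = datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p")
        elif line.startswith("Windows ") and line.endswith(")"):
            # "... NTFS (Safe Mode/Networking)": the mode the scan ran in
            report.mode = line[line.rindex("(") + 1:-1]
        elif HEADER_RE.match(line):
            category = HEADER_RE.match(line).group("category")
        elif category is not None:
            m = ITEM_RE.match(line)  # "(No malicious items detected)" does not match
            if m:
                report.detections.append(
                    Detection(category, m.group("path"), m.group("name"), m.group("action")))
    return report

def family(name: str) -> str:
    """"RootKit.0Access.H" -> "RootKit.0Access": drop the per-variant suffix so a
    return as another variant still counts as the same threat coming back."""
    parts = name.split(".")
    return ".".join(parts[:-1]) if len(parts) > 2 else name

def find_reinfections(reports: List[ScanReport]) -> List[Tuple[str, datetime, datetime, str]]:
    """(family, removed_at, seen_again_at, path) for every family that one scan reported
    removed and a later scan found again. A clean scan in between does not reset it."""
    removed: Dict[str, datetime] = {}
    hits = []
    for r in sorted(reports, key=lambda x: x.when):
        for d in r.detections:
            fam = family(d.name)
            if fam in removed and removed[fam] < r.when:
                hits.append((fam, removed[fam], r.when, d.path))
        for d in r.detections:
            if "successfully" in d.action:
                removed.setdefault(family(d.name), r.when)
    return hits

def triage(log_texts: List[str]) -> List[str]:
    """One human-readable line per recurrence."""
    reports = [parse_mbam_log(t) for t in log_texts]
    return [f"{fam}: removed {a:%m/%d %H:%M}, back {b:%m/%d %H:%M} at {p}"
            for fam, a, b, p in find_reinfections(reports)]

# Constructed sample: the three logs above, cut down to the lines the parser reads.
SAMPLE_LOGS = [
    r"""Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
3/28/2012 6:44:54 AM
Files Detected: 3
C:\WINDOWS\system32\ibmsmbus.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\merakpop3.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xaudioservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
(end)""",
    r"""Windows XP Service Pack 3 x86 NTFS
3/28/2012 7:25:25 AM
Files Detected: 0
(No malicious items detected)
(end)""",
    r"""Windows XP Service Pack 3 x86 NTFS
3/28/2012 1:57:25 PM
Memory Modules Detected: 1
C:\WINDOWS\system32\ofcpfwsvc.dll (RootKit.0Access.H) -> Delete on reboot.
Files Detected: 1
C:\WINDOWS\system32\ofcpfwsvc.dll (RootKit.0Access.H) -> Delete on reboot.
(end)""",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_LOGS):
        print(line)
```

A path that itself contains " (" would confuse ITEM_RE's split, so treat the parser as a triage aid over logs of this shape, not a general log format.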

      SuperDave

      • Malware Removal Specialist


      Re: Win32/Sirefef.AC and .AH removal help needed
      « Reply #3 on: March 28, 2012, 07:29:14 PM »
      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
      ***********************************************************
      Download Combofix from any of the links below, and save it to your desktop

      Link 1
      Link 2
      Link 3

      To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
      • Close any open windows and double click ComboFix.exe to run it.

        You will see the following image:

      Click I Agree to start the program.

      ComboFix will then extract the necessary files and you will see this:

      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

      It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

      If you did not have it installed, you will see the prompt below. Choose YES.

      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      Click on Yes, to continue scanning for malware.

      When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

      Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

      Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

      jimmib

        Re: Win32/Sirefef.AC and .AH removal help needed
        « Reply #4 on: March 29, 2012, 06:27:03 AM »
        SuperDave, So far so good! Computer seems to be running good and hopefully you have gotten rid of the virus for me. Can't thank you enough, Jim

         Results of screen317's Security Check version 0.99.32 
         Windows XP Service Pack 3 x86   
         Internet Explorer 8 
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Security Center service is not running! This report may not be accurate!
         Windows Firewall Disabled! 
         COMODO Internet Security   
         Microsoft Security Essentials   
         Antivirus up to date! 
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         SUPERAntiSpyware     
         CCleaner     
         Java(TM) 6 Update 31 
          Adobe Flash Player    9.0.124.0 Flash Player out of Date! 
         Mozilla Firefox (3.0.19) Firefox out of Date! 
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

         Windows Defender MSMpEng.exe
         Comodo Firewall cmdagent.exe
         Comodo Firewall cfp.exe
         Microsoft Security Essentials msseces.exe
         Microsoft Security Client Antimalware MsMpEng.exe 
        ``````````End of Log````````````

        ComboFix 12-03-29.01 - User 03/29/2012   7:56.1.2 - x86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -4:00]
        Running from: c:\documents and settings\User\Desktop\ComboFix.exe
        AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
        FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
        .
        .
        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        c:\documents and settings\All Users\Application Data\TEMP
        c:\documents and settings\User\WINDOWS
        C:\Install.exe
        c:\windows\$NtUninstallKB58502$
        c:\windows\$NtUninstallKB58502$\2186156817
        c:\windows\$NtUninstallKB58502$\2218614971\@
        c:\windows\$NtUninstallKB58502$\2218614971\cfg.ini
        c:\windows\$NtUninstallKB58502$\2218614971\Desktop.ini
        c:\windows\$NtUninstallKB58502$\2218614971\L\uramoocp
        c:\windows\$NtUninstallKB58502$\2218614971\U\00000001.@
        c:\windows\$NtUninstallKB58502$\2218614971\U\00000002.@
        c:\windows\$NtUninstallKB58502$\2218614971\U\00000004.@
        c:\windows\$NtUninstallKB58502$\2218614971\U\80000000.@
        c:\windows\$NtUninstallKB58502$\2218614971\U\80000004.@
        c:\windows\$NtUninstallKB58502$\2218614971\U\80000032.@
        c:\windows\$NtUninstallKB58502$\2218614971\version
        c:\windows\system32\bszip.dll
        c:\windows\system32\CCXPButton.ocx
        c:\windows\system32\dds_trash_log.cmd
        c:\windows\system32\dllcache\dlimport.exe
        c:\windows\system32\PowerToyReadme.htm
        c:\windows\system32\WinSys.exe
        .
        Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
        Restored copy from - The cat found it :)
        .
        (((((((((((((((((((((((((   Files Created from 2012-02-28 to 2012-03-29  )))))))))))))))))))))))))))))))
        .
        .
        2012-03-29 11:54 . 2008-04-14 04:10   57600   ----a-w-   c:\windows\system32\drivers\redbook.sys
        2012-03-28 23:22 . 2012-03-13 23:15   6582328   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2D78DB5F-CAE1-4F70-ACDC-CA3D2199E0CF}\mpengine.dll
        2012-03-28 23:05 . 2012-03-28 23:05   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
        2012-03-28 23:05 . 2012-03-28 23:05   --------   d-----w-   c:\program files\Microsoft Security Client
        2012-03-28 22:59 . 2012-03-28 22:59   --------   d--h--w-   c:\windows\system32\GroupPolicy
        2012-03-28 15:17 . 2012-03-28 15:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2012-03-28 15:00 . 2012-03-28 15:00   --------   d-----w-   c:\program files\CCleaner
        2012-03-28 14:31 . 2012-03-28 14:31   --------   d-----w-   c:\documents and settings\User\Local Settings\Application Data\Comodo
        2012-03-28 14:29 . 2012-03-28 17:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\CPA_VA
        2012-03-28 14:28 . 2012-03-28 14:28   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
        2012-03-28 14:25 . 2012-03-28 14:26   --------   d-----w-   c:\program files\Comodo
        2012-03-28 14:25 . 2012-03-28 14:25   1700352   ----a-w-   c:\windows\system32\gdiplus.dll
        2012-03-12 01:13 . 2012-03-12 01:13   97760   ----a-w-   c:\windows\system32\drivers\inspect.sys
        2012-03-12 01:13 . 2012-03-12 01:13   494968   ----a-w-   c:\windows\system32\drivers\cmdGuard.sys
        2012-03-12 01:13 . 2012-03-12 01:13   31704   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
        2012-03-12 01:13 . 2012-03-12 01:13   18056   ----a-w-   c:\windows\system32\drivers\cmderd.sys
        2012-03-12 01:13 . 2012-03-12 01:13   33984   ----a-w-   c:\windows\system32\cmdcsr.dll
        2012-03-12 01:13 . 2012-03-12 01:13   301224   ----a-w-   c:\windows\system32\guard32.dll
        2012-03-03 16:35 . 2012-03-03 16:35   --------   d-----w-   c:\program files\Common Files\Java
        2012-03-03 16:35 . 2012-03-03 16:35   73728   ----a-w-   c:\windows\system32\javacpl.cpl
        .
        .
        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2012-03-03 16:35 . 2010-05-01 11:19   472808   ----a-w-   c:\windows\system32\deployJava1.dll
        2012-02-20 13:00 . 2011-05-19 21:03   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
        2012-02-03 09:22 . 2004-08-03 23:17   1860096   ----a-w-   c:\windows\system32\win32k.sys
        2012-01-31 12:44 . 2012-02-12 19:21   237072   ------w-   c:\windows\system32\MpSigStub.exe
        2012-01-11 19:06 . 2012-02-15 17:01   3072   ------w-   c:\windows\system32\iacenc.dll
        2012-01-09 16:20 . 2008-08-08 07:26   139784   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
        .
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
        "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-12 273544]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
        "RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-04-05 421888]
        "nwiz"="nwiz.exe" [2007-11-07 1626112]
        "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
        "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
        "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
        "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
        "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
        "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
        "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512]
        "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
        .
        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
        .
        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-8-9 25214]
        AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2006-9-7 10872]
        HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
        Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
        QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]
        .
        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
        "AppInit_DLLs"=c:\windows\system32\guard32.dll
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
        @=""
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
        @="Service"
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
        @="Service"
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
        @="Driver"
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001
        .
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)
        .
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\WINDOWS\\system32\\mmc.exe"=
        "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
        .
        R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/11/2012 9:13 PM 494968]
        R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/11/2012 9:13 PM 31704]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
        R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
        R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO GeekBuddy\CLPSLS.exe [11/23/2011 6:27 AM 1052472]
        S3 cpuz134;cpuz134;\??\c:\docume~1\User\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\User\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
        S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
        .
        NETSVCS REQUIRES REPAIRS - current entries shown
        .
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
        .
        .
        Contents of the 'Scheduled Tasks' folder
        .
        2012-03-29 c:\windows\Tasks\MP Scheduled Scan.job
        - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
        .
        2012-03-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1757981266-1972579041-682003330-1003.job
        - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
        .
        2012-03-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1757981266-1972579041-682003330-1003.job
        - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
        uInternet Connection Wizard,ShellNext = hxxp://sitedirector.symantec.com/932743328/?ssdcat=102&v=1&k=0&catb=CategoryInternet&Hv=1&Holang=iso:
        ENG&Holoc=iso:USA&Hover=5.1&Hcat=CategoryInternet&P1v=
        P2.00&P1sm=10753761&P1sp=10753761&P1sf=10751683&P1lang=EN&P1vid=unknown&P1vtag=0&P1lab=16928786&P1ltp=Retail&P1rem=58
        uInternet Settings,ProxyOverride = <local>
        Trusted Zone: download.com
        TCP: DhcpNameServer = 64.53.59.254 64.35.214.1
        DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
        DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXPopup.cab
        FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\8d7luczb.default\
        FF - prefs.js: browser.search.selectedEngine - MyStart Search
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
        FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_PMM_with_IM&search=
        FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
        FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
        FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
        .
        .
        ------- File Associations -------
        .
        .scr=AutoCADScriptFile
        .
        - - - - ORPHANS REMOVED - - - -
        .
        BHO-{DF95941F-08A5-482C-BEFF-37AEDC791B5F} - (no file)
        Toolbar-Locked - (no file)
        HKCU-Run-AdobeBridge - (no file)
        HKCU-Run-AllMyNotes - c:\program files\AllMyNotes Organizer\AllMyNotes.exe
        HKLM-Run-RegWork - c:\program files\RegWork\RegWork.exe
        HKU-Default-Run-msiexec.exe - msiconf.exe
        .
        .
        .
        **************************************************************************
        .
        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2012-03-29 08:06
        Windows 5.1.2600 Service Pack 3 NTFS
        .
        detected NTDLL code modification:
        ZwClose
        .
        scanning hidden processes ... 
        .
        scanning hidden autostart entries ...
        .
        scanning hidden files ... 
        .
        scan completed successfully
        hidden files: 0
        .
        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------
        .
        - - - - - - - > 'winlogon.exe'(752)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        c:\windows\system32\WININET.dll
        .
        - - - - - - - > 'lsass.exe'(808)
        c:\windows\system32\guard32.dll
        .
        - - - - - - - > 'explorer.exe'(172)
        c:\windows\system32\WININET.dll
        c:\windows\system32\guard32.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\webcheck.dll
        c:\windows\system32\WPDShServiceObj.dll
        c:\windows\system32\PortableDeviceTypes.dll
        c:\windows\system32\PortableDeviceApi.dll
        .
        - - - - - - - > 'csrss.exe'(724)
        c:\windows\system32\cmdcsr.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        c:\windows\system32\nvsvc32.exe
        c:\windows\system32\HPZipm12.exe
        c:\windows\RTHDCPL.EXE
        c:\windows\system32\RUNDLL32.EXE
        c:\windows\system32\wscntfy.exe
        c:\program files\COMODO\COMODO GeekBuddy\CLPS.exe
        c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
        c:\windows\system32\wbem\unsecapp.exe
        .
        **************************************************************************
        .
        Completion time: 2012-03-29  08:11:37 - machine was rebooted
        ComboFix-quarantined-files.txt  2012-03-29 12:11
        .
        Pre-Run: 300,167,376,896 bytes free
        Post-Run: 300,767,735,808 bytes free
        .
        WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        UnsupportedDebug="do not select this" /debug
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
        .
        - - End Of File - - 4F4A9B5A4AEBBA611DF27C73A1016EB2

        « Last Edit: March 29, 2012, 01:28:30 PM by SuperDave »

        SuperDave

        Re: Win32/Sirefef.AC and .AH removal help needed
        « Reply #5 on: March 29, 2012, 01:39:01 PM »
        You may have noticed this warning in ComboFix: NETSVCS REQUIRES REPAIRS - current entries shown
        You should download Fix-It by MS to resolve this issue.


        Please download and run MS Fix-it from here.

        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          KillAll::

          FireFox::
          Trusted Zone: download.com

          DDS::
          Trusted Zone: download.com

        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • I don't need to see the log from this script.
        ***************************************************
        SysProt Antirootkit

        Download
        SysProt Antirootkit from the link below (you will find it at the bottom
        of the page under attachments, or you can get it from one of the
        mirrors).

        http://sites.google.com/site/sysprotantirootkit/

        Unzip it into a folder on your desktop.
        • Double click Sysprot.exe to start the program.
        • Click on the Log tab.
        • In the Write to log box select the following items.
          • Process << Selected
          • Kernel Modules << Selected
          • SSDT << Selected
          • Kernel Hooks << Selected
          • IRP Hooks << NOT Selected
          • Ports << NOT Selected
          • Hidden Files << Selected
        • At the bottom of the page
          • Hidden Objects Only << Selected
        • Click on the Create Log button on the bottom right.
        • After a few seconds a new window should appear.
        • Select Scan Root Drive. Click on the Start button.
        • When it is complete a new window will appear to indicate that the scan is finished.
        • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
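The NETSVCS warning Dave points to is easiest to understand by checking the listed names against what a default install carries. The script below is an added example, not ComboFix's code or anything posted in this thread: it pulls the entries from a ComboFix log excerpt and reports which ones are not in an assumed baseline of default Windows XP SP3 netsvcs entries. The baseline is my own reconstruction and should be confirmed against a known-clean machine before being relied on. The embedded sample log is constructed in the shape of the log posted above, with three of its extra names spliced in after Rasauto.

```python
"""Diff the netsvcs entries reported by ComboFix against a default XP baseline.

Added example, not ComboFix's own code. Every name in the netsvcs value under
the Svchost registry key (the key ComboFix prints under the list) is a service
that the shared 'svchost.exe -k netsvcs' host will load if a service of that
name exists, so an entry outside the default set is worth a look.
"""

NETSVCS_HEADER = "NETSVCS REQUIRES REPAIRS - current entries shown"

# ASSUMPTION: baseline reconstructed from a default Windows XP SP3 install as
# the author of this example recalls it; confirm against a known-clean machine.
XP_SP3_NETSVCS_BASELINE = frozenset(name.lower() for name in """
    6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
    FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
    LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
    Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService
    Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov
    BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc
""".split())


def parse_netsvcs(log_text):
    """Return the entries ComboFix lists under the NETSVCS warning, in order.

    ComboFix prints the warning line, one service name per line, then a lone
    '.' followed by the registry key the list came from.
    """
    entries = []
    collecting = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == NETSVCS_HEADER:
            collecting = True
            continue
        if not collecting:
            continue
        if line in ("", ".") or line.startswith("HKEY_LOCAL_MACHINE"):
            break
        entries.append(line)
    return entries


def check_netsvcs(entries, baseline=XP_SP3_NETSVCS_BASELINE):
    """Classify entries as unexpected (not in baseline), missing, or duplicated."""
    lowered = [e.lower() for e in entries]
    unexpected = [e for e in entries if e.lower() not in baseline]
    missing = sorted(baseline - set(lowered))
    duplicates = sorted({e for e in lowered if lowered.count(e) > 1})
    return {"unexpected": unexpected, "missing": missing, "duplicates": duplicates}


# Constructed excerpt in the shape of the ComboFix log above: the default set
# with three extra names spliced in after Rasauto, as in the posted log.
SAMPLE_LOG = "\n".join(
    [r"S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]", ".",
     NETSVCS_HEADER]
    + """6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
    FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
    LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
    Rasauto HpqRemHid wanatw {6080a529-897e-4629-a488-aba0c29b635e} Rasman
    Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes
    TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv
    ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc""".split()
    + [".", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs"]
)

if __name__ == "__main__":
    report = check_netsvcs(parse_netsvcs(SAMPLE_LOG))
    for kind, names in report.items():
        print(f"{kind}: {names if names else 'none'}")
```

Run against the full log posted above, the unexpected list is the long run of names between Rasauto and Rasman; a tail of that length is exactly the kind of deviation the warning is about, and the fix Dave links restores the value to its default contents.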

        jimmib

          Re: Win32/Sirefef.AC and .AH removal help needed
          « Reply #6 on: March 29, 2012, 06:45:13 PM »
          Here ya go Dave. Thanks, Jim

          SysProt AntiRootkit v1.0.1.0
          by swatkat

          ******************************************************************************************
          ******************************************************************************************

          No Hidden Processes found

          ******************************************************************************************
          ******************************************************************************************
          Kernel Modules:
          Module Name: Combo-Fix.sys
          Service Name: ---
          Module Base: F7647000
          Module End: F7656000
          Hidden: Yes

          Module Name: \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{21B5674C-4A6D-4CC0-B70D-DB098056F090}\MpKsld5fa1b1a.sys
          Service Name: MpKsld5fa1b1a
          Module Base: F77B7000
          Module End: F77BD000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
          Service Name: ---
          Module Base: B60B5000
          Module End: B60CD000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
          Service Name: ---
          Module Base: F79D5000
          Module End: F79D7000
          Hidden: Yes

          Module Name: \??\C:\ComboFix\catchme.sys
          Service Name: catchme
          Module Base: B60ED000
          Module End: B60F5000
          Hidden: Yes

          Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
          Service Name: ---
          Module Base: F7A09000
          Module End: F7A0B000
          Hidden: Yes

          ******************************************************************************************
          ******************************************************************************************
          SSDT:
          Function Name: ZwAdjustPrivilegesToken
          Address: B6330824
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwConnectPort
          Address: B632FDD0
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwCreateFile
          Address: B633048A
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwCreateKey
          Address: B6331062
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwCreateSection
          Address: B6332C26
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwCreateSymbolicLinkObject
          Address: B6332FA4
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwCreateThread
          Address: B632F7BC
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwDeleteKey
          Address: B6330A10
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwDeleteValueKey
          Address: B6330C18
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwDuplicateObject
          Address: B632F5C2
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwEnumerateKey
          Address: B6331830
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwEnumerateValueKey
          Address: B6331A86
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwLoadDriver
          Address: B6332658
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwMakeTemporaryObject
          Address: B6330098
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwOpenFile
          Address: B6330666
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwOpenKey
          Address: B6331052
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwOpenProcess
          Address: B632F1F0
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwOpenSection
          Address: B6330332
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwOpenThread
          Address: B632F3F4
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwQueryKey
          Address: B6331C94
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwQueryMultipleValueKey
          Address: B63320E8
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwQueryValueKey
          Address: B6331EA6
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwRenameKey
          Address: B63315C8
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwSetSecurityObject
          Address: B6330E76
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwSetSystemInformation
          Address: B6332944
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwSetValueKey
          Address: B6331330
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwShutdownSystem
          Address: B6330002
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwSystemDebugControl
          Address: B633021E
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwTerminateProcess
          Address: B632FBD2
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          Function Name: ZwTerminateThread
          Address: B632F9C0
          Driver Base: B6326000
          Driver End: B639D000
          Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

          ******************************************************************************************
          ******************************************************************************************
          No Kernel Hooks found

          ******************************************************************************************
          ******************************************************************************************
          Hidden files/folders:
          Object: C:\Qoobox\BackEnv\AppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cache.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cookies.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Desktop.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Favorites.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\History.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Music.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\NetHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Personal.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Pictures.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Programs.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Recent.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SendTo.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SetPath.bat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartUp.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SysPath.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Templates.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\VikPev00
          Status: Access denied

          "An optimist is no more than a pessimist with an idea."

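Reading the SysProt SSDT section by hand means checking, for each hooked system call, which driver owns the handler. The script below is an added example and not SysProt's code: it parses entries in the format posted above, groups the hooked functions by driver file name, flags any driver not on an allowlist (here only cmdguard.sys, the COMODO driver that the ComboFix log identifies), and also verifies that each handler address lies inside the reporting driver's image range, a check that goes beyond what the log itself states. The embedded sample uses two entries from the log above plus one constructed entry for a driver called example_unknown.sys, which does not exist on this machine and is there only to show what a flagged entry looks like.

```python
"""Triage the SSDT section of a SysProt AntiRootkit log.

Added example, not SysProt's own code. Each SSDT entry names the system call,
the address its table slot now points to, and the driver whose image contains
that address. Two things matter to an analyst: is the hooking driver one we
recognise, and does the handler really fall inside that driver's image.
"""
import re

SSDT_ENTRY = re.compile(
    r"Function Name:\s*(?P<func>\S+)\s*"
    r"Address:\s*(?P<addr>[0-9A-Fa-f]+)\s*"
    r"Driver Base:\s*(?P<base>[0-9A-Fa-f]+)\s*"
    r"Driver End:\s*(?P<end>[0-9A-Fa-f]+)\s*"
    r"Driver Name:\s*(?P<driver>\S+)"
)

# Drivers we expect to see hooking the SSDT on this machine. cmdguard.sys is
# the COMODO Internet Security sandbox driver listed in the ComboFix log above.
KNOWN_HOOKING_DRIVERS = {"cmdguard.sys": "COMODO Internet Security"}


def parse_ssdt(log_text):
    """Return one dict per SSDT entry, with the hex fields as integers."""
    section = log_text.partition("SSDT:")[2]
    return [
        {"func": m["func"], "addr": int(m["addr"], 16),
         "base": int(m["base"], 16), "end": int(m["end"], 16),
         "driver": m["driver"]}
        for m in SSDT_ENTRY.finditer(section)
    ]


def triage_ssdt(hooks, known=KNOWN_HOOKING_DRIVERS):
    """Group hooked functions by driver file name and list anything suspicious."""
    by_driver = {}
    findings = []
    for h in hooks:
        name = h["driver"].rsplit("\\", 1)[-1].lower()
        by_driver.setdefault(name, []).append(h["func"])
        # A handler outside the image SysProt attributes it to is a red flag.
        if not (h["base"] <= h["addr"] < h["end"]):
            findings.append(f"{h['func']}: handler {h['addr']:08X} outside image of {name}")
        if name not in known:
            findings.append(f"{h['func']}: hooked by unrecognised driver {h['driver']}")
    return by_driver, findings


# Constructed excerpt: two entries copied from the posted log (both cmdguard.sys)
# plus one invented entry for example_unknown.sys, which is not on this machine.
SAMPLE_LOG = r"""
SSDT:
Function Name: ZwCreateFile
Address: B633048A
Driver Base: B6326000
Driver End: B639D000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenProcess
Address: B632F1F0
Driver Base: B6326000
Driver End: B639D000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwQueryDirectoryFile
Address: B6401234
Driver Base: B6400000
Driver End: B6410000
Driver Name: \??\C:\WINDOWS\system32\drivers\example_unknown.sys
"""

if __name__ == "__main__":
    by_driver, findings = triage_ssdt(parse_ssdt(SAMPLE_LOG))
    for driver, funcs in by_driver.items():
        print(f"{driver}: {len(funcs)} hooked calls ({', '.join(funcs)})")
    for line in findings:
        print("FLAG", line)
```

Applied to the full log Jim posted, every hooked call groups under cmdguard.sys with handlers inside its B6326000-B639D000 range, which is why that section reads as a security product doing its job rather than as a rootkit.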
          SuperDave

          Re: Win32/Sirefef.AC and .AH removal help needed
          « Reply #7 on: March 29, 2012, 07:02:32 PM »
          How's your computer working now?

          •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESET OnlineScan
          •Click the button.
          •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
          •Check
          •Click the button.
          •Accept any security warnings from your browser.
          •Check
          •Push the Start button.
          •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          •When the scan completes, push
          •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
          •Push the button.
          •Push
          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

          jimmib

            Re: Win32/Sirefef.AC and .AH removal help needed
            « Reply #8 on: March 30, 2012, 05:49:15 AM »
            Well Dave, I thought it was gone! Computer seemed to be back to normal, maybe even a little faster response.

            ESETSmartInstaller@High as CAB hook log:
            OnlineScanner.ocx - registred OK
            # version=7
            # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
            # OnlineScanner.ocx=1.0.0.6583
            # api_version=3.0.2
            # EOSSerial=aa9efd306744994ea058e0f581c297fd
            # end=finished
            # remove_checked=true
            # archives_checked=false
            # unwanted_checked=true
            # unsafe_checked=false
            # antistealth_checked=true
            # utc_time=2012-03-30 11:41:57
            # local_time=2012-03-30 07:41:57 (-0500, Eastern Daylight Time)
            # country="United States"
            # lang=1033
            # osver=5.1.2600 NT Service Pack 3
            # compatibility_mode=768 16777215 100 0 0 0 0 0
            # compatibility_mode=1024 16777215 100 0 0 0 0 0
            # compatibility_mode=3073 16777213 80 71 0 8686989 0 0
            # compatibility_mode=5891 16776533 42 87 0 29036641 0 0
            # compatibility_mode=8192 67108863 100 0 0 0 0 0
            # scanned=81225
            # found=18
            # cleaned=18
            # scan_time=2346
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1298\A0095061.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1298\A0095075.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0095157.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0095167.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0096167.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0097167.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0097181.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0098181.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0098195.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0098208.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0098221.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0098234.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1300\A0098243.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1301\A0098261.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1301\A0098523.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1301\A0098540.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1302\A0098559.sys   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            C:\System Volume Information\_restore{24BE2517-5E78-4A0C-9CEB-B74347752928}\RP1304\A0098635.dll   Win32/Sirefef.DA trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
            "An optimist is no more than a pessimist with an idea."

            SuperDave

            Re: Win32/Sirefef.AC and .AH removal help needed
            « Reply #9 on: March 30, 2012, 11:30:06 AM »
            Ok. We can do some cleanup.

            To uninstall ComboFix

            • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
            • In the field, type in ComboFix /uninstall


            (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

            • Then, press Enter, or click OK.
            • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
            ****************************************************
            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
            *************************************************
            Use the Secunia Software Inspector to check for out of date software.

            •Click Start Now

            •Check the box next to Enable thorough system inspection.

            •Click Start

            •Allow the scan to finish and scroll down to see if any updates are needed.
            •Update anything listed.
            .
            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
            Safe Surfing!