
Author Topic: No Internet Access after virus removal :(  (Read 36350 times)


nasroo7

    Topic Starter


    Intermediate
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 10
    No Internet Access after virus removal :(
    « on: January 06, 2012, 04:56:03 PM »
    Hello!




       First, thank you a lot for being here!
    My friend got infected by a virus. All Exe files were not working anymore (telling me to choose a program to open with).

    So, what I did was:
     - Ran "ExeFix.reg" that I found online. (I put it in the next reply, to explain what it is) > Exe were working again.
     - Ran "FixNCR.reg" that I saw in a newspaper.
     - Ran "RKill" (no process was stopped)
     - Malwarebytes "Full scan" > 20 threats (I know I'm bad, but I don't have the log anymore) (I remember: Virus:Win32/Sirefef.N and Rogue:Win32/FakeRean)
     - Super Antispyware "Full scan" (as described in "Read this before requesting malware removal help") > 201 Adwares
     - Microsoft Security Essentials "Full scan" > No threats
     - AVP Tool by Kaspersky (As described by "SuperDave" in another topic) > 5 threats (While it was scanning, Microsoft Security Essentials was blocking "Virus:Win32/Sirefef.N and Rogue:Win32/FakeRean")
     - TdsKiller > No threats
     - SpyBot > No threats
     - CCleaner

    At that point, I ran Malwarebytes, SuperAntiSpyware and Microsoft Security Essentials again (full scans in Safe Mode and regular mode). No threats detected anymore.

     (all of that took me like 5 days)



    Now, Internet was working, and no sign of Viruses.
    But Windows Updates wasn't working (iexplorer cannot display the web page)
    And the Security Center was turned OFF.

     - I found online "http://support.microsoft.com/kb/883614"
    I did it. It didn't solve the problem.

    I ran LSPFix ... found some issues... clicked on Fix. But now there is NO internet at ALL. (I ran LSPFix because one time I wasn't able to access the Internet and "SuperDave" told me to use it. =P ) But I didn't have to do it this time, I guess...?

    So, I tried to reset all Iexplorer settings in "Reset Default"; it doesn't solve the problem.
    There is no PROXY, and everything is on "Detect Automatically... IP, DNS..."
    I tried to activate the firewall, it tells me that it cannot start "Connection Sharing ICS service"
    I tried to start the Automatic Updates service, but it tells me "It had to stop, because it has no action to take."


    I know that you suggest that we have to start by asking you first. But I wanted to do it by myself.
    And I know that you do it for free, so I don't want to bother you every time I'm on a computer.


    I ran all again
    I don't have all the logs, because after I ran Malwarebytes, I deleted it. And same thing with all the other virus removal software. Except for Microsoft Security Essentials.

    So, I ran DDS, Hijack This, and ComboFix (commy) as described by "SuperDave" in another post.
    Here are the logs.

    I know that maybe you cannot help me since I didn't start everything with you... But if you can do something, that would be great.

    Here are all the logs. And tell me if there is something you can do for me or not :s



    So basically, now:
    In Network Connections: It's "Limited or no connectivity" (Computer is plugged to Ethernet > I plugged the same Ethernet cable to my laptop, and it's working)
    No Internet at all

    Put an internal PCI Ethernet Card into the desktop... But same thing.
    Everything in Device Manager looks fine.


    « Last Edit: January 06, 2012, 05:56:04 PM by nasroo7 »

    nasroo7

      Re: No Internet Access after virus removal :(
      « Reply #1 on: January 06, 2012, 04:57:22 PM »
      HiJackThis log:



      Logfile of Trend Micro HijackThis v2.0.4
      Scan saved at 6:12:13 PM, on 1/6/2012
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
      c:\WINDOWS\system32\ZuneBusEnum.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\Zune\ZuneLauncher.exe
      C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
      C:\WINDOWS\RTHDCPL.EXE
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\Program Files\Microsoft Security Client\msseces.exe
      C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
      C:\Program Files\Windows Desktop Search\WindowsSearch.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\SearchProtocolHost.exe
      C:\Documents and Settings\Annette\Desktop\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
      O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
      O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
      O4 - HKLM\..\Run: [USBToolTip] C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
      O4 - HKLM\..\Run: [Spybot-S&D Cleaning] "C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
      O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
      O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
      O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
      O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251588442812
      O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
      O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
      O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

      --
      End of file - 6195 bytes

      nasroo7

        Re: No Internet Access after virus removal :(
        « Reply #2 on: January 06, 2012, 04:57:45 PM »
        DDS log

        .
        UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
        IF REQUESTED, ZIP IT UP & ATTACH IT
        .
        DDS (Ver_2011-08-26.01)
        .
        Microsoft Windows XP Professional
        Boot Device: \Device\HarddiskVolume1
        Install Date: 8/3/2009 11:40:05 AM
        System Uptime: 1/6/2012 4:45:11 PM (1 hours ago)
        .
        Motherboard: BIOSTAR Group |  | N61PB-M2S
        Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2  | 2712/201mhz
        .
        ==== Disk Partitions =========================
        .
        A: is Removable
        C: is FIXED (NTFS) - 149 GiB total, 117.432 GiB free.
        D: is CDROM (UDF)
        .
        ==== Disabled Device Manager Items =============
        .
        ==== System Restore Points ===================
        .
        RP1: 1/5/2012 2:37:43 PM - System Checkpoint
        RP2: 1/6/2012 2:10:33 PM - Restore Operation
        RP3: 1/6/2012 2:53:25 PM - Restore Operation
        .
        ==== Installed Programs ======================
        .
        Adobe Flash Player 11 ActiveX
        Advertising Center
        Critical Update for Windows Media Player 11 (KB959772)
        High Definition Audio Driver Package - KB888111
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
        Hotfix for Windows Media Format 11 SDK (KB929399)
        Hotfix for Windows Media Player 11 (KB939683)
        Hotfix for Windows XP (KB2158563)
        Hotfix for Windows XP (KB2443685)
        Hotfix for Windows XP (KB2570791)
        Hotfix for Windows XP (KB2633952)
        Hotfix for Windows XP (KB915800-v4)
        Hotfix for Windows XP (KB932716-v2)
        Hotfix for Windows XP (KB942288-v3)
        Hotfix for Windows XP (KB952287)
        Hotfix for Windows XP (KB954550-v5)
        Hotfix for Windows XP (KB961118)
        Hotfix for Windows XP (KB970653-v3)
        Hotfix for Windows XP (KB976098-v2)
        Hotfix for Windows XP (KB979306)
        Hotfix for Windows XP (KB981793)
        ImagXpress
        Java Auto Updater
        Java(TM) 6 Update 30
        Juice 2.2
        Knoll Light Factory EZ Studio
        Media Converter for Philips
        Menu Templates - Starter Kit
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 1.1 Security Update (KB2572067)
        Microsoft .NET Framework 1.1 Security Update (KB979906)
        Microsoft .NET Framework 2.0 Service Pack 2
        Microsoft .NET Framework 3.0 Service Pack 2
        Microsoft .NET Framework 3.5 SP1
        Microsoft .NET Framework 4 Client Profile
        Microsoft .NET Framework 4 Extended
        Microsoft Antimalware
        Microsoft Application Error Reporting
        Microsoft Base Smart Card Cryptographic Service Provider Package
        Microsoft Compression Client Pack 1.0 for Windows XP
        Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
        Microsoft Office 2000 Premium
        Microsoft Security Client
        Microsoft Security Essentials
        Microsoft UI Engine
        Microsoft User-Mode Driver Framework Feature Pack 1.9
        Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
        Microsoft Visual C++ 2005 Redistributable
        Microsoft WinUsb 1.0
        Movie Templates - Starter Kit
        MSXML 4.0 SP2 (KB954430)
        MSXML 4.0 SP2 (KB973688)
        MSXML 6 Service Pack 2 (KB954459)
        Napster
        Napster Burn Engine
        Nero 9 Essentials
        Nero BurnRights
        Nero BurnRights Help
        Nero ControlCenter
        Nero CoverDesigner
        Nero CoverDesigner Help
        Nero DiscSpeed
        Nero DiscSpeed Help
        Nero DriveSpeed
        Nero DriveSpeed Help
        Nero Express Help
        Nero InfoTool
        Nero InfoTool Help
        Nero Installer
        Nero Online Upgrade
        Nero Rescue Agent
        Nero ShowTime
        Nero StartSmart
        Nero StartSmart Help
        Nero Vision
        Nero Vision Help
        NeroExpress
        neroxml
        NVIDIA Control Panel 275.33
        NVIDIA Display Control Panel
        NVIDIA Drivers
        NVIDIA Graphics Driver 275.33
        NVIDIA Install Application
        NVIDIA nView 135.85
        NVIDIA nView Desktop Manager
        NVIDIA Update 1.3.5
        NVIDIA Update Components
        Pinnacle Creative Pack Volume 2
        Pinnacle Studio 14
        Pinnacle Studio Ultimate Plugins
        Pinnacle Video Driver
        Realtek High Definition Audio Driver
        Red Giant ToonIt Studio
        Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
        Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
        Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
        Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
        Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
        Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
        Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
        Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
        Security Update for Microsoft Windows (KB2564958)
        Security Update for Windows Internet Explorer 8 (KB2183461)
        Security Update for Windows Internet Explorer 8 (KB2360131)
        Security Update for Windows Internet Explorer 8 (KB2416400)
        Security Update for Windows Internet Explorer 8 (KB2482017)
        Security Update for Windows Internet Explorer 8 (KB2497640)
        Security Update for Windows Internet Explorer 8 (KB2510531)
        Security Update for Windows Internet Explorer 8 (KB2530548)
        Security Update for Windows Internet Explorer 8 (KB2544521)
        Security Update for Windows Internet Explorer 8 (KB2559049)
        Security Update for Windows Internet Explorer 8 (KB2586448)
        Security Update for Windows Internet Explorer 8 (KB2618444)
        Security Update for Windows Internet Explorer 8 (KB971961)
        Security Update for Windows Internet Explorer 8 (KB972260)
        Security Update for Windows Internet Explorer 8 (KB974455)
        Security Update for Windows Internet Explorer 8 (KB976325)
        Security Update for Windows Internet Explorer 8 (KB978207)
        Security Update for Windows Internet Explorer 8 (KB981332)
        Security Update for Windows Internet Explorer 8 (KB982381)
        Security Update for Windows Media Player (KB2378111)
        Security Update for Windows Media Player (KB911564)
        Security Update for Windows Media Player (KB952069)
        Security Update for Windows Media Player (KB954155)
        Security Update for Windows Media Player (KB968816)
        Security Update for Windows Media Player (KB973540)
        Security Update for Windows Media Player (KB975558)
        Security Update for Windows Media Player (KB978695)
        Security Update for Windows Media Player 11 (KB936782)
        Security Update for Windows Media Player 11 (KB954154)
        Security Update for Windows Media Player 6.4 (KB925398)
        Security Update for Windows Media Player 9 (KB936782)
        Security Update for Windows Search 4 - KB963093
        Security Update for Windows XP (KB2079403)
        Security Update for Windows XP (KB2115168)
        Security Update for Windows XP (KB2121546)
        Security Update for Windows XP (KB2160329)
        Security Update for Windows XP (KB2229593)
        Security Update for Windows XP (KB2259922)
        Security Update for Windows XP (KB2279986)
        Security Update for Windows XP (KB2286198)
        Security Update for Windows XP (KB2296011)
        Security Update for Windows XP (KB2296199)
        Security Update for Windows XP (KB2347290)
        Security Update for Windows XP (KB2360937)
        Security Update for Windows XP (KB2387149)
        Security Update for Windows XP (KB2393802)
        Security Update for Windows XP (KB2412687)
        Security Update for Windows XP (KB2419632)
        Security Update for Windows XP (KB2423089)
        Security Update for Windows XP (KB2436673)
        Security Update for Windows XP (KB2440591)
        Security Update for Windows XP (KB2443105)
        Security Update for Windows XP (KB2476490)
        Security Update for Windows XP (KB2476687)
        Security Update for Windows XP (KB2478960)
        Security Update for Windows XP (KB2478971)
        Security Update for Windows XP (KB2479628)
        Security Update for Windows XP (KB2479943)
        Security Update for Windows XP (KB2481109)
        Security Update for Windows XP (KB2483185)
        Security Update for Windows XP (KB2485376)
        Security Update for Windows XP (KB2485663)
        Security Update for Windows XP (KB2491683)
        Security Update for Windows XP (KB2503658)
        Security Update for Windows XP (KB2503665)
        Security Update for Windows XP (KB2506212)
        Security Update for Windows XP (KB2506223)
        Security Update for Windows XP (KB2507618)
        Security Update for Windows XP (KB2507938)
        Security Update for Windows XP (KB2508272)
        Security Update for Windows XP (KB2508429)
        Security Update for Windows XP (KB2509553)
        Security Update for Windows XP (KB2511455)
        Security Update for Windows XP (KB2524375)
        Security Update for Windows XP (KB2535512)
        Security Update for Windows XP (KB2536276-v2)
        Security Update for Windows XP (KB2536276)
        Security Update for Windows XP (KB2544893-v2)
        Security Update for Windows XP (KB2544893)
        Security Update for Windows XP (KB2555917)
        Security Update for Windows XP (KB2562937)
        Security Update for Windows XP (KB2566454)
        Security Update for Windows XP (KB2567053)
        Security Update for Windows XP (KB2567680)
        Security Update for Windows XP (KB2570222)
        Security Update for Windows XP (KB2570947)
        Security Update for Windows XP (KB2592799)
        Security Update for Windows XP (KB2618451)
        Security Update for Windows XP (KB2619339)
        Security Update for Windows XP (KB2620712)
        Security Update for Windows XP (KB2624667)
        Security Update for Windows XP (KB2633171)
        Security Update for Windows XP (KB2639417)
        Security Update for Windows XP (KB923561)
        Security Update for Windows XP (KB923789)
        Security Update for Windows XP (KB938464-v2)
        Security Update for Windows XP (KB941569)
        Security Update for Windows XP (KB946648)
        Security Update for Windows XP (KB950762)
        Security Update for Windows XP (KB950974)
        Security Update for Windows XP (KB951066)
        Security Update for Windows XP (KB951376-v2)
        Security Update for Windows XP (KB951748)
        Security Update for Windows XP (KB952004)
        Security Update for Windows XP (KB952954)
        Security Update for Windows XP (KB954459)
        Security Update for Windows XP (KB954600)
        Security Update for Windows XP (KB955069)
        Security Update for Windows XP (KB956572)
        Security Update for Windows XP (KB956744)
        Security Update for Windows XP (KB956802)
        Security Update for Windows XP (KB956803)
        Security Update for Windows XP (KB956844)
        Security Update for Windows XP (KB957097)
        Security Update for Windows XP (KB958644)
        Security Update for Windows XP (KB958687)
        Security Update for Windows XP (KB958869)
        Security Update for Windows XP (KB959426)
        Security Update for Windows XP (KB960225)
        Security Update for Windows XP (KB960803)
        Security Update for Windows XP (KB960859)
        Security Update for Windows XP (KB961371)
        Security Update for Windows XP (KB961501)
        Security Update for Windows XP (KB968537)
        Security Update for Windows XP (KB969059)
        Security Update for Windows XP (KB969947)
        Security Update for Windows XP (KB970238)
        Security Update for Windows XP (KB970430)
        Security Update for Windows XP (KB971468)
        Security Update for Windows XP (KB971486)
        Security Update for Windows XP (KB971557)
        Security Update for Windows XP (KB971633)
        Security Update for Windows XP (KB971657)
        Security Update for Windows XP (KB972260)
        Security Update for Windows XP (KB972270)
        Security Update for Windows XP (KB973346)
        Security Update for Windows XP (KB973354)
        Security Update for Windows XP (KB973507)
        Security Update for Windows XP (KB973525)
        Security Update for Windows XP (KB973869)
        Security Update for Windows XP (KB973904)
        Security Update for Windows XP (KB974112)
        Security Update for Windows XP (KB974318)
        Security Update for Windows XP (KB974392)
        Security Update for Windows XP (KB974571)
        Security Update for Windows XP (KB975025)
        Security Update for Windows XP (KB975467)
        Security Update for Windows XP (KB975560)
        Security Update for Windows XP (KB975561)
        Security Update for Windows XP (KB975562)
        Security Update for Windows XP (KB975713)
        Security Update for Windows XP (KB977165)
        Security Update for Windows XP (KB977816)
        Security Update for Windows XP (KB977914)
        Security Update for Windows XP (KB978037)
        Security Update for Windows XP (KB978251)
        Security Update for Windows XP (KB978262)
        Security Update for Windows XP (KB978338)
        Security Update for Windows XP (KB978542)
        Security Update for Windows XP (KB978601)
        Security Update for Windows XP (KB978706)
        Security Update for Windows XP (KB979309)
        Security Update for Windows XP (KB979482)
        Security Update for Windows XP (KB979559)
        Security Update for Windows XP (KB979683)
        Security Update for Windows XP (KB979687)
        Security Update for Windows XP (KB980195)
        Security Update for Windows XP (KB980218)
        Security Update for Windows XP (KB980232)
        Security Update for Windows XP (KB980436)
        Security Update for Windows XP (KB981322)
        Security Update for Windows XP (KB981852)
        Security Update for Windows XP (KB981957)
        Security Update for Windows XP (KB981997)
        Security Update for Windows XP (KB982132)
        Security Update for Windows XP (KB982214)
        Security Update for Windows XP (KB982665)
        Security Update for Windows XP (KB982802)
        Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
        Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
        Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
        Update for Microsoft .NET Framework 4 Extended (KB2468871)
        Update for Microsoft .NET Framework 4 Extended (KB2533523)
        Update for Microsoft Windows (KB971513)
        Update for Windows Internet Explorer 8 (KB2362765)
        Update for Windows Internet Explorer 8 (KB2447568)
        Update for Windows Internet Explorer 8 (KB972636)
        Update for Windows Internet Explorer 8 (KB973874)
        Update for Windows Internet Explorer 8 (KB975364)
        Update for Windows Internet Explorer 8 (KB976662)
        Update for Windows Internet Explorer 8 (KB976749)
        Update for Windows Internet Explorer 8 (KB980182)
        Update for Windows Internet Explorer 8 (KB980302)
        Update for Windows XP (KB2141007)
        Update for Windows XP (KB2345886)
        Update for Windows XP (KB2467659)
        Update for Windows XP (KB2492386)
        Update for Windows XP (KB2541763)
        Update for Windows XP (KB2607712)
        Update for Windows XP (KB2616676-v2)
        Update for Windows XP (KB2641690)
        Update for Windows XP (KB943729)
        Update for Windows XP (KB951978)
        Update for Windows XP (KB955759)
        Update for Windows XP (KB955839)
        Update for Windows XP (KB967715)
        Update for Windows XP (KB968389)
        Update for Windows XP (KB971029)
        Update for Windows XP (KB971737)
        Update for Windows XP (KB973687)
        Update for Windows XP (KB973815)
        WebFldrs XP
        Windows Genuine Advantage Notifications (KB905474)
        Windows Genuine Advantage Validation Tool (KB892130)
        Windows Imaging Component
        Windows Internet Explorer 8
        Windows Live ID Sign-in Assistant
        Windows Management Framework Core
        Windows Media Format 11 runtime
        Windows Media Format SDK Hotfix - KB891122
        Windows Media Player 11
        Windows PowerShell(TM) 1.0 MUI pack
        Windows Search 4.0
        Windows XP Service Pack 3
        Yahoo! Detect
        Zune
        Zune Language Pack (DE)
        Zune Language Pack (ES)
        Zune Language Pack (FR)
        Zune Language Pack (IT)
        .
        ==== Event Viewer Messages From Past Week ========
        .
        1/4/2012 2:24:36 AM, error: Service Control Manager [7023]  - The Network Location Awareness (NLA) service terminated with the following error:  The specified procedure could not be found.
        1/3/2012 9:14:00 PM, error: Service Control Manager [7000]  - The MCSTRM service failed to start due to the following error:  The system cannot find the file specified.
        1/3/2012 8:58:35 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Update Server    Update Stage: Search    Source Path: Default URL    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\SYSTEM    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80070424    Error description: The specified service does not exist as an installed service.
        1/3/2012 8:56:04 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP173\A0047464.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.1674.0, AS: 1.117.1674.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
        1/3/2012 7:56:40 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP173\A0047464.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.1674.0, AS: 1.117.1674.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
        1/3/2012 6:52:31 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072ee7    Error description: The server name or address could not be resolved
        1/3/2012 6:52:31 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072ee7    Error description: The server name or address could not be resolved
        1/3/2012 6:52:31 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiSpyware    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072ee7    Error description: The server name or address could not be resolved
        1/3/2012 6:52:31 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiSpyware    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072ee7    Error description: The server name or address could not be resolved
        1/3/2012 6:52:30 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Update Server    Update Stage: Search    Source Path: Default URL    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\SYSTEM    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80070424    Error description: The specified service does not exist as an installed service.
        1/3/2012 6:30:18 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072efd    Error description: A connection with the server could not be established
        1/3/2012 6:30:18 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072efd    Error description: A connection with the server could not be established
        1/3/2012 6:30:18 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiSpyware    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072efd    Error description: A connection with the server could not be established
        1/3/2012 6:30:18 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Malware Protection Center    Update Stage: Search    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.1674.0&asdelta=1.117.1674.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiSpyware    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80072efd    Error description: A connection with the server could not be established
        1/3/2012 6:30:15 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
        1/3/2012 6:30:13 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.1674.0    Update Source: Microsoft Update Server    Update Stage: Search    Source Path: Default URL    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\SYSTEM    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80070424    Error description: The specified service does not exist as an installed service.
        .
        ==== End Of File ===========================

        nasroo7

          Re: No Internet Access after virus removal :(
          « Reply #3 on: January 06, 2012, 04:58:10 PM »
          DDS log


          .
          DDS (Ver_2011-08-26.01) - NTFSx86
          Internet Explorer: 8.0.6001.18702
          Run by Annette at 17:58:57 on 2012-01-06
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1790.1124 [GMT -5:00]
          .
          AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
          .
          ============== Running Processes ===============
          .
          C:\WINDOWS\system32\svchost -k DcomLaunch
          svchost.exe
          c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
          C:\WINDOWS\System32\svchost.exe -k netsvcs
          C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
          svchost.exe
          svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          svchost.exe
          C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
          C:\WINDOWS\system32\nvsvc32.exe
          C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
          c:\WINDOWS\system32\ZuneBusEnum.exe
          C:\WINDOWS\system32\SearchIndexer.exe
          C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
          C:\Program Files\Common Files\Java\Java Update\jusched.exe
          C:\Program Files\Zune\ZuneLauncher.exe
          C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
          C:\WINDOWS\RTHDCPL.EXE
          C:\WINDOWS\system32\RUNDLL32.EXE
          C:\Program Files\Microsoft Security Client\msseces.exe
          C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
          C:\Program Files\Windows Desktop Search\WindowsSearch.exe
          C:\WINDOWS\system32\SearchProtocolHost.exe
          C:\WINDOWS\explorer.exe
          .
          ============== Pseudo HJT Report ===============
          .
          uStart Page = hxxp://www.rr.com/
          BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
          BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
          BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
          BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
          BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
          uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
          uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
          uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
          mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
          mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
          mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
          mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
          mRun: [RTHDCPL] RTHDCPL.EXE
          mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
          mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
          mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
          mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
          mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
          mRun: [Alcmtr] ALCMTR.EXE
          dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
          IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
          IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
          DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
          DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
          DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251588442812
          DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
          DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
          DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
          DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
          SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
          SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
          .
          ============= SERVICES / DRIVERS ===============
          .
          R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-8-3 13696]
          R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
          R1 MpKsl2e6c0200;MpKsl2e6c0200;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKsl2e6c0200.sys [2012-1-6 29904]
          S1 MpKsl607219cb;MpKsl607219cb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\mpksl607219cb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKsl607219cb.sys [?]
          S1 MpKslcf261482;MpKslcf261482;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{81a36ea3-d5b6-4b81-9e48-f2179236a830}\mpkslcf261482.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{81a36ea3-d5b6-4b81-9e48-f2179236a830}\MpKslcf261482.sys [?]
          S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
          S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-9-12 2214504]
          S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
          S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
          .
          =============== Created Last 30 ================
          .
          2012-01-06 21:45:38   29904   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKsl2e6c0200.sys
          2012-01-06 21:45:33   56200   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\offreg.dll
          2012-01-06 19:55:31   20992   -c--a-w-   c:\windows\system32\dllcache\rtl8139.sys
          2012-01-06 19:55:31   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
          2012-01-06 19:54:02   --------   d-----w-   c:\windows\system32\wbem\repository\FS
          2012-01-06 19:54:02   --------   d-----w-   c:\windows\system32\wbem\Repository
          2012-01-06 19:12:12   14592   -c--a-w-   c:\windows\system32\dllcache\kbdhid.sys
          2012-01-06 18:55:05   14592   ----a-w-   c:\windows\system32\drivers\kbdhid.sys
          2012-01-06 15:13:42   29904   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKslf611ffdd.sys
          2012-01-06 15:12:33   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
          2012-01-06 15:12:33   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
          2012-01-06 15:12:31   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
          2012-01-06 15:12:31   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
          2012-01-05 23:39:39   29904   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKsl2f6e07b0.sys
          2012-01-05 23:36:42   29904   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKsl8870e3ef.sys
          2012-01-05 23:30:26   29904   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKslb4b1b8de.sys
          2012-01-05 23:29:39   29904   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKsl0a986efc.sys
          2012-01-05 19:47:01   --------   d-----w-   c:\documents and settings\annette\local settings\application data\PCHealth
          2012-01-05 15:41:35   --------   dc----w-   c:\documents and settings\all users\application data\Spybot - Search & Destroy
          2012-01-05 15:41:24   --------   d-----w-   c:\program files\Spybot - Search & Destroy 2
          2012-01-05 01:21:33   --------   dc----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
          2012-01-04 22:06:29   --------   d-----w-   c:\documents and settings\annette\application data\Malwarebytes
          2012-01-04 02:04:21   --------   d-----w-   c:\windows\pss
          2012-01-04 01:58:50   6823496   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\mpengine.dll
          2012-01-03 23:40:54   --------   dc----w-   c:\documents and settings\all users\application data\Malwarebytes
          2012-01-03 23:40:50   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2011-12-23 22:36:21   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
          2011-12-23 22:36:21   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
          .
          ==================== Find3M  ====================
          .
          2011-12-15 01:15:15   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
          2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
          2011-11-15 19:29:56   222080   ------w-   c:\windows\system32\MpSigStub.exe
          2011-11-10 10:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
          2011-11-10 08:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
          2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
          2011-11-04 19:20:51   43520   ----a-w-   c:\windows\system32\licmgr10.dll
          2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
          2011-11-04 11:23:59   385024   ----a-w-   c:\windows\system32\html.iec
          2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
          2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
          2011-10-25 13:37:08   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
          2011-10-25 12:52:02   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
          2011-10-18 11:13:22   186880   ----a-w-   c:\windows\system32\encdec.dll
          2011-10-10 14:22:41   692736   ----a-w-   c:\windows\system32\inetcomm.dll
          .
          ============= FINISH: 17:59:58.84 ===============

          nasroo7

            Re: No Internet Access after virus removal :(
            « Reply #4 on: January 06, 2012, 05:00:56 PM »
            I know that you already know it, but to make sure whether I had a good one or not :s
            ExeFix.reg



            Windows Registry Editor Version 5.00
            [HKEY_CLASSES_ROOT\.exe]
            @="exefile"
            "Content Type"="application/x-msdownload"

            [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
            @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

            [HKEY_CLASSES_ROOT\exefile]
            @="Application"
            "EditFlags"=hex:38,07,00,00
            "TileInfo"="prop:FileDescription;Company;FileVersion"
            "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

            [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
            @="%1"

            [HKEY_CLASSES_ROOT\exefile\shell]

            [HKEY_CLASSES_ROOT\exefile\shell\open]
            "EditFlags"=hex:00,00,00,00

            [HKEY_CLASSES_ROOT\exefile\shell\open\command]
            @="\"%1\" %*"

            [HKEY_CLASSES_ROOT\exefile\shell\runas]

            [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
            @="\"%1\" %*"

            [HKEY_CLASSES_ROOT\exefile\shellex]

            [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
            @="{86C86720-42A0-1069-A2E8-08002B30309D}"

            [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

            [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
            @="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

            [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
            @="{86F19A00-42A0-1069-A2E9-08002B30309D}"

            [HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
            @="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

            nasroo7

              Re: No Internet Access after virus removal :(
              « Reply #5 on: January 06, 2012, 05:02:01 PM »
              Here is FixNCR.reg



              Windows Registry Editor Version 5.00

              [-HKEY_CLASSES_ROOT\.exe\shell]

              [-HKEY_CLASSES_ROOT\.exe\DefaultIcon]

              [HKEY_CLASSES_ROOT\.exe]
              @="exefile"

              [HKEY_CLASSES_ROOT\exefile]
              "Content Type"=-

              [HKEY_CLASSES_ROOT\exefile\shell\open\command]
              @="\"%1\" %*"
              "IsolatedCommand"=-

              [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
              "IsolatedCommand"=-

              [HKEY_CLASSES_ROOT\.bat]
              @="batfile"

              [HKEY_CLASSES_ROOT\batfile\shell\open\command]
              @="\"%1\" %*"

              [-HKEY_CURRENT_USER\SOFTWARE\Classes\.exe]

              [-HKEY_CURRENT_USER\Software\Classes\exefile]

              [-HKEY_CLASSES_ROOT\secfile]

              [-HKEY_CURRENT_USER\Software\Classes\secfile]

              [-HKEY_CLASSES_ROOT\pezfile]

              [-HKEY_CURRENT_USER\Software\Classes\pezfile]

              [-HKEY_CLASSES_ROOT\sezfile]

              [-HKEY_CURRENT_USER\Software\Classes\sezfile]

              [-HKEY_CLASSES_ROOT\ah]

              [-HKEY_CURRENT_USER\Software\Classes\ah]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
              @="firefox.exe"
               
              [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
              @="firefox.exe"

              [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
              @="iexplore.exe"

              nasroo7

                Re: No Internet Access after virus removal :(
                « Reply #6 on: January 06, 2012, 05:07:26 PM »
                ComboFix says that:

                Infected with Rootkit.ZeroAccess. It has inserted itself into the tcp/ip stack.

                nasroo7

                  Re: No Internet Access after virus removal :(
                  « Reply #7 on: January 06, 2012, 05:39:13 PM »
                  ComboFix 12-01-06.03 - Annette 01/06/2012  19:11:46.1.2 - x86
                  Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1790.1387 [GMT -5:00]
                  Running from: c:\documents and settings\Annette\Desktop\Commy.exe
                  AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                  .
                  WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  c:\documents and settings\Annette\Local Settings\Application Data\.#
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@A6C@383470.###
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@A6C@383480.###
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@A6C@383490.###
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@A6C@3834A0.###
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@EE8@383470.###
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@EE8@383480.###
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@EE8@383490.###
                  c:\documents and settings\Annette\Local Settings\Application Data\.#\MBX@EE8@3834A0.###
                  c:\windows\$NtUninstallKB34037$
                  c:\windows\$NtUninstallKB34037$\2551848175\@
                  c:\windows\$NtUninstallKB34037$\2551848175\bckfg.tmp
                  c:\windows\$NtUninstallKB34037$\2551848175\cfg.ini
                  c:\windows\$NtUninstallKB34037$\2551848175\Desktop.ini
                  c:\windows\$NtUninstallKB34037$\2551848175\keywords
                  c:\windows\$NtUninstallKB34037$\2551848175\kwrd.dll
                  c:\windows\$NtUninstallKB34037$\2551848175\L\gcjvwdai
                  c:\windows\$NtUninstallKB34037$\2551848175\lsflt7.ver
                  c:\windows\$NtUninstallKB34037$\2551848175\U\00000001.@
                  c:\windows\$NtUninstallKB34037$\2551848175\U\00000002.@
                  c:\windows\$NtUninstallKB34037$\2551848175\U\00000004.@
                  c:\windows\$NtUninstallKB34037$\2551848175\U\80000000.@
                  c:\windows\$NtUninstallKB34037$\2551848175\U\80000004.@
                  c:\windows\$NtUninstallKB34037$\2551848175\U\80000032.@
                  c:\windows\$NtUninstallKB34037$\3477138433
                  c:\windows\system32\NEW12.tmp
                  c:\windows\system32\NEW3B.tmp
                  c:\windows\system32\NEWB3.tmp
                  c:\windows\system32\NEWC4.tmp
                  .
                  c:\windows\system32\drivers\i8042prt.sys was missing
                  Restored copy from - c:\windows\system32\dllcache\i8042prt.sys
                  .
                  .
                  (((((((((((((((((((((((((   Files Created from 2011-12-07 to 2012-01-07  )))))))))))))))))))))))))))))))
                  .
                  .
                  2012-01-07 00:17 . 2008-04-13 20:18   52480   -c--a-w-   c:\windows\system32\dllcache\i8042prt.sys
                  2012-01-07 00:17 . 2008-04-13 20:18   52480   ----a-w-   c:\windows\system32\drivers\i8042prt.sys
                  2012-01-06 23:35 . 2011-11-21 10:47   6823496   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{50D1D361-24E3-4FAB-A8E4-0B8665C70743}\mpengine.dll
                  2012-01-06 19:55 . 2004-08-04 03:31   20992   -c--a-w-   c:\windows\system32\dllcache\rtl8139.sys
                  2012-01-06 19:55 . 2004-08-04 03:31   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
                  2012-01-06 19:54 . 2012-01-06 19:54   --------   d-----w-   c:\windows\system32\wbem\Repository
                  2012-01-06 19:12 . 2008-04-13 19:39   14592   -c--a-w-   c:\windows\system32\dllcache\kbdhid.sys
                  2012-01-06 18:55 . 2008-04-13 19:39   14592   ----a-w-   c:\windows\system32\drivers\kbdhid.sys
                  2012-01-06 15:12 . 2001-08-17 18:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                  2012-01-06 15:12 . 2001-08-17 18:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                  2012-01-06 15:12 . 2008-04-13 19:45   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
                  2012-01-06 15:12 . 2008-04-13 19:45   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
                  2012-01-05 19:47 . 2012-01-05 19:47   --------   d-----w-   c:\documents and settings\Annette\Local Settings\Application Data\PCHealth
                  2012-01-05 18:00 . 2012-01-05 18:00   --------   d-----w-   c:\program files\Common Files\Java
                  2012-01-05 15:41 . 2012-01-05 16:18   --------   dc----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                  2012-01-05 15:41 . 2012-01-05 17:42   --------   d-----w-   c:\program files\Spybot - Search & Destroy 2
                  2012-01-05 01:21 . 2012-01-05 01:21   --------   dc----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2012-01-04 22:06 . 2012-01-04 22:06   --------   d-----w-   c:\documents and settings\Annette\Application Data\Malwarebytes
                  2012-01-03 23:40 . 2012-01-03 23:40   --------   dc----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2012-01-03 23:40 . 2012-01-05 18:18   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2011-12-23 22:36 . 2008-04-13 19:45   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
                  2011-12-23 22:36 . 2008-04-13 19:45   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
                  2011-12-18 22:26 . 2011-12-18 22:26   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
                  .
                  .
                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2011-12-15 01:15 . 2011-05-18 00:55   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                  2011-11-23 13:25 . 2006-02-28 12:00   1859584   ----a-w-   c:\windows\system32\win32k.sys
                  2011-11-21 10:47 . 2011-10-20 13:04   6823496   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                  2011-11-15 19:29 . 2011-09-28 22:48   222080   ------w-   c:\windows\system32\MpSigStub.exe
                  2011-11-10 10:54 . 2010-06-21 13:06   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                  2011-11-10 08:27 . 2009-09-02 23:18   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                  2011-11-04 19:20 . 2006-02-28 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
                  2011-11-04 19:20 . 2006-02-28 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                  2011-11-04 19:20 . 2006-02-28 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
                  2011-11-04 11:23 . 2006-02-28 12:00   385024   ----a-w-   c:\windows\system32\html.iec
                  2011-11-01 16:07 . 2006-02-28 12:00   1288704   ----a-w-   c:\windows\system32\ole32.dll
                  2011-10-28 05:31 . 2006-02-28 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                  2011-10-25 13:37 . 2006-02-28 12:00   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
                  2011-10-25 12:52 . 2004-08-03 22:59   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
                  2011-10-18 11:13 . 2006-02-28 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
                  2011-10-10 14:22 . 2009-08-03 15:34   692736   ----a-w-   c:\windows\system32\inetcomm.dll
                  .
                  .
                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4
                  .
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
                  "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
                  "USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
                  "RTHDCPL"="RTHDCPL.EXE" [2008-09-24 16859648]
                  "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-21 111208]
                  "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
                  "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
                  "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
                  .
                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
                  .
                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                  Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
                  Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
                  .
                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
                  .
                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                  BootExecute   REG_MULTI_SZ      autocheck autochk *\0\0sdnclean.exe
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                  @="Service"
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                  @="Driver"
                  .
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
                  @="Service"
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                  "SeaPort"=2 (0x2)
                  "BBSvc"=3 (0x3)
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "DisableNotifications"= 1 (0x1)
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                  "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
                  "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
                  "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
                  "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
                  .
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                  "1177:UDP"= 1177:UDP:Windows Media Format SDK (napster.exe)
                  "1176:UDP"= 1176:UDP:Windows Media Format SDK (napster.exe)
                  "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
                  .
                  R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/3/2009 10:58 AM 13696]
                  R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [9/12/2011 7:42 AM 2214504]
                  S1 MpKsl607219cb;MpKsl607219cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{095F5527-8ED3-4BFF-B87D-BFFD993E4B45}\MpKsl607219cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{095F5527-8ED3-4BFF-B87D-BFFD993E4B45}\MpKsl607219cb.sys [?]
                  S1 MpKslcf261482;MpKslcf261482;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81A36EA3-D5B6-4B81-9E48-F2179236A830}\MpKslcf261482.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81A36EA3-D5B6-4B81-9E48-F2179236A830}\MpKslcf261482.sys [?]
                  S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
                  S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 7:00 AM 14336]
                  S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
                  .
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                  WINRM   REG_MULTI_SZ      WINRM
                  .
                  Contents of the 'Scheduled Tasks' folder
                  .
                  2012-01-07 c:\windows\Tasks\MP Scheduled Scan.job
                  - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.rr.com/
                  TCP: DhcpNameServer = 192.168.0.1
                  DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
                  .
                  - - - - ORPHANS REMOVED - - - -
                  .
                  Toolbar-Locked - (no file)
                  WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
                  HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  HKLM-Run-Spybot-S&D Cleaning - c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe
                  HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
                  SafeBoot-WudfPf
                  SafeBoot-WudfRd
                  AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
                  .
                  .
                  .
                  **************************************************************************
                  .
                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2012-01-06 19:23
                  Windows 5.1.2600 Service Pack 3 NTFS
                  .
                  scanning hidden processes ... 
                  .
                  scanning hidden autostart entries ...
                  .
                  scanning hidden files ... 
                  .
                  scan completed successfully
                  hidden files: 0
                  .
                  **************************************************************************
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------
                  .
                  - - - - - - - > 'explorer.exe'(3132)
                  c:\windows\system32\WININET.dll
                  c:\program files\Windows Desktop Search\deskbar.dll
                  c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
                  c:\program files\Windows Desktop Search\dbres.dll
                  c:\program files\Windows Desktop Search\wordwheel.dll
                  c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
                  c:\program files\Windows Desktop Search\msnlExtRes.dll
                  c:\windows\system32\msi.dll
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\webcheck.dll
                  c:\windows\system32\WPDShServiceObj.dll
                  c:\windows\system32\PortableDeviceTypes.dll
                  c:\windows\system32\PortableDeviceApi.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
                  c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
                  c:\windows\system32\nvsvc32.exe
                  c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
                  c:\windows\system32\SearchIndexer.exe
                  c:\windows\system32\ZuneBusEnum.exe
                  c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
                  c:\windows\system32\wscntfy.exe
                  c:\windows\RTHDCPL.EXE
                  c:\windows\system32\RUNDLL32.EXE
                  c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
                  .
                  **************************************************************************
                  .
                  Completion time: 2012-01-06  19:26:10 - machine was rebooted
                  ComboFix-quarantined-files.txt  2012-01-07 00:26
                  .
                  Pre-Run: 126,399,516,672 bytes free
                  Post-Run: 127,193,780,224 bytes free
                  .
                  - - End Of File - - 56EB521DAF4C3BE450845D3D9861CC73

                  nasroo7

                    Re: No Internet Access after virus removal :(
                    « Reply #8 on: January 06, 2012, 05:52:03 PM »
                    I ran ComboFix a second time, because the first time it suggested that if my internet connection doesn't come back after rebooting, I should run ComboFix again.





                    ComboFix 12-01-06.03 - Annette 01/06/2012  19:45:01.2.2 - x86
                    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1790.1165 [GMT -5:00]
                    Running from: c:\documents and settings\Annette\Desktop\Commy.exe
                    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                    .
                    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                    .
                    .
                    (((((((((((((((((((((((((   Files Created from 2011-12-07 to 2012-01-07  )))))))))))))))))))))))))))))))
                    .
                    .
                    2012-01-07 00:41 . 2012-01-07 00:41   29904   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04870AE8-89D6-4D57-AB08-BBFF7794D987}\MpKslaf327d42.sys
                    2012-01-07 00:41 . 2012-01-07 00:41   56200   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04870AE8-89D6-4D57-AB08-BBFF7794D987}\offreg.dll
                    2012-01-07 00:41 . 2011-11-21 10:47   6823496   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04870AE8-89D6-4D57-AB08-BBFF7794D987}\mpengine.dll
                    2012-01-07 00:17 . 2008-04-13 20:18   52480   -c--a-w-   c:\windows\system32\dllcache\i8042prt.sys
                    2012-01-07 00:17 . 2008-04-13 20:18   52480   ----a-w-   c:\windows\system32\drivers\i8042prt.sys
                    2012-01-06 19:55 . 2004-08-04 03:31   20992   -c--a-w-   c:\windows\system32\dllcache\rtl8139.sys
                    2012-01-06 19:55 . 2004-08-04 03:31   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
                    2012-01-06 19:54 . 2012-01-06 19:54   --------   d-----w-   c:\windows\system32\wbem\Repository
                    2012-01-06 19:12 . 2008-04-13 19:39   14592   -c--a-w-   c:\windows\system32\dllcache\kbdhid.sys
                    2012-01-06 18:55 . 2008-04-13 19:39   14592   ----a-w-   c:\windows\system32\drivers\kbdhid.sys
                    2012-01-06 15:12 . 2001-08-17 18:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                    2012-01-06 15:12 . 2001-08-17 18:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                    2012-01-06 15:12 . 2008-04-13 19:45   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
                    2012-01-06 15:12 . 2008-04-13 19:45   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
                    2012-01-05 19:47 . 2012-01-05 19:47   --------   d-----w-   c:\documents and settings\Annette\Local Settings\Application Data\PCHealth
                    2012-01-05 18:00 . 2012-01-05 18:00   --------   d-----w-   c:\program files\Common Files\Java
                    2012-01-05 15:41 . 2012-01-05 16:18   --------   dc----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                    2012-01-05 15:41 . 2012-01-05 17:42   --------   d-----w-   c:\program files\Spybot - Search & Destroy 2
                    2012-01-05 01:21 . 2012-01-05 01:21   --------   dc----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                    2012-01-04 22:06 . 2012-01-04 22:06   --------   d-----w-   c:\documents and settings\Annette\Application Data\Malwarebytes
                    2012-01-03 23:40 . 2012-01-03 23:40   --------   dc----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                    2012-01-03 23:40 . 2012-01-05 18:18   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                    2011-12-23 22:36 . 2008-04-13 19:45   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
                    2011-12-23 22:36 . 2008-04-13 19:45   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
                    2011-12-18 22:26 . 2011-12-18 22:26   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
                    .
                    .
                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2011-12-15 01:15 . 2011-05-18 00:55   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                    2011-11-23 13:25 . 2006-02-28 12:00   1859584   ----a-w-   c:\windows\system32\win32k.sys
                    2011-11-21 10:47 . 2011-10-20 13:04   6823496   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                    2011-11-15 19:29 . 2011-09-28 22:48   222080   ------w-   c:\windows\system32\MpSigStub.exe
                    2011-11-10 10:54 . 2010-06-21 13:06   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                    2011-11-10 08:27 . 2009-09-02 23:18   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                    2011-11-04 19:20 . 2006-02-28 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
                    2011-11-04 19:20 . 2006-02-28 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                    2011-11-04 19:20 . 2006-02-28 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
                    2011-11-04 11:23 . 2006-02-28 12:00   385024   ----a-w-   c:\windows\system32\html.iec
                    2011-11-01 16:07 . 2006-02-28 12:00   1288704   ----a-w-   c:\windows\system32\ole32.dll
                    2011-10-28 05:31 . 2006-02-28 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                    2011-10-25 13:37 . 2006-02-28 12:00   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
                    2011-10-25 12:52 . 2004-08-03 22:59   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
                    2011-10-18 11:13 . 2006-02-28 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
                    2011-10-10 14:22 . 2009-08-03 15:34   692736   ----a-w-   c:\windows\system32\inetcomm.dll
                    .
                    .
                    (((((((((((((((((((((((((((((   SnapShot@2012-01-07_00.23.06   )))))))))))))))))))))))))))))))))))))))))
                    .
                    + 2012-01-07 00:40 . 2012-01-07 00:40   16384              c:\windows\Temp\Perflib_Perfdata_738.dat
                    .
                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4
                    .
                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
                    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
                    "USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
                    "RTHDCPL"="RTHDCPL.EXE" [2008-09-24 16859648]
                    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-21 111208]
                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
                    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
                    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
                    .
                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
                    .
                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
                    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
                    .
                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
                    .
                    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                    BootExecute   REG_MULTI_SZ      autocheck autochk *\0\0sdnclean.exe
                    .
                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                    @="Service"
                    .
                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                    @="Driver"
                    .
                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
                    @="Service"
                    .
                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                    "SeaPort"=2 (0x2)
                    "BBSvc"=3 (0x3)
                    .
                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "DisableNotifications"= 1 (0x1)
                    .
                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
                    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
                    "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
                    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
                    .
                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                    "1177:UDP"= 1177:UDP:Windows Media Format SDK (napster.exe)
                    "1176:UDP"= 1176:UDP:Windows Media Format SDK (napster.exe)
                    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
                    .
                    R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/3/2009 10:58 AM 13696]
                    R1 MpKslaf327d42;MpKslaf327d42;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04870AE8-89D6-4D57-AB08-BBFF7794D987}\MpKslaf327d42.sys [1/6/2012 7:41 PM 29904]
                    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [9/12/2011 7:42 AM 2214504]
                    S1 MpKsl607219cb;MpKsl607219cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{095F5527-8ED3-4BFF-B87D-BFFD993E4B45}\MpKsl607219cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{095F5527-8ED3-4BFF-B87D-BFFD993E4B45}\MpKsl607219cb.sys [?]
                    S1 MpKslcf261482;MpKslcf261482;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81A36EA3-D5B6-4B81-9E48-F2179236A830}\MpKslcf261482.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81A36EA3-D5B6-4B81-9E48-F2179236A830}\MpKslcf261482.sys [?]
                    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
                    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 7:00 AM 14336]
                    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
                    .
                    --- Other Services/Drivers In Memory ---
                    .
                    *NewlyCreated* - MPKSLAF327D42
                    .
                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                    WINRM   REG_MULTI_SZ      WINRM
                    .
                    Contents of the 'Scheduled Tasks' folder
                    .
                    2012-01-07 c:\windows\Tasks\MP Scheduled Scan.job
                    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://www.rr.com/
                    TCP: DhcpNameServer = 192.168.0.1
                    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
                    .
                    .
                    **************************************************************************
                    .
                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2012-01-06 19:49
                    Windows 5.1.2600 Service Pack 3 NTFS
                    .
                    scanning hidden processes ... 
                    .
                    scanning hidden autostart entries ...
                    .
                    scanning hidden files ... 
                    .
                    scan completed successfully
                    hidden files: 0
                    .
                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------
                    .
                    - - - - - - - > 'explorer.exe'(1420)
                    c:\windows\system32\WININET.dll
                    c:\program files\Windows Desktop Search\deskbar.dll
                    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
                    c:\program files\Windows Desktop Search\dbres.dll
                    c:\program files\Windows Desktop Search\wordwheel.dll
                    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
                    c:\program files\Windows Desktop Search\msnlExtRes.dll
                    c:\windows\system32\msi.dll
                    c:\windows\system32\ieframe.dll
                    c:\windows\system32\webcheck.dll
                    c:\windows\system32\WPDShServiceObj.dll
                    c:\windows\system32\PortableDeviceTypes.dll
                    c:\windows\system32\PortableDeviceApi.dll
                    .
                    Completion time: 2012-01-06  19:50:34
                    ComboFix-quarantined-files.txt  2012-01-07 00:50
                    ComboFix2.txt  2012-01-07 00:26
                    .
                    Pre-Run: 127,159,844,864 bytes free
                    Post-Run: 127,150,477,312 bytes free
                    .
                    - - End Of File - - 1CA2E61BA42B8E5C545FE63CF21C8790

                    SuperDave

                    • Malware Removal Specialist
                    • Moderator


                    Re: No Internet Access after virus removal :(
                    « Reply #9 on: January 06, 2012, 07:36:58 PM »
                    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

                    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
                    2. The fixes are specific to your problem and should only be used for this issue on this machine.
                    3. If you don't know or understand something, please don't hesitate to ask.
                    4. Please DO NOT run any other tools or scans while I am helping you.
                    5. It is important that you reply to this thread. Do not start a new topic.
                    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
                    7. Absence of symptoms does not mean that everything is clear.

                    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
                    ***************************************************************
                    Please download MiniToolBox to Desktop and run it.



                    Checkmark the following boxes:

                      • Flush DNS
                      • Report IE Proxy Settings
                      • Reset IE Proxy Settings
                      • List content of Hosts
                      • List IP Configuration
                      • List Last 10 Event Viewer Errors
                      • List Users, Partitions and Memory Size
                      Click Go and copy/paste the log (Result.txt) into your next post.
                      Windows 8 and Windows 10 dual boot with two SSD's

                      nasroo7

                        Re: No Internet Access after virus removal :(
                        « Reply #10 on: January 07, 2012, 12:07:56 PM »
                        Here it is.
                        I checked only the ones you told me to, and left the others blank.



                        MiniToolBox by Farbar
                        Ran by Annette (administrator) on 07-01-2012 at 14:04:31
                        Microsoft Windows XP Professional Service Pack 3 (X86)
                        Boot Mode: Normal
                        ***************************************************************************

                        ========================= Flush DNS: ===================================


                        Windows IP Configuration



                        Successfully flushed the DNS Resolver Cache.


                        ========================= IE Proxy Settings: ==============================

                        Proxy is not enabled.
                        No Proxy Server is set.

                        "Reset IE Proxy Settings": IE Proxy Settings were reset.
                        ========================= Hosts content: =================================

                        127.0.0.1       localhost

                        ========================= IP Configuration: ================================

                        NVIDIA nForce 10/100 Mbps Ethernet  = Local Area Connection 3 (Media disconnected)
                        Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection 4 (Media disconnected)


                        # ----------------------------------
                        # Interface IP Configuration         
                        # ----------------------------------
                        pushd interface ip


                        # Interface IP Configuration for "Local Area Connection 4"

                        set address name="Local Area Connection 4" source=dhcp
                        set dns name="Local Area Connection 4" source=dhcp register=PRIMARY
                        set wins name="Local Area Connection 4" source=dhcp

                        # Interface IP Configuration for "Local Area Connection 3"

                        set address name="Local Area Connection 3" source=dhcp
                        set dns name="Local Area Connection 3" source=dhcp register=PRIMARY
                        set wins name="Local Area Connection 3" source=dhcp


                        popd
                        # End of interface IP configuration




                        Windows IP Configuration



                                Host Name . . . . . . . . . . . . : home-d8a73cbaee

                                Primary Dns Suffix  . . . . . . . :

                                Node Type . . . . . . . . . . . . : Broadcast

                                IP Routing Enabled. . . . . . . . : No

                                WINS Proxy Enabled. . . . . . . . : No



                        Ethernet adapter Local Area Connection 4:



                                Media State . . . . . . . . . . . : Media disconnected

                                Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC

                                Physical Address. . . . . . . . . : 00-11-95-21-7D-32



                        Ethernet adapter Local Area Connection 3:



                                Media State . . . . . . . . . . . : Media disconnected

                                Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet #3

                                Physical Address. . . . . . . . . : 00-E0-4D-BC-AC-A6

                        Server:  UnKnown
                        Address:  127.0.0.1

                        Ping request could not find host google.com. Please check the name and try again.

                        Server:  UnKnown
                        Address:  127.0.0.1

                        Ping request could not find host yahoo.com. Please check the name and try again.

                        Server:  UnKnown
                        Address:  127.0.0.1

                        Ping request could not find host bleepingcomputer.com. Please check the name and try again.



                        Pinging 127.0.0.1 with 32 bytes of data:



                        Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

                        Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



                        Ping statistics for 127.0.0.1:

                            Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

                        Approximate round trip times in milli-seconds:

                            Minimum = 0ms, Maximum = 0ms, Average = 0ms

                        ===========================================================================
                        Interface List
                        0x1 ........................... MS TCP Loopback interface
                        0x2 ...00 11 95 21 7d 32 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
                        0x3 ...00 e0 4d bc ac a6 ...... NVIDIA nForce Networking Controller #3 - Packet Scheduler Miniport
                        ===========================================================================
                        ===========================================================================
                        Active Routes:
                        Network Destination        Netmask          Gateway       Interface  Metric
                                127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
                          255.255.255.255  255.255.255.255  255.255.255.255               3     1
                          255.255.255.255  255.255.255.255  255.255.255.255               2     1
                        ===========================================================================
                        Persistent Routes:
                          None

                        ========================= Event log errors: ===============================

                        Application errors:
                        ==================
                        Error: (01/07/2012 01:40:38 PM) (Source: MPSampleSubmission) (User: )
                        Description: EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

                        Error: (01/06/2012 07:50:18 PM) (Source: MPSampleSubmission) (User: )
                        Description: EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

                        Error: (01/06/2012 07:31:08 PM) (Source: MPSampleSubmission) (User: )
                        Description: EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

                        Error: (01/06/2012 07:10:15 PM) (Source: JavaQuickStarterService) (User: )
                        Description: Unable to create JQS API server: socket() failed (Socket error 10044)

                        Error: (01/06/2012 05:55:02 PM) (Source: Windows Search Service) (User: )
                        Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

                        Context: Windows Application, SystemIndex Catalog

                        Error: (01/06/2012 04:55:41 PM) (Source: MPSampleSubmission) (User: )
                        Description: EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

                        Error: (01/06/2012 04:45:42 PM) (Source: JavaQuickStarterService) (User: )
                        Description: Unable to create JQS API server: socket() failed (Socket error 10044)

                        Error: (01/06/2012 02:55:25 PM) (Source: Windows Search Service) (User: )
                        Description: The application cannot be initialized.

                        Context: Windows Application

                        Details:
                           The content index metadata cannot be read.   (0xc0041801)

                        Error: (01/06/2012 02:55:25 PM) (Source: Windows Search Service) (User: )
                        Description: The gatherer object cannot be initialized.

                        Context: Windows Application, SystemIndex Catalog

                        Details:
                           The content index metadata cannot be read.   (0xc0041801)

                        Error: (01/06/2012 02:55:25 PM) (Source: Windows Search Service) (User: )
                        Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

                        Context: Windows Application, SystemIndex Catalog

                        Details:
                           Element not found.   (0x80070490)


                        System errors:
                        =============
                        Error: (01/04/2012 05:04:35 PM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 05:00:36 PM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 04:59:10 PM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 04:59:10 PM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 04:59:10 PM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 04:59:10 PM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 04:59:10 PM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 04:59:10 PM) (Source: Service Control Manager) (User: )
                        Description: The MCSTRM service failed to start due to the following error:
                        %%2

                        Error: (01/04/2012 11:17:01 AM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127

                        Error: (01/04/2012 11:15:31 AM) (Source: Service Control Manager) (User: )
                        Description: The Network Location Awareness (NLA) service terminated with the following error:
                        %%127


                        Microsoft Office Sessions:
                        =========================
                        Error: (01/07/2012 01:40:38 PM) (Source: MPSampleSubmission)(User: )
                        Description: mptelemetry8024402cendsearchsearch3.0.8402.0mpsigdwn.dll3.0.8402.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

                        Error: (01/06/2012 07:50:18 PM) (Source: MPSampleSubmission)(User: )
                        Description: mptelemetry8024402cendsearchsearch3.0.8402.0mpsigdwn.dll3.0.8402.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

                        Error: (01/06/2012 07:31:08 PM) (Source: MPSampleSubmission)(User: )
                        Description: mptelemetry8024402cendsearchsearch3.0.8402.0mpsigdwn.dll3.0.8402.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

                        Error: (01/06/2012 07:10:15 PM) (Source: JavaQuickStarterService)(User: )
                        Description: Unable to create JQS API server: socket() failed (Socket error 10044)

                        Error: (01/06/2012 05:55:02 PM) (Source: Windows Search Service)(User: )
                        Description: Context: Windows Application, SystemIndex Catalog

                        Error: (01/06/2012 04:55:41 PM) (Source: MPSampleSubmission)(User: )
                        Description: mptelemetry80070424beginsearchsearch3.0.8402.0mpsigdwn.dll3.0.8402.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

                        Error: (01/06/2012 04:45:42 PM) (Source: JavaQuickStarterService)(User: )
                        Description: Unable to create JQS API server: socket() failed (Socket error 10044)

                        Error: (01/06/2012 02:55:25 PM) (Source: Windows Search Service)(User: )
                        Description: Context: Windows Application

                        Details:
                           The content index metadata cannot be read.   (0xc0041801)

                        Error: (01/06/2012 02:55:25 PM) (Source: Windows Search Service)(User: )
                        Description: Context: Windows Application, SystemIndex Catalog

                        Details:
                           The content index metadata cannot be read.   (0xc0041801)

                        Error: (01/06/2012 02:55:25 PM) (Source: Windows Search Service)(User: )
                        Description: Context: Windows Application, SystemIndex Catalog

                        Details:
                           Element not found.   (0x80070490)
                        Search.TripoliIndexer


                        ========================= Memory info: ===================================

                        Percentage of memory in use: 33%
                        Total physical RAM: 1790.48 MB
                        Available physical RAM: 1184.63 MB
                        Total Pagefile: 3685.05 MB
                        Available Pagefile: 3188.34 MB
                        Total Virtual: 2047.88 MB
                        Available Virtual: 1972.57 MB

                        ========================= Partitions: =====================================

                        2 Drive c: () (Fixed) (Total:149.04 GB) (Free:118.42 GB) NTFS
                        3 Drive d: (Scan Tools) (CDROM) (Total:0.26 GB) (Free:0 GB) UDF

                        ========================= Users: ========================================

                        User accounts for \\HOME-D8A73CBAEE

                        Administrator            Annette                  ASPNET                   
                        Darren                   Guest                    HelpAssistant           
                        SUPPORT_388945a0         UpdatusUser             


                        **** End of log ****
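
An added example (not part of the original posts and not Farbar's code): a Python triage pass over MiniToolBox-style output like the log above, pulling out the network-stack indicators a helper would otherwise read by hand. The sample text is condensed from that log; the function names and finding labels are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: lines condensed from the MiniToolBox log in the post above.
SAMPLE_LOG = """\
Ethernet adapter Local Area Connection 4:
        Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection 3:
        Media State . . . . . . . . . . . : Media disconnected
Server:  UnKnown
Address:  127.0.0.1
Ping request could not find host google.com. Please check the name and try again.
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
  255.255.255.255  255.255.255.255  255.255.255.255               3     1
Persistent Routes:
  None
Error: (01/06/2012 07:10:15 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10044)
Error: (01/04/2012 05:04:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127
Error: (01/04/2012 04:59:10 PM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2
"""

# Standard Windows meanings of the codes that appear in the log.
WINSOCK_CODES = {10044: "WSAESOCKTNOSUPPORT, socket type not supported"}
WIN32_CODES = {2: "ERROR_FILE_NOT_FOUND", 127: "ERROR_PROC_NOT_FOUND"}


def parse_adapters(text):
    """Map adapter name -> link state from the ipconfig section."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Ethernet adapter (.+):\s*$", line)
        if m:
            current = m.group(1)
            # ipconfig prints no "Media State" line for an adapter with a live link.
            adapters[current] = "connected"
            continue
        m = re.match(r"\s*Media State[ .]*:\s*(.+?)\s*$", line)
        if m and current:
            adapters[current] = m.group(1)
    return adapters


def parse_routes(text):
    """Return (destination, netmask, gateway) rows of the Active Routes table."""
    routes, in_table = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes:"):
            in_table = True
            continue
        if in_table and stripped.startswith(("Persistent Routes:", "===")):
            break
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", line)
        if in_table and m:
            routes.append(m.groups())
    return routes


def resolvers(text):
    """Addresses of the DNS servers that nslookup reported using."""
    return re.findall(r"^\s*Server:.*\n\s*Address:\s*(\S+)", text, re.M)


def service_errors(text):
    """(service name, Win32 error code) pairs from Service Control Manager events."""
    pat = r"The (.+?) service (?:terminated with|failed to start due to) the following error:\s*%%(\d+)"
    return [(svc, int(code)) for svc, code in re.findall(pat, text)]


def triage(text):
    """Return (label, detail) findings, network state first, then event-log errors."""
    findings = []
    adapters = parse_adapters(text)
    if adapters and all(s.lower() == "media disconnected" for s in adapters.values()):
        findings.append(("no-link", "every adapter reports Media disconnected"))
    routes = parse_routes(text)
    if routes and not any(r[0] == "0.0.0.0" and r[1] == "0.0.0.0" for r in routes):
        findings.append(("no-default-route", "route table has no 0.0.0.0 entry"))
    if "127.0.0.1" in resolvers(text):
        findings.append(("loopback-resolver", "nslookup is querying 127.0.0.1"))
    socket_codes = Counter(int(c) for c in re.findall(r"Socket error (\d+)", text))
    for code, n in sorted(socket_codes.items()):
        meaning = WINSOCK_CODES.get(code, "not in table")
        findings.append((f"winsock-{code}", f"{n}x socket() failure ({meaning})"))
    for (svc, code), n in sorted(Counter(service_errors(text)).items()):
        meaning = WIN32_CODES.get(code, "not in table")
        findings.append((f"svc-{code}", f"{svc}: {n}x Win32 error {code} ({meaning})"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:18} {detail}")
```
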

                        SuperDave

                        • Malware Removal Specialist
                        • Moderator


                        • Genius
                        • Thanked: 1020
                        • Certifications: List
                        • Experience: Expert
                        • OS: Windows 10
                        Re: No Internet Access after virus removal :(
                        « Reply #11 on: January 07, 2012, 07:10:35 PM »
                        Did you try resetting your modem? Disconnect the power supply for at least 30 secs.

                        •Please download Dial-A-Fix from one of the following mirrors:

                        Primary mirror
                        Secondary mirror

                        •Extract the zip file to your desktop.

                        •Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors; just ignore them and click
                        to continue.

                        •Press the green double checkmark box.


                        UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:





                        •Click on Go

                        •Wait for Dial-A-Fix to finish (all the check marks will be gone)

                        •Close Dial-A-Fix
                        Windows 8 and Windows 10 dual boot with two SSD's

                        nasroo7

                          Re: No Internet Access after virus removal :(
                          « Reply #12 on: January 07, 2012, 08:35:33 PM »
                          I didn't reset the modem.
                          The reason was because I connected 3 computers on the same modem, and they were all working fine. Except for this one.

                          SuperDave

                          Re: No Internet Access after virus removal :(
                          « Reply #13 on: January 08, 2012, 10:51:13 AM »
                          Quote
                          I didn't reset the modem.
                          The reason was because I connected 3 computers on the same modem, and they were all working fine. Except for this one.
                          I thought about that this morning. Sorry. Did you try Dial-A-Fix?

                          nasroo7

                            Re: No Internet Access after virus removal :(
                            « Reply #14 on: January 09, 2012, 07:47:10 AM »
                            Hi,

                            After I clicked on GO, it was doing its job, and I had error messages:

                            "Error 127: C:\windows\system32\iesetup.dll is not registrable or the file is corrupted. Your version of iesetup.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Your version of iesetup.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\imgulti.dll is not registrable or the file is corrupted. Your version of imgulti.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\inseng.dll is not registrable or the file is corrupted. Your version of inseng.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Your version of inseng.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\mshtml.dll is not registrable or the file is corrupted. Your version of mshtml.dll is: 8.00.6001.19170. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Your version of mshtml.dll is: 8.00.6001.19170. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\msrating.dll is not registrable or the file is corrupted. Your version of msrating.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\occache.dll is not registrable or the file is corrupted. Your version of occache.dll is: 8.00.6001.19165. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\occache.dll is not DLLInstall-able or the file is corrupted. Your version of occache.dll is: 8.00.6001.19165. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\pngfilt.dll is not DLLInstall-able or the file is corrupted. Your version of pngfilt.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\webcheck.dll is not registrable or the file is corrupted. Your version of webcheck.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            "Error 127: C:\windows\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Your version of webcheck.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                            Quote
                            •Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors; just ignore them and click
                            to continue.

                            Quote
                            •Click on Go

                            •Wait for Dial-A-Fix to finish (all the check marks will be gone)

                            •Close Dial-A-Fix

                            I did have one error message when I executed Dial-A-Fix.exe, so I ignored it and clicked on OK, as you told me.
                            But when you told me about the error messages, I was kinda confused whether you meant that I should ignore only the ones after I execute Dial-A-Fix.exe, or all of them (after I click on GO also).
                            So, here are the error messages I had after "GO".












                            SuperDave

                            Re: No Internet Access after virus removal :(
                            « Reply #15 on: January 09, 2012, 01:17:56 PM »
                            Please download Farbar Service Scanner and run it on the computer with the issue.
                            • Press "Scan".
                            • It will create a log (FSS.txt) in the same directory the tool is run.
                            • Please copy and paste the log to your reply.

                            nasroo7

                              Re: No Internet Access after virus removal :(
                              « Reply #16 on: January 09, 2012, 02:35:00 PM »
                              Here is a log, I didn't check or uncheck anything. Scanned only the Internet Services




                              Farbar Service Scanner
                              Ran by Annette (administrator) on 09-01-2012 at 16:32:52
                              Microsoft Windows XP Professional Service Pack 3 (X86)
                              Boot Mode: Normal
                              ****************************************************************

                              Internet Services:
                              ============

                              Connection Status:
                              ==============
                              Localhost is blocked.
                              LAN connected.
                              Attempt to access Google IP returned error: Other errors
                              Attempt to access Yahoo IP returend error: Other errors


                              File Check:
                              ========
                              C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
                              C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
                              C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
                              C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
                              C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
                              C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
                              C:\WINDOWS\system32\svchost.exe => MD5 is legit
                              C:\WINDOWS\system32\rpcss.dll => MD5 is legit
                              C:\WINDOWS\system32\services.exe => MD5 is legit

                              Extra List:
                              =======
                              Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
                              0x0700000005000000010000000200000003000000040000000600000007000000
                              IpSec Tag value is correct.

                              **** End of log ****

                              nasroo7

                                Re: No Internet Access after virus removal :(
                                « Reply #17 on: January 09, 2012, 02:36:07 PM »
                                Checked all the others,
                                here is the log (I don't know which one you need)




                                Farbar Service Scanner
                                Ran by Annette (administrator) on 09-01-2012 at 16:33:33
                                Microsoft Windows XP Professional Service Pack 3 (X86)
                                Boot Mode: Normal
                                ****************************************************************

                                Internet Services:
                                ============

                                Connection Status:
                                ==============
                                Localhost is blocked.
                                LAN connected.
                                Attempt to access Google IP returned error: Other errors
                                Attempt to access Yahoo IP returend error: Other errors


                                Windows Firewall:
                                =============

                                Firewall Disabled Policy:
                                ==================
                                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
                                "EnableFirewall"=DWORD:0


                                System Restore:
                                ============

                                System Restore Disabled Policy:
                                ========================


                                Security Center:
                                ============

                                Windows Update:
                                ===========

                                File Check:
                                ========
                                C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
                                C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
                                C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
                                C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
                                C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
                                C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
                                C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
                                C:\WINDOWS\system32\netman.dll => MD5 is legit
                                C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
                                C:\WINDOWS\system32\srsvc.dll => MD5 is legit
                                C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
                                C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
                                C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
                                C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
                                C:\WINDOWS\system32\qmgr.dll => MD5 is legit
                                C:\WINDOWS\system32\es.dll => MD5 is legit
                                C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
                                C:\WINDOWS\system32\svchost.exe => MD5 is legit
                                C:\WINDOWS\system32\rpcss.dll => MD5 is legit
                                C:\WINDOWS\system32\services.exe => MD5 is legit

                                Extra List:
                                =======
                                Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
                                0x0700000005000000010000000200000003000000040000000600000007000000
                                IpSec Tag value is correct.

                                **** End of log ****

                                SuperDave

                                Re: No Internet Access after virus removal :(
                                « Reply #18 on: January 09, 2012, 04:43:16 PM »
                                Quote
                                Localhost is blocked.
                                Is it possible your Firewall is blocking this?

                                1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
                                2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
                                3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
                                4. For a wired network connection, right-click Local Area Connection, and then select Properties.
                                For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
                                5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties
                                6. Click Obtain an IP Address Automatically, and then click OK.

                                nasroo7

                                  Re: No Internet Access after virus removal :(
                                  « Reply #19 on: January 10, 2012, 07:55:03 AM »
                                  Quote
                                  So, I tried to reset all Iexplorer settings in "Reset Default"; it doesn't solve the problem.
                                  There is no PROXY, and everything is on "Detect Automatically... IP, DNS..."
                                  I tried to activate the firewall, it tells me that it cannot start "Connection Sharing ICS service"
                                  I tried to start Automatic Updates service, but it tells me "It had to stop, because it has no action to take."

                                  It was already on "Automatically..." But I double checked now... it's still the same

                                  I saw another topic where a guy had kind of the same issue,
                                  and you suggested that he use WinsockXPFix.
                                  It didn't solve the problem for him... but maybe for me.
                                  Because ComboFix detected a rootkit that was in my TCP/IP. So that's why I'm thinking about resetting all settings related to that.

                                  But you're the boss, I do whatever you suggest me.

                                  SuperDave

                                  Re: No Internet Access after virus removal :(
                                  « Reply #20 on: January 10, 2012, 12:12:01 PM »
                                  Quote
                                  But you're the boss, I do whatever you suggest me.
                                  I'm working my way down the checklist.

                                  Go Start>Run (Start search in Vista), type in:
                                  cmd
                                  Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

                                  In the Command Prompt window, type in the following commands, and hit Enter after each one:
                                  ipconfig /flushdns
                                  ipconfig /registerdns
                                  ipconfig /release
                                  ipconfig /renew
                                  net stop "dns client"
                                  net start "dns client"


                                  Restart computer.

                                  If that doesn't work...
                                  Go Start>Run (Start search in Vista and 7), type in:
                                  cmd
                                  Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

                                  At Command Prompt, type in:
                                  netsh int ip reset reset.log
                                  Hit Enter.
                                  Type in:
                                  netsh winsock reset catalog
                                  Hit Enter.

                                  Restart computer.
                                  Windows 8 and Windows 10 dual boot with two SSD's
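
An added example, not part of SuperDave's post or of any tool named in this thread: after `netsh winsock reset catalog` and the restart, `netsh winsock show catalog` lists the providers that remain in the Winsock chain, and the script below parses such a listing and flags entries worth a second look. The sample listing, its placeholder GUIDs and the `ExampleLSP` entry are constructed, and the field layout and the baseline "stock providers live in %SystemRoot%\system32" are assumptions.

```python
"""Review a saved `netsh winsock show catalog` listing (added example)."""
import re

# Constructed sample in the layout assumed for `netsh winsock show catalog`.
# GUIDs are placeholders; "ExampleLSP" is a made-up third-party provider.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleLSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\Documents and Settings\All Users\Application Data\ExampleVendor\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2
Protocol Chain:                     1014 : 1001

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
Provider ID:                        {00000000-0000-0000-0000-000000000003}
Provider Path:                      %SystemRoot%\System32\mswsock.dll
"""

SECTION_HEADERS = {"Winsock Catalog Provider Entry", "Name Space Provider Entry"}
# Key is letters/spaces up to the FIRST colon, so "C:\..." stays in the value.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_catalog(text):
    """Split the listing into one dict per provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            current = {"section": stripped}
            entries.append(current)
            continue
        match = FIELD_RE.match(stripped)
        if match and current is not None:
            current[match.group(1).strip()] = match.group(2).strip()
    return entries


def normalize_path(path):
    """Lower-case the path and fold common Windows-directory spellings together."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    # Assumption: Windows is installed in C:\WINDOWS, as in the logs in this thread.
    for prefix in ("%systemroot%", "%windir%", "c:\\windows"):
        if p.startswith(prefix):
            return "%systemroot%" + p[len(prefix):]
    return p


def review(entries):
    """Return (description, path, reasons) for entries that deserve a manual look."""
    findings = []
    for entry in entries:
        reasons = []
        raw_path = entry.get("Provider Path", "")
        if not normalize_path(raw_path).startswith("%systemroot%\\system32\\"):
            reasons.append("provider DLL outside %SystemRoot%\\system32")
        chain = entry.get("Protocol Chain Length", "1")
        chain_len = int(chain) if chain.isdigit() else 1
        if "layered" in entry.get("Entry Type", "").lower() or chain_len > 1:
            reasons.append("layered service provider in the chain")
        if reasons:
            findings.append((entry.get("Description", "?"), raw_path, reasons))
    return findings


if __name__ == "__main__":
    for description, path, reasons in review(parse_catalog(SAMPLE_CATALOG)):
        print(f"REVIEW: {description}\n  path: {path}")
        for reason in reasons:
            print(f"  - {reason}")
```

A flagged entry is a prompt to identify the DLL, not a verdict: security products and other legitimate software also install layered providers or keep their DLLs outside system32.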

                                  nasroo7

                                    Re: No Internet Access after virus removal :(
                                    « Reply #21 on: January 10, 2012, 01:04:07 PM »
                                    everything was successfully done,
                                    but didn't solve the problem. :(

                                    nasroo7

                                      Re: No Internet Access after virus removal :(
                                      « Reply #22 on: January 10, 2012, 01:06:28 PM »
                                      at the same time, MSEssentials just blocked Win32.Sirefef

                                      SuperDave

                                      Re: No Internet Access after virus removal :(
                                      « Reply #23 on: January 10, 2012, 04:57:56 PM »
                                      Let's try to uninstall/reinstall TCP/IP stack.

                                      1. Download winsock.zip
                                      Unzip it.
                                      Right click on Winsock.reg, click "Merge".
                                      Allow registry merge.

                                      2. Restart computer.

                                      3. Go to Start ==> Control Panel.  Double-click Network Connections. Right-click Local Area Connection, and select Properties.
                                      • On the General tab, click Install. A popup window opens.
                                      • Select Protocol from the list and then click Add.
                                      • A new window opens, click Have Disk....
                                      • In the browse... box type c:\windows\inf
                                      • Click OK.
                                      • Select Internet Protocol (TCP/IP), and then click OK.
                                      • Restart and check the connection.
                                      Windows 8 and Windows 10 dual boot with two SSD's

                                      nasroo7

                                        Re: No Internet Access after virus removal :(
                                        « Reply #24 on: January 11, 2012, 08:39:10 AM »
                                        I did everything, and now Internet works! :D

                                        Is it done? Or does it need more work? :s

                                        nasroo7

                                          Re: No Internet Access after virus removal :(
                                          « Reply #25 on: January 11, 2012, 08:44:10 AM »
                                          Quote
                                          at the same time, MSEssentials just blocked Win32.Sirefef

                                          I also have a question, because it happened that MSEssentials blocked Win32.Sirefef (before I asked for your help) and I tried the "ESETSirefefRemover" solution by Kaspersky, but after the scan, it told me that Sirefef is not on the computer.

                                          Does it mean that MSEssentials is blocking it from infecting my computer? Or does it mean that it's infecting my computer but hidden somewhere?


                                          And on this computer, I had MSEssentials block Sirefef when scanning with AVP Tool

                                          SuperDave

                                          Re: No Internet Access after virus removal :(
                                          « Reply #26 on: January 11, 2012, 12:02:13 PM »
                                          SUPERAntiSpyware

                                          If you already have SUPERAntiSpyware be sure to check for updates before scanning!


                                          Download SuperAntispyware Free Edition (SAS)
                                          * Double-click the icon on your desktop to run the installer.
                                          * When asked to Update the program definitions, click Yes
                                          * If you encounter any problems while downloading the updates, manually download and unzip them from here
                                          * Next click the Preferences button.

                                          • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
                                          * Click the Scanning Control tab.
                                          * Under Scanner Options make sure only the following are checked:

                                          • Close browsers before scanning
                                          • Scan for tracking cookies
                                          • Terminate memory threats before quarantining
                                          Please leave the others unchecked

                                          • Click the Close button to leave the control center screen.

                                          * On the main screen click Scan your computer
                                          * On the left check the box for the drive you are scanning.
                                          * On the right choose Perform Complete Scan
                                          * Click Next to start the scan. Please be patient while it scans your computer.
                                          * After the scan is complete a summary box will appear. Click OK
                                          * Make sure everything in the white box has a check next to it, then click Next
                                          * It will quarantine what it found and if it asks if you want to reboot, click Yes

                                          • To retrieve the removal information please do the following:
                                          • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
                                          • Click Preferences. Click the Statistics/Logs tab.

                                          • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

                                          • It will open in your default text editor (preferably Notepad).
                                          • Save the notepad file to your desktop by clicking (in notepad) File > Save As...

                                          * Save the log somewhere you can easily find it. (normally the desktop)
                                          * Click close and close again to exit the program.
                                          * Copy and Paste the log in your post.
                                          ***************************************************
                                          Please download Malwarebytes Anti-Malware from here.
                                          Double Click mbam-setup.exe to install the application.
                                          • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
                                          • If an update is found, it will download and install the latest version.
                                          • Once the program has loaded, select "Perform Full Scan", then click Scan.
                                          • The scan may take some time to finish, so please be patient.
                                          • When the scan is complete, click OK, then Show Results to view the results.
                                          • Make sure that everything is checked, and click Remove Selected.
                                          • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
                                          • Please save the log to a location you will remember.
                                          • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                                          • Copy and paste the entire report in your next reply.
                                          Extra Note:

                                          If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
                                          *************************************************
                                          Download DDS from HERE or HERE and save it to your desktop.

                                          Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

                                          * XP users Double click on dds to run it.
                                          * If your antivirus or firewall try to block DDS then please allow it to run.
                                          * When finished DDS will open two (2) logs.
                                          * Save both reports to your desktop.
                                          * The instructions here ask you to attach the Attach.txt.



                                          1) DDS.txt
                                          2) Attach.txt
                                          Instead of attaching, please copy/paste both logs into your Thread

                                          Note: DDS will instruct you to post the Attach.txt log as an attachment.
                                          Please just post it as you would any other log by copying and pasting it into the reply.

                                          • Close the program window, and delete the program from your desktop.

                                          Please note: You may have to disable any script protection running if the scan fails to run.
                                          After downloading the tool, disconnect from the internet and disable all antivirus protection.
                                          Run the scan, enable your A/V and reconnect to the internet.
                                          Information on A/V control HERE. Then post your DDS logs. (DDS.txt and Attach.txt)
                                          Windows 8 and Windows 10 dual boot with two SSD's

                                          nasroo7

                                            Re: No Internet Access after virus removal :(
                                            « Reply #27 on: January 11, 2012, 12:03:52 PM »
                                            After Internet was fixed, I opened MSEssentials, and clicked on update, and then went back to my other stuff...
                                            Came back a few hours later, and found it updated successfully.

                                            But just out of curiosity I went to the history... and...
                                            I found 15 detected items today (I didn't run any scan)
                                             Virus:Win32/Sirefef.N  Disinfected (14 times)
                                             Exploit:Java/CVE-2011-3544.L  Removed (1 time)



                                            nasroo7

                                              Re: No Internet Access after virus removal :(
                                              « Reply #28 on: January 11, 2012, 12:06:03 PM »
                                              OK, I'll do all of that

                                              nasroo7

                                                Re: No Internet Access after virus removal :(
                                                « Reply #29 on: January 11, 2012, 03:03:31 PM »
                                                After I finished with SuperAntiSpyware, MSEssentials blocked Sirefef again, and I clicked on Disinfect, but got the error code: 0x800704ec

                                                nasroo7

                                                  Re: No Internet Access after virus removal :(
                                                  « Reply #30 on: January 11, 2012, 04:14:22 PM »
                                                  Malwarebytes Anti-Malware 1.60.0.1800
                                                  www.malwarebytes.org

                                                  Database version: v2012.01.11.06

                                                  Windows XP Service Pack 3 x86 NTFS
                                                  Internet Explorer 8.0.6001.18702
                                                  Annette :: HOME-D8A73CBAEE [administrator]

                                                  1/11/2012 5:05:23 PM
                                                  mbam-log-2012-01-11 (17-05-23).txt

                                                  Scan type: Full scan
                                                  Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
                                                  Scan options disabled: P2P
                                                  Objects scanned: 255656
                                                  Time elapsed: 27 minute(s), 39 second(s)

                                                  Memory Processes Detected: 0
                                                  (No malicious items detected)

                                                  Memory Modules Detected: 0
                                                  (No malicious items detected)

                                                  Registry Keys Detected: 0
                                                  (No malicious items detected)

                                                  Registry Values Detected: 0
                                                  (No malicious items detected)

                                                  Registry Data Items Detected: 0
                                                  (No malicious items detected)

                                                  Folders Detected: 0
                                                  (No malicious items detected)

                                                  Files Detected: 0
                                                  (No malicious items detected)

                                                  (end)

                                                  nasroo7

                                                    Re: No Internet Access after virus removal :(
                                                    « Reply #31 on: January 11, 2012, 04:14:50 PM »
                                                    SUPERAntiSpyware Scan Log
                                                    http://www.superantispyware.com

                                                    Generated 01/11/2012 at 03:03 PM

                                                    Application Version : 4.50.1002

                                                    Core Rules Database Version : 8123
                                                    Trace Rules Database Version: 5935

                                                    Scan type       : Complete Scan
                                                    Total Scan Time : 00:55:15

                                                    Memory items scanned      : 434
                                                    Memory threats detected   : 0
                                                    Registry items scanned    : 6015
                                                    Registry threats detected : 0
                                                    File items scanned        : 58427
                                                    File threats detected     : 10

                                                    Adware.Tracking Cookie
                                                       C:\Documents and Settings\Annette\Cookies\HMYZLQN9.txt
                                                       C:\Documents and Settings\Annette\Cookies\THUXZBVC.txt
                                                       C:\Documents and Settings\Annette\Cookies\HABUK9X8.txt
                                                       C:\Documents and Settings\Annette\Cookies\DDT2RUL2.txt
                                                       C:\Documents and Settings\Annette\Cookies\1TU6SP7M.txt
                                                       C:\Documents and Settings\Annette\Cookies\NQK21U12.txt
                                                       C:\Documents and Settings\Annette\Cookies\YNQFGFY2.txt
                                                       C:\Documents and Settings\Annette\Cookies\X67DM0OP.txt
                                                       C:\Documents and Settings\Annette\Cookies\NWID5FDY.txt
                                                       C:\Documents and Settings\Annette\Cookies\R3DEEDG1.txt

                                                    nasroo7

                                                      Re: No Internet Access after virus removal :(
                                                      « Reply #32 on: January 11, 2012, 04:16:55 PM »
                                                      .
                                                      DDS (Ver_2011-08-26.01) - NTFSx86
                                                      Internet Explorer: 8.0.6001.18702
                                                      Run by Annette at 18:15:37 on 2012-01-11
                                                      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1790.1110 [GMT -5:00]
                                                      .
                                                      AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                                                      .
                                                      ============== Running Processes ===============
                                                      .
                                                      C:\WINDOWS\system32\svchost.exe -k DcomLaunch
                                                      svchost.exe
                                                      c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
                                                      C:\WINDOWS\System32\svchost.exe -k netsvcs
                                                      C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
                                                      svchost.exe
                                                      svchost.exe
                                                      C:\WINDOWS\system32\spoolsv.exe
                                                      C:\WINDOWS\Explorer.EXE
                                                      C:\Program Files\Common Files\Java\Java Update\jusched.exe
                                                      C:\Program Files\Zune\ZuneLauncher.exe
                                                      C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
                                                      C:\WINDOWS\RTHDCPL.EXE
                                                      C:\WINDOWS\system32\RUNDLL32.EXE
                                                      C:\Program Files\Microsoft Security Client\msseces.exe
                                                      C:\WINDOWS\system32\ctfmon.exe
                                                      C:\Program Files\Windows Desktop Search\WindowsSearch.exe
                                                      svchost.exe
                                                      C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
                                                      C:\Program Files\Java\jre6\bin\jqs.exe
                                                      C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
                                                      C:\WINDOWS\system32\nvsvc32.exe
                                                      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
                                                      C:\WINDOWS\system32\SearchIndexer.exe
                                                      c:\WINDOWS\system32\ZuneBusEnum.exe
                                                      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
                                                      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                      .
                                                      ============== Pseudo HJT Report ===============
                                                      .
                                                      uStart Page = hxxp://www.rr.com/
                                                      BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
                                                      BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
                                                      BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
                                                      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
                                                      BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                                                      uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
                                                      uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
                                                      mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
                                                      mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
                                                      mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
                                                      mRun: [RTHDCPL] RTHDCPL.EXE
                                                      mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
                                                      mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
                                                      mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
                                                      mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
                                                      mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
                                                      mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
                                                      dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
                                                      StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
                                                      StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
                                                      IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
                                                      IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
                                                      DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
                                                      DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
                                                      DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251588442812
                                                      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
                                                      DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
                                                      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
                                                      DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
                                                      TCP: DhcpNameServer = 192.168.0.1
                                                      TCP: Interfaces\{F2FAF00E-072F-4EDD-938C-CF761E7CDF4A} : DhcpNameServer = 192.168.0.1
                                                      Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
                                                      SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
                                                      SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
                                                      SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
                                                      .
                                                      ============= SERVICES / DRIVERS ===============
                                                      .
                                                      R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-8-3 13696]
                                                      R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
                                                      R1 MpKsldab21d7e;MpKsldab21d7e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4ab00538-6f5a-4085-b170-2a97f95f30ef}\MpKsldab21d7e.sys [2012-1-11 29904]
                                                      R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
                                                      R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
                                                      R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-9-12 2214504]
                                                      S1 MpKsl607219cb;MpKsl607219cb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\mpksl607219cb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{095f5527-8ed3-4bff-b87d-bffd993e4b45}\MpKsl607219cb.sys [?]
                                                      S1 MpKslcf261482;MpKslcf261482;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{81a36ea3-d5b6-4b81-9e48-f2179236a830}\mpkslcf261482.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{81a36ea3-d5b6-4b81-9e48-f2179236a830}\MpKslcf261482.sys [?]
                                                      S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
                                                      S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
                                                      S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
                                                      .
                                                      =============== Created Last 30 ================
                                                      .
                                                      2012-01-11 21:39:09   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                                      2012-01-11 19:05:47   --------   d-----w-   c:\documents and settings\annette\application data\SUPERAntiSpyware.com
                                                      2012-01-11 19:05:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
                                                      2012-01-11 15:46:12   29904   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4ab00538-6f5a-4085-b170-2a97f95f30ef}\MpKsldab21d7e.sys
                                                      2012-01-11 15:45:56   56200   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4ab00538-6f5a-4085-b170-2a97f95f30ef}\offreg.dll
                                                      2012-01-11 15:45:51   6823496   -c--a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4ab00538-6f5a-4085-b170-2a97f95f30ef}\mpengine.dll
                                                      2012-01-09 21:19:29   --------   d-----w-   c:\windows\system32\wbem\repository\FS
                                                      2012-01-09 21:19:29   --------   d-----w-   c:\windows\system32\wbem\Repository
                                                      2012-01-09 14:24:17   --------   d-----w-   c:\windows\system32\CatRoot2
                                                      2012-01-07 00:17:32   52480   -c--a-w-   c:\windows\system32\dllcache\i8042prt.sys
                                                      2012-01-07 00:17:32   52480   ----a-w-   c:\windows\system32\drivers\i8042prt.sys
                                                      2012-01-07 00:00:11   98816   ----a-w-   c:\windows\sed.exe
                                                      2012-01-07 00:00:11   518144   ----a-w-   c:\windows\SWREG.exe
                                                      2012-01-07 00:00:11   256000   ----a-w-   c:\windows\PEV.exe
                                                      2012-01-07 00:00:11   208896   ----a-w-   c:\windows\MBR.exe
                                                      2012-01-06 19:55:31   20992   -c--a-w-   c:\windows\system32\dllcache\rtl8139.sys
                                                      2012-01-06 19:55:31   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
                                                      2012-01-06 19:12:12   14592   -c--a-w-   c:\windows\system32\dllcache\kbdhid.sys
                                                      2012-01-06 18:55:05   14592   ----a-w-   c:\windows\system32\drivers\kbdhid.sys
                                                      2012-01-06 15:12:33   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                                                      2012-01-06 15:12:33   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                                                      2012-01-06 15:12:31   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
                                                      2012-01-06 15:12:31   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
                                                      2012-01-05 19:47:01   --------   d-----w-   c:\documents and settings\annette\local settings\application data\PCHealth
                                                      2012-01-05 15:41:35   --------   dc----w-   c:\documents and settings\all users\application data\Spybot - Search & Destroy
                                                      2012-01-05 15:41:24   --------   d-----w-   c:\program files\Spybot - Search & Destroy 2
                                                      2012-01-05 01:21:33   --------   dc----w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
                                                      2012-01-04 22:06:29   --------   d-----w-   c:\documents and settings\annette\application data\Malwarebytes
                                                      2012-01-04 02:04:21   --------   d-----w-   c:\windows\pss
                                                      2012-01-03 23:40:54   --------   dc----w-   c:\documents and settings\all users\application data\Malwarebytes
                                                      2012-01-03 23:40:50   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                                                      2011-12-23 22:36:21   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
                                                      2011-12-23 22:36:21   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
                                                      .
                                                      ==================== Find3M  ====================
                                                      .
                                                      2011-12-15 01:15:15   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                                                      2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
                                                      2011-11-15 19:29:56   222080   ------w-   c:\windows\system32\MpSigStub.exe
                                                      2011-11-10 10:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                                                      2011-11-10 08:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                                                      2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
                                                      2011-11-04 19:20:51   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                                                      2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
                                                      2011-11-04 11:23:59   385024   ----a-w-   c:\windows\system32\html.iec
                                                      2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
                                                      2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                                                      2011-10-25 13:37:08   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
                                                      2011-10-25 12:52:02   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
                                                      2011-10-18 11:13:22   186880   ----a-w-   c:\windows\system32\encdec.dll
                                                      .
                                                      ============= FINISH: 18:16:06.43 ===============

                                                      nasroo7

                                                        Re: No Internet Access after virus removal :(
                                                        « Reply #33 on: January 11, 2012, 04:17:28 PM »
                                                        ATTACH

                                                        .
                                                        UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
                                                        IF REQUESTED, ZIP IT UP & ATTACH IT
                                                        .
                                                        DDS (Ver_2011-08-26.01)
                                                        .
                                                        Microsoft Windows XP Professional
                                                        Boot Device: \Device\HarddiskVolume1
                                                        Install Date: 8/3/2009 11:40:05 AM
                                                        System Uptime: 1/11/2012 10:35:03 AM (8 hours ago)
                                                        .
                                                        Motherboard: BIOSTAR Group |  | N61PB-M2S
                                                        Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2  | 2712/201mhz
                                                        .
                                                        ==== Disk Partitions =========================
                                                        .
                                                        A: is Removable
                                                        C: is FIXED (NTFS) - 149 GiB total, 117.844 GiB free.
                                                        D: is CDROM ()
                                                        E: is Removable
                                                        .
                                                        ==== Disabled Device Manager Items =============
                                                        .
                                                        ==== System Restore Points ===================
                                                        .
                                                        RP1: 1/5/2012 2:37:43 PM - System Checkpoint
                                                        RP2: 1/6/2012 2:10:33 PM - Restore Operation
                                                        RP3: 1/6/2012 2:53:25 PM - Restore Operation
                                                        RP4: 1/7/2012 3:44:53 PM - System Checkpoint
                                                        RP5: 1/9/2012 10:43:39 AM - After WinSock edit
                                                        RP6: 1/9/2012 2:05:41 PM - after winsock edit 02
                                                        RP7: 1/9/2012 4:18:02 PM - after FSS scan (internet working)
                                                        RP8: 1/9/2012 4:18:35 PM - Restore Operation
                                                        RP9: 1/11/2012 11:02:47 AM - System Checkpoint
                                                        .
                                                        ==== Installed Programs ======================
                                                        .
                                                        Adobe Flash Player 11 ActiveX
                                                        Advertising Center
                                                        Critical Update for Windows Media Player 11 (KB959772)
                                                        High Definition Audio Driver Package - KB888111
                                                        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
                                                        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
                                                        Hotfix for Windows Media Format 11 SDK (KB929399)
                                                        Hotfix for Windows Media Player 11 (KB939683)
                                                        Hotfix for Windows XP (KB2158563)
                                                        Hotfix for Windows XP (KB2443685)
                                                        Hotfix for Windows XP (KB2570791)
                                                        Hotfix for Windows XP (KB2633952)
                                                        Hotfix for Windows XP (KB915800-v4)
                                                        Hotfix for Windows XP (KB932716-v2)
                                                        Hotfix for Windows XP (KB942288-v3)
                                                        Hotfix for Windows XP (KB952287)
                                                        Hotfix for Windows XP (KB954550-v5)
                                                        Hotfix for Windows XP (KB961118)
                                                        Hotfix for Windows XP (KB970653-v3)
                                                        Hotfix for Windows XP (KB976098-v2)
                                                        Hotfix for Windows XP (KB979306)
                                                        Hotfix for Windows XP (KB981793)
                                                        ImagXpress
                                                        Java Auto Updater
                                                        Java(TM) 6 Update 30
                                                        Juice 2.2
                                                        Knoll Light Factory EZ Studio
                                                        Malwarebytes Anti-Malware version 1.60.0.1800
                                                        Media Converter for Philips
                                                        Menu Templates - Starter Kit
                                                        Microsoft .NET Framework 1.1
                                                        Microsoft .NET Framework 1.1 Security Update (KB2572067)
                                                        Microsoft .NET Framework 1.1 Security Update (KB979906)
                                                        Microsoft .NET Framework 2.0 Service Pack 2
                                                        Microsoft .NET Framework 3.0 Service Pack 2
                                                        Microsoft .NET Framework 3.5 SP1
                                                        Microsoft .NET Framework 4 Client Profile
                                                        Microsoft .NET Framework 4 Extended
                                                        Microsoft Antimalware
                                                        Microsoft Application Error Reporting
                                                        Microsoft Base Smart Card Cryptographic Service Provider Package
                                                        Microsoft Compression Client Pack 1.0 for Windows XP
                                                        Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
                                                        Microsoft Office 2000 Premium
                                                        Microsoft Security Client
                                                        Microsoft Security Essentials
                                                        Microsoft UI Engine
                                                        Microsoft User-Mode Driver Framework Feature Pack 1.9
                                                        Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
                                                        Microsoft Visual C++ 2005 Redistributable
                                                        Microsoft WinUsb 1.0
                                                        Movie Templates - Starter Kit
                                                        MSXML 4.0 SP2 (KB954430)
                                                        MSXML 4.0 SP2 (KB973688)
                                                        MSXML 6 Service Pack 2 (KB954459)
                                                        Napster
                                                        Napster Burn Engine
                                                        Nero 9 Essentials
                                                        Nero BurnRights
                                                        Nero BurnRights Help
                                                        Nero ControlCenter
                                                        Nero CoverDesigner
                                                        Nero CoverDesigner Help
                                                        Nero DiscSpeed
                                                        Nero DiscSpeed Help
                                                        Nero DriveSpeed
                                                        Nero DriveSpeed Help
                                                        Nero Express Help
                                                        Nero InfoTool
                                                        Nero InfoTool Help
                                                        Nero Installer
                                                        Nero Online Upgrade
                                                        Nero Rescue Agent
                                                        Nero ShowTime
                                                        Nero StartSmart
                                                        Nero StartSmart Help
                                                        Nero Vision
                                                        Nero Vision Help
                                                        NeroExpress
                                                        neroxml
                                                        NVIDIA Control Panel 275.33
                                                        NVIDIA Drivers
                                                        NVIDIA Graphics Driver 275.33
                                                        NVIDIA Install Application
                                                        NVIDIA nView 135.85
                                                        NVIDIA nView Desktop Manager
                                                        NVIDIA Update 1.3.5
                                                        NVIDIA Update Components
                                                        Pinnacle Creative Pack Volume 2
                                                        Pinnacle Studio 14
                                                        Pinnacle Studio Ultimate Plugins
                                                        Pinnacle Video Driver
                                                        Realtek High Definition Audio Driver
                                                        Red Giant ToonIt Studio
                                                        Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
                                                        Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
                                                        Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
                                                        Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
                                                        Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
                                                        Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
                                                        Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
                                                        Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
                                                        Security Update for Microsoft Windows (KB2564958)
                                                        Security Update for Windows Internet Explorer 8 (KB2183461)
                                                        Security Update for Windows Internet Explorer 8 (KB2360131)
                                                        Security Update for Windows Internet Explorer 8 (KB2416400)
                                                        Security Update for Windows Internet Explorer 8 (KB2482017)
                                                        Security Update for Windows Internet Explorer 8 (KB2497640)
                                                        Security Update for Windows Internet Explorer 8 (KB2510531)
                                                        Security Update for Windows Internet Explorer 8 (KB2530548)
                                                        Security Update for Windows Internet Explorer 8 (KB2544521)
                                                        Security Update for Windows Internet Explorer 8 (KB2559049)
                                                        Security Update for Windows Internet Explorer 8 (KB2586448)
                                                        Security Update for Windows Internet Explorer 8 (KB2618444)
                                                        Security Update for Windows Internet Explorer 8 (KB971961)
                                                        Security Update for Windows Internet Explorer 8 (KB972260)
                                                        Security Update for Windows Internet Explorer 8 (KB974455)
                                                        Security Update for Windows Internet Explorer 8 (KB976325)
                                                        Security Update for Windows Internet Explorer 8 (KB978207)
                                                        Security Update for Windows Internet Explorer 8 (KB981332)
                                                        Security Update for Windows Internet Explorer 8 (KB982381)
                                                        Security Update for Windows Media Player (KB2378111)
                                                        Security Update for Windows Media Player (KB911564)
                                                        Security Update for Windows Media Player (KB952069)
                                                        Security Update for Windows Media Player (KB954155)
                                                        Security Update for Windows Media Player (KB968816)
                                                        Security Update for Windows Media Player (KB973540)
                                                        Security Update for Windows Media Player (KB975558)
                                                        Security Update for Windows Media Player (KB978695)
                                                        Security Update for Windows Media Player 11 (KB936782)
                                                        Security Update for Windows Media Player 11 (KB954154)
                                                        Security Update for Windows Media Player 6.4 (KB925398)
                                                        Security Update for Windows Media Player 9 (KB936782)
                                                        Security Update for Windows Search 4 - KB963093
                                                        Security Update for Windows XP (KB2079403)
                                                        Security Update for Windows XP (KB2115168)
                                                        Security Update for Windows XP (KB2121546)
                                                        Security Update for Windows XP (KB2160329)
                                                        Security Update for Windows XP (KB2229593)
                                                        Security Update for Windows XP (KB2259922)
                                                        Security Update for Windows XP (KB2279986)
                                                        Security Update for Windows XP (KB2286198)
                                                        Security Update for Windows XP (KB2296011)
                                                        Security Update for Windows XP (KB2296199)
                                                        Security Update for Windows XP (KB2347290)
                                                        Security Update for Windows XP (KB2360937)
                                                        Security Update for Windows XP (KB2387149)
                                                        Security Update for Windows XP (KB2393802)
                                                        Security Update for Windows XP (KB2412687)
                                                        Security Update for Windows XP (KB2419632)
                                                        Security Update for Windows XP (KB2423089)
                                                        Security Update for Windows XP (KB2436673)
                                                        Security Update for Windows XP (KB2440591)
                                                        Security Update for Windows XP (KB2443105)
                                                        Security Update for Windows XP (KB2476490)
                                                        Security Update for Windows XP (KB2476687)
                                                        Security Update for Windows XP (KB2478960)
                                                        Security Update for Windows XP (KB2478971)
                                                        Security Update for Windows XP (KB2479628)
                                                        Security Update for Windows XP (KB2479943)
                                                        Security Update for Windows XP (KB2481109)
                                                        Security Update for Windows XP (KB2483185)
                                                        Security Update for Windows XP (KB2485376)
                                                        Security Update for Windows XP (KB2485663)
                                                        Security Update for Windows XP (KB2491683)
                                                        Security Update for Windows XP (KB2503658)
                                                        Security Update for Windows XP (KB2503665)
                                                        Security Update for Windows XP (KB2506212)
                                                        Security Update for Windows XP (KB2506223)
                                                        Security Update for Windows XP (KB2507618)
                                                        Security Update for Windows XP (KB2507938)
                                                        Security Update for Windows XP (KB2508272)
                                                        Security Update for Windows XP (KB2508429)
                                                        Security Update for Windows XP (KB2509553)
                                                        Security Update for Windows XP (KB2511455)
                                                        Security Update for Windows XP (KB2524375)
                                                        Security Update for Windows XP (KB2535512)
                                                        Security Update for Windows XP (KB2536276-v2)
                                                        Security Update for Windows XP (KB2536276)
                                                        Security Update for Windows XP (KB2544893-v2)
                                                        Security Update for Windows XP (KB2544893)
                                                        Security Update for Windows XP (KB2555917)
                                                        Security Update for Windows XP (KB2562937)
                                                        Security Update for Windows XP (KB2566454)
                                                        Security Update for Windows XP (KB2567053)
                                                        Security Update for Windows XP (KB2567680)
                                                        Security Update for Windows XP (KB2570222)
                                                        Security Update for Windows XP (KB2570947)
                                                        Security Update for Windows XP (KB2592799)
                                                        Security Update for Windows XP (KB2618451)
                                                        Security Update for Windows XP (KB2619339)
                                                        Security Update for Windows XP (KB2620712)
                                                        Security Update for Windows XP (KB2624667)
                                                        Security Update for Windows XP (KB2633171)
                                                        Security Update for Windows XP (KB2639417)
                                                        Security Update for Windows XP (KB923561)
                                                        Security Update for Windows XP (KB923789)
                                                        Security Update for Windows XP (KB938464-v2)
                                                        Security Update for Windows XP (KB941569)
                                                        Security Update for Windows XP (KB946648)
                                                        Security Update for Windows XP (KB950762)
                                                        Security Update for Windows XP (KB950974)
                                                        Security Update for Windows XP (KB951066)
                                                        Security Update for Windows XP (KB951376-v2)
                                                        Security Update for Windows XP (KB951748)
                                                        Security Update for Windows XP (KB952004)
                                                        Security Update for Windows XP (KB952954)
                                                        Security Update for Windows XP (KB954459)
                                                        Security Update for Windows XP (KB954600)
                                                        Security Update for Windows XP (KB955069)
                                                        Security Update for Windows XP (KB956572)
                                                        Security Update for Windows XP (KB956744)
                                                        Security Update for Windows XP (KB956802)
                                                        Security Update for Windows XP (KB956803)
                                                        Security Update for Windows XP (KB956844)
                                                        Security Update for Windows XP (KB957097)
                                                        Security Update for Windows XP (KB958644)
                                                        Security Update for Windows XP (KB958687)
                                                        Security Update for Windows XP (KB958869)
                                                        Security Update for Windows XP (KB959426)
                                                        Security Update for Windows XP (KB960225)
                                                        Security Update for Windows XP (KB960803)
                                                        Security Update for Windows XP (KB960859)
                                                        Security Update for Windows XP (KB961371)
                                                        Security Update for Windows XP (KB961501)
                                                        Security Update for Windows XP (KB968537)
                                                        Security Update for Windows XP (KB969059)
                                                        Security Update for Windows XP (KB969947)
                                                        Security Update for Windows XP (KB970238)
                                                        Security Update for Windows XP (KB970430)
                                                        Security Update for Windows XP (KB971468)
                                                        Security Update for Windows XP (KB971486)
                                                        Security Update for Windows XP (KB971557)
                                                        Security Update for Windows XP (KB971633)
                                                        Security Update for Windows XP (KB971657)
                                                        Security Update for Windows XP (KB972260)
                                                        Security Update for Windows XP (KB972270)
                                                        Security Update for Windows XP (KB973346)
                                                        Security Update for Windows XP (KB973354)
                                                        Security Update for Windows XP (KB973507)
                                                        Security Update for Windows XP (KB973525)
                                                        Security Update for Windows XP (KB973869)
                                                        Security Update for Windows XP (KB973904)
                                                        Security Update for Windows XP (KB974112)
                                                        Security Update for Windows XP (KB974318)
                                                        Security Update for Windows XP (KB974392)
                                                        Security Update for Windows XP (KB974571)
                                                        Security Update for Windows XP (KB975025)
                                                        Security Update for Windows XP (KB975467)
                                                        Security Update for Windows XP (KB975560)
                                                        Security Update for Windows XP (KB975561)
                                                        Security Update for Windows XP (KB975562)
                                                        Security Update for Windows XP (KB975713)
                                                        Security Update for Windows XP (KB977165)
                                                        Security Update for Windows XP (KB977816)
                                                        Security Update for Windows XP (KB977914)
                                                        Security Update for Windows XP (KB978037)
                                                        Security Update for Windows XP (KB978251)
                                                        Security Update for Windows XP (KB978262)
                                                        Security Update for Windows XP (KB978338)
                                                        Security Update for Windows XP (KB978542)
                                                        Security Update for Windows XP (KB978601)
                                                        Security Update for Windows XP (KB978706)
                                                        Security Update for Windows XP (KB979309)
                                                        Security Update for Windows XP (KB979482)
                                                        Security Update for Windows XP (KB979559)
                                                        Security Update for Windows XP (KB979683)
                                                        Security Update for Windows XP (KB979687)
                                                        Security Update for Windows XP (KB980195)
                                                        Security Update for Windows XP (KB980218)
                                                        Security Update for Windows XP (KB980232)
                                                        Security Update for Windows XP (KB980436)
                                                        Security Update for Windows XP (KB981322)
                                                        Security Update for Windows XP (KB981852)
                                                        Security Update for Windows XP (KB981957)
                                                        Security Update for Windows XP (KB981997)
                                                        Security Update for Windows XP (KB982132)
                                                        Security Update for Windows XP (KB982214)
                                                        Security Update for Windows XP (KB982665)
                                                        Security Update for Windows XP (KB982802)
                                                        SUPERAntiSpyware
                                                        Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
                                                        Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
                                                        Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
                                                        Update for Microsoft .NET Framework 4 Extended (KB2468871)
                                                        Update for Microsoft .NET Framework 4 Extended (KB2533523)
                                                        Update for Microsoft Windows (KB971513)
                                                        Update for Windows Internet Explorer 8 (KB2362765)
                                                        Update for Windows Internet Explorer 8 (KB2447568)
                                                        Update for Windows Internet Explorer 8 (KB972636)
                                                        Update for Windows Internet Explorer 8 (KB973874)
                                                        Update for Windows Internet Explorer 8 (KB975364)
                                                        Update for Windows Internet Explorer 8 (KB976662)
                                                        Update for Windows Internet Explorer 8 (KB976749)
                                                        Update for Windows Internet Explorer 8 (KB980182)
                                                        Update for Windows Internet Explorer 8 (KB980302)
                                                        Update for Windows XP (KB2141007)
                                                        Update for Windows XP (KB2345886)
                                                        Update for Windows XP (KB2467659)
                                                        Update for Windows XP (KB2492386)
                                                        Update for Windows XP (KB2541763)
                                                        Update for Windows XP (KB2607712)
                                                        Update for Windows XP (KB2616676-v2)
                                                        Update for Windows XP (KB2641690)
                                                        Update for Windows XP (KB943729)
                                                        Update for Windows XP (KB951978)
                                                        Update for Windows XP (KB955759)
                                                        Update for Windows XP (KB955839)
                                                        Update for Windows XP (KB967715)
                                                        Update for Windows XP (KB968389)
                                                        Update for Windows XP (KB971029)
                                                        Update for Windows XP (KB971737)
                                                        Update for Windows XP (KB973687)
                                                        Update for Windows XP (KB973815)
                                                        WebFldrs XP
                                                        Windows Genuine Advantage Notifications (KB905474)
                                                        Windows Genuine Advantage Validation Tool (KB892130)
                                                        Windows Imaging Component
                                                        Windows Internet Explorer 8
                                                        Windows Live ID Sign-in Assistant
                                                        Windows Management Framework Core
                                                        Windows Media Format 11 runtime
                                                        Windows Media Format SDK Hotfix - KB891122
                                                        Windows Media Player 11
                                                        Windows PowerShell(TM) 1.0 MUI pack
                                                        Windows Search 4.0
                                                        Windows XP Service Pack 3
                                                        Yahoo! Detect
                                                        Zune
                                                        Zune Language Pack (DE)
                                                        Zune Language Pack (ES)
                                                        Zune Language Pack (FR)
                                                        Zune Language Pack (IT)
                                                        .
                                                        ==== Event Viewer Messages From Past Week ========
                                                        .
                                                        1/4/2012 9:38:09 AM, error: Service Control Manager [7000]  - The MCSTRM service failed to start due to the following error:  The system cannot find the file specified.
                                                        1/4/2012 4:16:06 AM, error: Service Control Manager [7023]  - The Network Location Awareness (NLA) service terminated with the following error:  The specified procedure could not be found.
                                                        1/11/2012 5:50:09 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 5:28:50 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000048.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 5:28:50 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 4:59:37 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: HOME-D8A73CBAEE\Annette    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 3:51:15 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 3:23:46 PM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x8e5e0442: Automatic Updates.
                                                        1/11/2012 2:51:39 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000048.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 2:51:39 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 2:40:00 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 12:23:11 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000048.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: User    User: NT AUTHORITY\SYSTEM    Process Name: Unknown    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 12:23:11 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: User    User: NT AUTHORITY\SYSTEM    Process Name: Unknown    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 11:54:14 AM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        1/11/2012 10:46:02 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.2196.0    Update Source: Microsoft Malware Protection Center    Update Stage: Install    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.2196.0&asdelta=1.117.2196.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80070652    Error description: Another installation is already in progress.  Complete that installation before proceeding with this install.
                                                        1/11/2012 10:46:02 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.2196.0    Update Source: Microsoft Malware Protection Center    Update Stage: Install    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.2196.0&asdelta=1.117.2196.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80070652    Error description: Another installation is already in progress.  Complete that installation before proceeding with this install.
                                                        1/11/2012 10:46:02 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.2196.0    Update Source: Microsoft Malware Protection Center    Update Stage: Install    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.2196.0&asdelta=1.117.2196.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiSpyware    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80070652    Error description: Another installation is already in progress.  Complete that installation before proceeding with this install.
                                                        1/11/2012 10:46:02 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.2196.0    Update Source: Microsoft Malware Protection Center    Update Stage: Install    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7903.0&avdelta=1.117.2196.0&asdelta=1.117.2196.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094    Signature Type: AntiSpyware    Update Type: Full    User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x80070652    Error description: Another installation is already in progress.  Complete that installation before proceeding with this install.
                                                        1/11/2012 10:45:55 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version:     Update Source: User    Update Stage: Install    Source Path:     Signature Type:     Update Type:     User: NT AUTHORITY\NETWORK SERVICE    Current Engine Version:     Previous Engine Version:     Error code: 0x80070652    Error description: Another installation is already in progress.  Complete that installation before proceeding with this install.
                                                        1/11/2012 10:45:38 AM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.117.2196.0    Update Source: Microsoft Update Server    Update Stage: Search    Source Path: Default URL    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\SYSTEM    Current Engine Version:     Previous Engine Version: 1.1.7903.0    Error code: 0x8024400a    Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
                                                        1/11/2012 10:31:46 AM, error: Service Control Manager [7023]  - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:  An address incompatible with the requested protocol was used.
                                                        1/11/2012 10:31:46 AM, error: Service Control Manager [7023]  - The IPSEC Services service terminated with the following error:  The support for the specified socket type does not exist in this address family.
                                                        1/11/2012 10:22:37 AM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
                                                        1/11/2012 10:22:06 AM, error: Disk [11]  - The driver detected a controller error on \Device\Harddisk0\D.
                                                        1/11/2012 10:22:06 AM, error: atapi [5]  - A parity error was detected on \Device\Ide\IdePort0.
                                                        1/11/2012 1:34:21 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496    Name: Virus:Win32/Sirefef.N    ID: 2147652496    Severity: Severe    Category: Virus    Path: file:_C:\System Volume Information\_restore{EC171A89-4CD3-4358-AEFC-488A505E412C}\RP1\A0000022.sys    Detection Origin: Local machine    Detection Type: Concrete    Detection Source: Real-Time Protection    User: NT AUTHORITY\SYSTEM    Process Name: C:\WINDOWS\system32\svchost.exe    Action: Clean    Action Status:  To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.     Error Code: 0x800704ec    Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.     Signature Version: AV: 1.117.2670.0, AS: 1.117.2670.0, NIS: 0.0.0.0    Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
                                                        .
                                                        ==== End Of File ===========================

                                                        nasroo7

                                                          « Reply #34 on: January 11, 2012, 04:24:48 PM »
                                                          At the same time, I cannot run Microsoft Updates.
                                                          It asks me to install the ADD-on of Microsoft Updates,

                                                          then...
                                                          "Checking if your computer has the latest version of windows updating software for use with the website..."

                                                          and then...
                                                          Error: 0x8DDD0004

                                                          I'm trying to look up online what it is...





                                                          SuperDave

                                                          • Malware Removal Specialist
                                                          • Moderator


                                                          « Reply #35 on: January 11, 2012, 04:27:40 PM »
                                                          • Please download Dial-A-Fix from one of the following mirrors:

                                                          Primary mirror
                                                          Secondary mirror

                                                          • Extract the zip file to your desktop.

                                                          • Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors, just ignore them and Click
                                                          to continue.

                                                          • Press the green double checkmark box (Looks like this:

                                                          UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:

                                                          • Click on Go

                                                          • Wait for Dial-A-Fix to finish (All the check marks will be all gone)

                                                          • Close Dial-A-Fix
                                                          ******************************************************
                                                          Please download ComboFix from BleepingComputer.com

                                                          Alternate link: GeeksToGo.com

                                                          and save it to your Desktop.
                                                          It would be easiest to download using Internet Explorer.
                                                          If you want to use Firefox, make sure that your download settings are as follows:

                                                          * Tools->Options->Main tab
                                                          * Set to "Always ask me where to Save the files".

                                                          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
                                                          Double click ComboFix.exe & follow the prompts.
                                                          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
                                                          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

                                                          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                                                          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


                                                          Click on Yes, to continue scanning for malware.
                                                          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                                                          If you have problems with ComboFix usage, see How to use ComboFix

                                                          nasroo7

                                                            « Reply #36 on: January 11, 2012, 04:29:23 PM »
                                                            OK, I'll do it right now

                                                            nasroo7

                                                              « Reply #37 on: January 11, 2012, 04:36:40 PM »
                                                              DIAL A FIX


                                                              After I clicked on GO, it was doing its job, and I had error messages:

                                                              "Error 127: C:\windows\system32\iesetup.dll is not registrable or the file is corrupted. Your version of iesetup.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Your version of iesetup.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\imgulti.dll is not registrable or the file is corrupted. Your version of imgulti.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\inseng.dll is not registrable or the file is corrupted. Your version of inseng.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Your version of inseng.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\mshtml.dll is not registrable or the file is corrupted. Your version of mshtml.dll is: 8.00.6001.19170. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Your version of mshtml.dll is: 8.00.6001.19170. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\msrating.dll is not registrable or the file is corrupted. Your version of msrating.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\occache.dll is not registrable or the file is corrupted. Your version of occache.dll is: 8.00.6001.19165. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\occache.dll is not DLLInstall-able or the file is corrupted. Your version of occache.dll is: 8.00.6001.19165. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\pngfilt.dll is not DLLInstall-able or the file is corrupted. Your version of pngfilt.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\webcheck.dll is not registrable or the file is corrupted. Your version of webcheck.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              "Error 127: C:\windows\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Your version of webcheck.dll is: 8.00.6001.18702. Please contact dial-a-fix... so an exception can be made for your version of this file" > Clicked on OK.

                                                              nasroo7

                                                                « Reply #38 on: January 11, 2012, 04:39:45 PM »
                                                                and just had a message from MSEssentials...

                                                                 MSEssentials detected items on your computer that may have not been yet classified for risks.
                                                                Sending the files listed.... etc
                                                                C:\32788RR22FWJFW\iexplore.exe

                                                                SuperDave

                                                                • Malware Removal Specialist
                                                                • Moderator


                                                                « Reply #39 on: January 11, 2012, 04:46:39 PM »
                                                                Please run ComboFix and post the log.

                                                                nasroo7

                                                                  « Reply #40 on: January 11, 2012, 05:09:30 PM »
                                                                  Quote
                                                                  Please run ComboFix and post the log.
                                                                  I was running it, I just thought that I should tell you whatever happens to the computer :S




                                                                  ComboFix 12-01-10.02 - Annette 01/11/2012  18:52:59.3.2 - x86
                                                                  Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1790.1089 [GMT -5:00]
                                                                  Running from: c:\documents and settings\Annette\Desktop\ComboFix.exe
                                                                  AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
                                                                  .
                                                                  .
                                                                  (((((((((((((((((((((((((   Files Created from 2011-12-12 to 2012-01-12  )))))))))))))))))))))))))))))))
                                                                  .
                                                                  .
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   9310   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   8646   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   6429   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   63115   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   5927   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   4599   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   8613   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   6910   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
                                                                  2012-01-11 23:58 . 2012-01-11 23:58   1651   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   8288   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   6208   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   18541   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   7271   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   51852   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   23327   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   20719   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   8782   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
                                                                  2012-01-11 23:57 . 2012-01-11 23:57   56200   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AB00538-6F5A-4085-B170-2A97F95F30EF}\offreg.dll
                                                                  2012-01-11 23:34 . 2012-01-11 23:52   --------   d-----w-   c:\windows\system32\CatRoot2
                                                                  2012-01-11 21:39 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                                                  2012-01-11 19:05 . 2012-01-11 19:05   --------   d-----w-   c:\documents and settings\Annette\Application Data\SUPERAntiSpyware.com
                                                                  2012-01-11 19:05 . 2012-01-11 19:05   --------   d-----w-   c:\program files\SUPERAntiSpyware
                                                                  2012-01-11 15:45 . 2011-11-21 10:47   6823496   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AB00538-6F5A-4085-B170-2A97F95F30EF}\mpengine.dll
                                                                  2012-01-09 21:19 . 2012-01-09 21:19   --------   d-----w-   c:\windows\system32\wbem\Repository
                                                                  2012-01-09 19:25 . 2012-01-09 21:18   --------   dcs---w-   c:\documents and settings\Administrator
                                                                  2012-01-07 00:17 . 2008-04-13 20:18   52480   -c--a-w-   c:\windows\system32\dllcache\i8042prt.sys
                                                                  2012-01-07 00:17 . 2008-04-13 20:18   52480   ----a-w-   c:\windows\system32\drivers\i8042prt.sys
                                                                  2012-01-06 19:55 . 2004-08-04 03:31   20992   -c--a-w-   c:\windows\system32\dllcache\rtl8139.sys
                                                                  2012-01-06 19:55 . 2004-08-04 03:31   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
                                                                  2012-01-06 19:12 . 2008-04-13 19:39   14592   -c--a-w-   c:\windows\system32\dllcache\kbdhid.sys
                                                                  2012-01-06 18:55 . 2008-04-13 19:39   14592   ----a-w-   c:\windows\system32\drivers\kbdhid.sys
                                                                  2012-01-06 15:12 . 2001-08-17 18:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                                                                  2012-01-06 15:12 . 2001-08-17 18:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                                                                  2012-01-06 15:12 . 2008-04-13 19:45   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
                                                                  2012-01-06 15:12 . 2008-04-13 19:45   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
                                                                  2012-01-05 19:47 . 2012-01-05 19:47   --------   d-----w-   c:\documents and settings\Annette\Local Settings\Application Data\PCHealth
                                                                  2012-01-05 18:00 . 2012-01-05 18:00   --------   d-----w-   c:\program files\Common Files\Java
                                                                  2012-01-05 15:41 . 2012-01-05 16:18   --------   dc----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                                                                  2012-01-05 15:41 . 2012-01-05 17:42   --------   d-----w-   c:\program files\Spybot - Search & Destroy 2
                                                                  2012-01-05 01:21 . 2012-01-05 01:21   --------   dc----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                                                                  2012-01-04 22:06 . 2012-01-04 22:06   --------   d-----w-   c:\documents and settings\Annette\Application Data\Malwarebytes
                                                                  2012-01-03 23:40 . 2012-01-03 23:40   --------   dc----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                                                                  2012-01-03 23:40 . 2012-01-11 21:58   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                                                                  2011-12-23 22:36 . 2008-04-13 19:45   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
                                                                  2011-12-23 22:36 . 2008-04-13 19:45   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
                                                                  2011-12-18 22:26 . 2011-12-18 22:26   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
                                                                  .
                                                                  .
                                                                  .
                                                                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                                                  .
                                                                  2011-12-15 01:15 . 2011-05-18 00:55   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                                                                  2011-11-23 13:25 . 2006-02-28 12:00   1859584   ----a-w-   c:\windows\system32\win32k.sys
                                                                  2011-11-21 10:47 . 2011-10-20 13:04   6823496   -c--a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
                                                                  2011-11-15 19:29 . 2011-09-28 22:48   222080   ------w-   c:\windows\system32\MpSigStub.exe
                                                                  2011-11-10 10:54 . 2010-06-21 13:06   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                                                                  2011-11-10 08:27 . 2009-09-02 23:18   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                                                                  2011-11-04 19:20 . 2006-02-28 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
                                                                  2011-11-04 19:20 . 2006-02-28 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                                                                  2011-11-04 19:20 . 2006-02-28 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
                                                                  2011-11-04 11:23 . 2006-02-28 12:00   385024   ----a-w-   c:\windows\system32\html.iec
                                                                  2011-11-01 16:07 . 2006-02-28 12:00   1288704   ----a-w-   c:\windows\system32\ole32.dll
                                                                  2011-10-28 05:31 . 2006-02-28 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                                                                  2011-10-25 13:37 . 2006-02-28 12:00   2148864   ----a-w-   c:\windows\system32\ntoskrnl.exe
                                                                  2011-10-25 12:52 . 2004-08-03 22:59   2027008   ----a-w-   c:\windows\system32\ntkrnlpa.exe
                                                                  2011-10-18 11:13 . 2006-02-28 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
                                                                  .
                                                                  .
                                                                  (((((((((((((((((((((((((((((   SnapShot@2012-01-07_00.23.06   )))))))))))))))))))))))))))))))))))))))))
                                                                  .
                                                                  + 2012-01-11 23:55 . 2012-01-11 23:55   16384              c:\windows\Temp\Perflib_Perfdata_c48.dat
                                                                  + 2012-01-11 23:57 . 2012-01-11 23:57   16384              c:\windows\Temp\Perflib_Perfdata_7a8.dat
                                                                  - 2011-12-15 00:59 . 2010-07-05 13:15   26488              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\update\spcustom.dll
                                                                  - 2011-12-15 00:59 . 2010-07-05 13:15   17272              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\spmsg.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   12800              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\xpshims.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   66560              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\mshtmled.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   55296              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\msfeedsbs.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   43520              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\licmgr10.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   25600              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\jsproxy.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   12800              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\xpshims.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   66560              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\mshtmled.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   55296              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\msfeedsbs.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   43520              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\licmgr10.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   25600              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\jsproxy.dll
                                                                  + 2012-01-09 21:22 . 2012-01-11 23:33   1958              c:\windows\SoftwareDistribution\EventCache\{4B172D2F-91AA-4A15-84B6-413906BAFE6C}.bin
                                                                  + 2012-01-06 19:10 . 2012-01-09 21:19   410164              c:\windows\system32\Restore\rstrlog.dat
                                                                  - 2011-12-15 00:59 . 2010-07-05 13:16   382840              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\update\updspapi.dll
                                                                  - 2011-12-15 00:59 . 2010-07-05 13:15   755576              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\update\update.exe
                                                                  - 2011-12-15 00:59 . 2010-07-05 13:15   231288              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\spuninst.exe
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   919552              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\wininet.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   105984              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\url.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   206848              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\occache.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   611840              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\mstime.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   602112              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\msfeeds.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   247808              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\ieproxy.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   184320              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\iepeers.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   743424              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\iedvtool.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   387584              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\iedkcs32.dll
                                                                  - 2011-12-15 00:59 . 2011-10-25 12:01   174080              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\ie4uinit.exe
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   916992              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\wininet.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   105984              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\url.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   206848              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\occache.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   611840              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\mstime.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   602112              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\msfeeds.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   247808              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\ieproxy.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   184320              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\iepeers.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   743424              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\iedvtool.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   387584              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\iedkcs32.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 11:24   174080              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\ie4uinit.exe
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   1214464              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\urlmon.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   5978624              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\mshtml.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:19   2001408              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\iertutil.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   1212416              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\urlmon.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   5978112              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\mshtml.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   2000384              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\iertutil.dll
                                                                  - 2011-11-05 19:19 . 2011-11-05 19:19   11083776              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3QFE\ieframe.dll
                                                                  - 2011-12-15 00:59 . 2011-11-04 19:20   11081728              c:\windows\SoftwareDistribution\Download\6d96dffc598263b266d998c5ef2cef5f\SP3GDR\ieframe.dll
                                                                  .
                                                                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                                                  .
                                                                  .
                                                                  *Note* empty entries & legit default entries are not shown
                                                                  REGEDIT4
                                                                  .
                                                                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
                                                                  "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
                                                                  "USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
                                                                  "RTHDCPL"="RTHDCPL.EXE" [2008-09-24 16859648]
                                                                  "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-21 111208]
                                                                  "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
                                                                  "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
                                                                  "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
                                                                  .
                                                                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                                                                  "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
                                                                  .
                                                                  c:\documents and settings\All Users\Start Menu\Programs\Startup\
                                                                  Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
                                                                  Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
                                                                  .
                                                                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                                                  "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
                                                                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                                                  2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                                                                  BootExecute   REG_MULTI_SZ      autocheck autochk *\0\0sdnclean.exe
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                                                                  @="Service"
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                                                                  @="Driver"
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
                                                                  @="Service"
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                                                                  "SeaPort"=2 (0x2)
                                                                  "BBSvc"=3 (0x3)
                                                                  .
                                                                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                                                                  "DisableNotifications"= 1 (0x1)
                                                                  .
                                                                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                                                  "%windir%\\system32\\sessmgr.exe"=
                                                                  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                                                                  "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
                                                                  "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
                                                                  "c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=
                                                                  "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
                                                                  .
                                                                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                                                                  "1177:UDP"= 1177:UDP:Windows Media Format SDK (napster.exe)
                                                                  "1176:UDP"= 1176:UDP:Windows Media Format SDK (napster.exe)
                                                                  "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
                                                                  .
                                                                  R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/3/2009 10:58 AM 13696]
                                                                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
                                                                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
                                                                  R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [9/12/2011 7:42 AM 2214504]
                                                                  S1 MpKsl607219cb;MpKsl607219cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{095F5527-8ED3-4BFF-B87D-BFFD993E4B45}\MpKsl607219cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{095F5527-8ED3-4BFF-B87D-BFFD993E4B45}\MpKsl607219cb.sys [?]
                                                                  S1 MpKslcf261482;MpKslcf261482;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81A36EA3-D5B6-4B81-9E48-F2179236A830}\MpKslcf261482.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81A36EA3-D5B6-4B81-9E48-F2179236A830}\MpKslcf261482.sys [?]
                                                                  S1 MpKsldab21d7e;MpKsldab21d7e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AB00538-6F5A-4085-B170-2A97F95F30EF}\MpKsldab21d7e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AB00538-6F5A-4085-B170-2A97F95F30EF}\MpKsldab21d7e.sys [?]
                                                                  S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
                                                                  S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 7:00 AM 14336]
                                                                  S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
                                                                  .
                                                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                                                                  WINRM   REG_MULTI_SZ      WINRM
                                                                  .
                                                                  Contents of the 'Scheduled Tasks' folder
                                                                  .
                                                                  2012-01-12 c:\windows\Tasks\MP Scheduled Scan.job
                                                                  - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
                                                                  .
                                                                  .
                                                                  ------- Supplementary Scan -------
                                                                  .
                                                                  uStart Page = hxxp://www.rr.com/
                                                                  TCP: DhcpNameServer = 192.168.0.1
                                                                  DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
                                                                  .
                                                                  .
                                                                  **************************************************************************
                                                                  .
                                                                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                                  Rootkit scan 2012-01-11 19:03
                                                                  Windows 5.1.2600 Service Pack 3 NTFS
                                                                  .
                                                                  scanning hidden processes ... 
                                                                  .
                                                                  scanning hidden autostart entries ...
                                                                  .
                                                                  scanning hidden files ... 
                                                                  .
                                                                  scan completed successfully
                                                                  hidden files: 0
                                                                  .
                                                                  **************************************************************************
                                                                  .
                                                                  --------------------- DLLs Loaded Under Running Processes ---------------------
                                                                  .
                                                                  - - - - - - - > 'winlogon.exe'(708)
                                                                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                                                  c:\windows\system32\WININET.dll
                                                                  .
                                                                  - - - - - - - > 'explorer.exe'(3140)
                                                                  c:\windows\system32\WININET.dll
                                                                  c:\program files\Windows Desktop Search\deskbar.dll
                                                                  c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
                                                                  c:\program files\Windows Desktop Search\dbres.dll
                                                                  c:\program files\Windows Desktop Search\wordwheel.dll
                                                                  c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
                                                                  c:\program files\Windows Desktop Search\msnlExtRes.dll
                                                                  c:\windows\system32\ieframe.dll
                                                                  c:\windows\system32\msi.dll
                                                                  c:\windows\system32\webcheck.dll
                                                                  c:\windows\system32\WPDShServiceObj.dll
                                                                  c:\windows\system32\PortableDeviceTypes.dll
                                                                  c:\windows\system32\PortableDeviceApi.dll
                                                                  .
                                                                  ------------------------ Other Running Processes ------------------------
                                                                  .
                                                                  c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
                                                                  c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
                                                                  c:\program files\Java\jre6\bin\jqs.exe
                                                                  c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
                                                                  c:\windows\system32\nvsvc32.exe
                                                                  c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
                                                                  c:\windows\system32\SearchIndexer.exe
                                                                  c:\windows\system32\ZuneBusEnum.exe
                                                                  c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
                                                                  c:\windows\system32\wscntfy.exe
                                                                  c:\windows\RTHDCPL.EXE
                                                                  c:\windows\system32\RUNDLL32.EXE
                                                                  c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
                                                                  .
                                                                  **************************************************************************
                                                                  .
                                                                  Completion time: 2012-01-11  19:06:45 - machine was rebooted
                                                                  ComboFix-quarantined-files.txt  2012-01-12 00:06
                                                                  ComboFix2.txt  2012-01-07 00:50
                                                                  ComboFix3.txt  2012-01-07 00:26
                                                                  .
                                                                  Pre-Run: 126,430,269,440 bytes free
                                                                  Post-Run: 126,475,194,368 bytes free
                                                                  .
                                                                  WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                                                                  [boot loader]
                                                                  timeout=2
                                                                  default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                                                                  [operating systems]
                                                                  c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                                                                  UnsupportedDebug="do not select this" /debug
                                                                  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
                                                                  .
                                                                  - - End Of File - - 8F02A8C1EAC2F79F6B46C57D502D2325

                                                                  SuperDave

                                                                  Re: No Internet Access after virus removal :(
                                                                  « Reply #41 on: January 12, 2012, 12:02:30 PM »
                                                                  Quote
                                                                  I was running it, I just thought that I should tell you whatever happens to the computer :S
                                                                  That's cool.

                                                                  SysProt Antirootkit

                                                                  Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                                                                  http://sites.google.com/site/sysprotantirootkit/

                                                                  Unzip it into a folder on your desktop.
                                                                  • Double click Sysprot.exe to start the program.
                                                                  • Click on the Log tab.
                                                                  • In the Write to log box select the following items.
                                                                    • Process << Selected
                                                                    • Kernel Modules << Selected
                                                                    • SSDT << Selected
                                                                    • Kernel Hooks << Selected
                                                                    • IRP Hooks << NOT Selected
                                                                    • Ports << NOT Selected
                                                                    • Hidden Files << Selected
                                                                  • At the bottom of the page
                                                                    • Hidden Objects Only << Selected
                                                                  • Click on the Create Log button on the bottom right.
                                                                  • After a few seconds a new window should appear.
                                                                  • Select Scan Root Drive. Click on the Start button.
                                                                  • When it is complete a new window will appear to indicate that the scan is finished.
                                                                  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                                                                  Windows 8 and Windows 10 dual boot with two SSD's

                                                                  nasroo7

                                                                    Re: No Internet Access after virus removal :(
                                                                    « Reply #42 on: January 12, 2012, 01:09:53 PM »
                                                                    SysProt AntiRootkit v1.0.1.0
                                                                    by swatkat

                                                                    ******************************************************************************************
                                                                    ******************************************************************************************

                                                                    No Hidden Processes found

                                                                    ******************************************************************************************
                                                                    ******************************************************************************************
                                                                    Kernel Modules:
                                                                    Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                                                                    Service Name: ---
                                                                    Module Base: B2D4A000
                                                                    Module End: B2D62000
                                                                    Hidden: Yes

                                                                    Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                                                                    Service Name: ---
                                                                    Module Base: B8638000
                                                                    Module End: B863A000
                                                                    Hidden: Yes

                                                                    ******************************************************************************************
                                                                    ******************************************************************************************
                                                                    SSDT:
                                                                    Function Name: ZwTerminateProcess
                                                                    Address: B2E55620
                                                                    Driver Base: B2E4B000
                                                                    Driver End: B2E6D000
                                                                    Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

                                                                    ******************************************************************************************
                                                                    ******************************************************************************************
                                                                    No Kernel Hooks found

                                                                    ******************************************************************************************
                                                                    ******************************************************************************************
                                                                    Hidden files/folders:
                                                                    Object: C:\ace95d57646196ec5306fbd2b5\de-DE\ZuneSetup.exe.mui
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\en-US\ZuneSetup.exe.mui
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\es-ES\ZuneSetup.exe.mui
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\fr-FR\ZuneSetup.exe.mui
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\it-IT\ZuneSetup.exe.mui
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\packages\muauth.cab
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\packages\Zune-de.msi
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\packages\Zune-es.msi
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\packages\Zune-fr.msi
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\packages\Zune-it.msi
                                                                    Status: Access denied

                                                                    Object: C:\ace95d57646196ec5306fbd2b5\packages\Zune-x86.msi
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\AppData.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Cache.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\History.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Music.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Personal.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Programs.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Recent.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\SetPath.bat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\SysPath.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\Templates.folder.dat
                                                                    Status: Access denied

                                                                    Object: C:\Qoobox\BackEnv\VikPev00
                                                                    Status: Access denied
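One way to triage a SysProt log like the one posted above, added here as an example (it is not part of the thread or of SysProt): it parses the log's `Key: Value` records and separates entries that match known-benign patterns from entries that need a closer look. The `KNOWN_HOOKERS` allowlist, the verdict labels and the two `example_*` records in the sample are assumptions constructed for illustration.

```python
import ntpath

SECTIONS = ("Kernel Modules", "SSDT", "Hidden files/folders")

# Assumption: install directories of security products the owner put there on purpose.
KNOWN_HOOKERS = ("c:\\program files\\superantispyware\\",)

# Constructed sample in the layout of the log above; the two example_* records are invented.
SAMPLE_LOG = r"""
No Hidden Processes found
******************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B2D4A000
Module End: B2D62000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: B8638000
Module End: B863A000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\example_hidden.sys
Service Name: ---
Module Base: F7B00000
Module End: F7B04000
Hidden: Yes
******************************************
SSDT:
Function Name: ZwTerminateProcess
Address: B2E55620
Driver Base: B2E4B000
Driver End: B2E6D000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

Function Name: ZwOpenKey
Address: F7A01234
Driver Base: F7A00000
Driver End: F7A08000
Driver Name: \??\C:\WINDOWS\Temp\example_unknown.sys
******************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
"""


def parse_sysprot(text):
    """Return {section: [record, ...]}; each record is a dict of its 'Key: Value' lines."""
    out = {s: [] for s in SECTIONS}
    section, record = None, {}

    def flush():
        nonlocal record
        if section and record:
            out[section].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            flush()
            section = line[:-1]
        elif not line or set(line) == {"*"}:
            flush()                      # blank line or separator ends a record
        elif ": " in line and section:
            key, _, value = line.partition(": ")
            if key in record:            # a repeated key starts the next record
                flush()
            record[key] = value
    flush()
    return out


def triage(parsed):
    """Return (kind, name, verdict) tuples; 'expected' means a known-benign pattern matched."""
    findings = []
    for mod in parsed["Kernel Modules"]:
        if mod.get("Hidden") != "Yes":
            continue
        path = mod["Module Name"]
        name = ntpath.basename(path).lower()
        in_drivers = ntpath.dirname(path).lower() == "\\systemroot\\system32\\drivers"
        # dump_*.sys are in-memory crash-dump copies of storage drivers with no file on disk.
        verdict = "expected" if name.startswith("dump_") and in_drivers else "review"
        findings.append(("module", name, verdict))
    for hook in parsed["SSDT"]:
        addr, base, end = (int(hook[k], 16) for k in ("Address", "Driver Base", "Driver End"))
        driver = hook["Driver Name"].lower()
        if driver.startswith("\\??\\"):
            driver = driver[4:]          # drop the NT object-manager prefix
        ok = base <= addr < end and driver.startswith(KNOWN_HOOKERS)
        findings.append(("ssdt", hook["Function Name"], "expected" if ok else "review"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sysprot(SAMPLE_LOG)):
        print(finding)
```

A `dump_` name is only a pattern match, so an "expected" verdict still deserves a check that the base driver it mirrors (here `atapi.sys`) is the system's own.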


                                                                    SuperDave

                                                                    Re: No Internet Access after virus removal :(
                                                                    « Reply #43 on: January 12, 2012, 04:32:02 PM »
                                                                    I'd like to scan your machine with ESET OnlineScan

                                                                    •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                                                                    ESET OnlineScan
                                                                    •Click the button.
                                                                    •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                                                                    • Click on to download the ESET Smart Installer. Save it to your desktop.
                                                                    • Double click on the icon on your desktop.
                                                                    •Check
                                                                    •Click the button.
                                                                    •Accept any security warnings from your browser.
                                                                    •Check
                                                                    •Push the Start button.
                                                                    •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                                                                    •When the scan completes, push
                                                                    •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                                                                    •Push the button.
                                                                    •Push
                                                                    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                                                                    Windows 8 and Windows 10 dual boot with two SSD's

                                                                    nasroo7

                                                                      Re: No Internet Access after virus removal :(
                                                                      « Reply #44 on: January 13, 2012, 07:24:38 AM »
                                                                      OK, so I ran the ESET online scanner....
                                                                      After 45 min it was at 98%... with 0 threats...
                                                                      The computer is set so the HDD doesn't turn off (in power management)

                                                                      I came back an hour later, and I discovered that Windows had restarted itself...
                                                                      I logged on with the Windows account password... and in the bottom right a little window told me "Windows was recently updated"
                                                                      So important updates were installed, and the computer restarted by itself (I installed all the updates before the infection)

                                                                      So there is no ESET scanner anymore of course... :(
                                                                      Is there any log saved somewhere?
                                                                      Or do I have to start over?

                                                                      nasroo7

                                                                        Re: No Internet Access after virus removal :(
                                                                        « Reply #45 on: January 13, 2012, 12:02:22 PM »
                                                                        I just checked the computer....
                                                                        Internet is not working anymore... :(

                                                                        I tried what you told me to do earlier:
                                                                        Quote
                                                                        ipconfig /flushdns
                                                                        ipconfig /registerdns
                                                                        ipconfig /release
                                                                        ipconfig /renew
                                                                        net stop "dns client"
                                                                        net start "dns client" .... etc
                                                                        and
                                                                        Quote
                                                                        Let's try to uninstall/reinstall TCP/IP stack.

                                                                        1. Download winsock.zip
                                                                        Unzip it.
                                                                        Right click on Winsock.reg, click "Merge".
                                                                        Allow registry merge.

                                                                        2. Restart computer.

                                                                        3. Go to Start ==> Control Panel.  Double-click Network Connections. Right-click Local Area Connection, and select Properties.

                                                                            * On the General tab, click Install; a popup window opens.
                                                                            * Select Protocol from the list and then click Add.
                                                                            * A new window opens, click Have Disk....
                                                                            * In the browse... box type c:\windows\inf
                                                                            * Click OK.
                                                                            * Select Internet Protocol (TCP/IP), and then click OK.
                                                                            * Restart and check the connection.

                                                                        But.. in Network Connections.... There is NOTHING !  :o

                                                                        nasroo7

                                                                          Re: No Internet Access after virus removal :(
                                                                          « Reply #46 on: January 13, 2012, 12:11:23 PM »
                                                                          I created a restore point after the Winsock, TCP IP reset, and DDS logs....

                                                                          And there are also many restore points since that day that Windows saved automatically.

                                                                          Should I just go back to yesterday when Internet was working?

                                                                          SuperDave

                                                                          Re: No Internet Access after virus removal :(
                                                                          « Reply #47 on: January 13, 2012, 01:05:11 PM »
                                                                          Quote
                                                                          Should I just go back to yesterday when Internet was working?
                                                                          Please try that. If it still doesn't work please run this:

                                                                          Please download MiniToolBox to Desktop and run it.



                                                                          Checkmark the following boxes:

                                                                            • Flush DNS
                                                                            • Report IE Proxy Settings
                                                                            • Reset IE Proxy Settings
                                                                            • List content of Hosts
                                                                            • List IP Configuration
                                                                            • List Last 10 Event Viewer Errors
                                                                            • List Users, Partitions and Memory Size
                                                                            Click Go and copy/paste the log (Result.txt) into your next post.
                                                                            Windows 8 and Windows 10 dual boot with two SSD's

                                                                            nasroo7

                                                                              Re: No Internet Access after virus removal :(
                                                                              « Reply #48 on: January 13, 2012, 02:19:57 PM »
                                                                              OK, I'll try that...

                                                                              What's happening to this computer ??

                                                                              nasroo7

                                                                                Re: No Internet Access after virus removal :(
                                                                                « Reply #49 on: January 13, 2012, 02:45:43 PM »
                                                                                MiniToolBox by Farbar
                                                                                Ran by Annette (administrator) on 13-01-2012 at 16:44:54
                                                                                Microsoft Windows XP Professional Service Pack 3 (X86)
                                                                                Boot Mode: Normal
                                                                                ***************************************************************************

                                                                                ========================= Flush DNS: ===================================


                                                                                Windows IP Configuration




                                                                                ========================= IE Proxy Settings: ==============================

                                                                                Proxy is not enabled.
                                                                                No Proxy Server is set.

                                                                                "Reset IE Proxy Settings": IE Proxy Settings were reset.
                                                                                ========================= Hosts content: =================================

                                                                                 
                                                                                127.0.0.1       localhost

                                                                                ========================= IP Configuration: ================================



                                                                                # ----------------------------------
                                                                                # Interface IP Configuration         
                                                                                # ----------------------------------
                                                                                pushd interface ip



                                                                                popd
                                                                                # End of interface IP configuration




                                                                                Windows IP Configuration



                                                                                Server:  UnKnown
                                                                                Address:  127.0.0.1

                                                                                Ping request could not find host google.com. Please check the name and try again.

                                                                                Server:  UnKnown
                                                                                Address:  127.0.0.1

                                                                                Ping request could not find host yahoo.com. Please check the name and try again.

                                                                                Server:  UnKnown
                                                                                Address:  127.0.0.1

                                                                                Ping request could not find host bleepingcomputer.com. Please check the name and try again.



                                                                                Pinging 127.0.0.1 with 32 bytes of data:



                                                                                Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

                                                                                Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



                                                                                Ping statistics for 127.0.0.1:

                                                                                    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

                                                                                Approximate round trip times in milli-seconds:

                                                                                    Minimum = 0ms, Maximum = 0ms, Average = 0ms

                                                                                ===========================================================================
                                                                                Interface List
                                                                                0x1 ........................... MS TCP Loopback interface
                                                                                ===========================================================================
                                                                                ===========================================================================
                                                                                Active Routes:
                                                                                Network Destination        Netmask          Gateway       Interface  Metric
                                                                                        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
                                                                                ===========================================================================
                                                                                Persistent Routes:
                                                                                  None

                                                                                ========================= Event log errors: ===============================

                                                                                Application errors:
                                                                                ==================
                                                                                Error: (01/13/2012 04:37:44 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The application cannot be initialized.

                                                                                Context: Windows Application

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:37:44 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The gatherer object cannot be initialized.

                                                                                Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:37:44 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

                                                                                Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:37:42 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The search service has detected corrupted data files in the index. The service will attempt to automatically correct this problem by rebuilding the index.

                                                                                Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                    0xc0041801 (0xc0041801)

                                                                                Error: (01/13/2012 04:31:08 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

                                                                                Context:  Application, SystemIndex Catalog

                                                                                Error: (01/13/2012 04:25:31 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

                                                                                Context:  Application, SystemIndex Catalog

                                                                                Error: (01/13/2012 04:21:10 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The application cannot be initialized.

                                                                                Context: Windows Application

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:21:10 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The gatherer object cannot be initialized.

                                                                                Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:21:10 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

                                                                                Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:21:09 PM) (Source: Windows Search Service) (User: )
                                                                                Description: The search service has detected corrupted data files in the index. The service will attempt to automatically correct this problem by rebuilding the index.

                                                                                Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                    0xc0041801 (0xc0041801)


                                                                                System errors:
                                                                                =============
                                                                                Error: (01/13/2012 04:37:47 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

                                                                                Error: (01/13/2012 04:37:39 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The MCSTRM service failed to start due to the following error:
                                                                                %%2

                                                                                Error: (01/13/2012 04:33:12 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The MCSTRM service failed to start due to the following error:
                                                                                %%2

                                                                                Error: (01/13/2012 04:24:21 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The MCSTRM service failed to start due to the following error:
                                                                                %%2

                                                                                Error: (01/13/2012 04:21:11 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

                                                                                Error: (01/13/2012 04:21:06 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The MCSTRM service failed to start due to the following error:
                                                                                %%2

                                                                                Error: (01/13/2012 04:15:16 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The MCSTRM service failed to start due to the following error:
                                                                                %%2

                                                                                Error: (01/13/2012 02:16:23 PM) (Source: 0) (User: )
                                                                                Description: \Device\Harddisk0\D

                                                                                Error: (01/13/2012 02:08:56 PM) (Source: 0) (User: )
                                                                                Description: \Device\Harddisk0\D

                                                                                Error: (01/13/2012 02:08:48 PM) (Source: Service Control Manager) (User: )
                                                                                Description: The MCSTRM service failed to start due to the following error:
                                                                                %%2


                                                                                Microsoft Office Sessions:
                                                                                =========================
                                                                                Error: (01/13/2012 04:37:44 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:37:44 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:37:44 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)
                                                                                Search.TripoliIndexer

                                                                                Error: (01/13/2012 04:37:42 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                    0xc0041801 (0xc0041801)

                                                                                Error: (01/13/2012 04:31:08 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context:  Application, SystemIndex Catalog

                                                                                Error: (01/13/2012 04:25:31 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context:  Application, SystemIndex Catalog

                                                                                Error: (01/13/2012 04:21:10 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:21:10 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)

                                                                                Error: (01/13/2012 04:21:10 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                   The content index cannot be read.   (0xc0041800)
                                                                                Search.TripoliIndexer

                                                                                Error: (01/13/2012 04:21:09 PM) (Source: Windows Search Service)(User: )
                                                                                Description: Context: Windows Application, SystemIndex Catalog

                                                                                Details:
                                                                                    0xc0041801 (0xc0041801)


                                                                                ========================= Memory info: ===================================

                                                                                Percentage of memory in use: 34%
                                                                                Total physical RAM: 1790.48 MB
                                                                                Available physical RAM: 1178.39 MB
                                                                                Total Pagefile: 3685.05 MB
                                                                                Available Pagefile: 3120.62 MB
                                                                                Total Virtual: 2047.88 MB
                                                                                Available Virtual: 1971.02 MB

                                                                                ========================= Partitions: =====================================

                                                                                2 Drive c: () (Fixed) (Total:149.04 GB) (Free:116.99 GB) NTFS

                                                                                ========================= Users: ========================================

                                                                                User accounts for \\HOME-D8A73CBAEE

                                                                                Administrator            Annette                  ASPNET                   
                                                                                Darren                   Guest                    HelpAssistant           
                                                                                SUPPORT_388945a0         UpdatusUser             


                                                                                **** End of log ****

                                                                                SuperDave

                                                                                Re: No Internet Access after virus removal :(
                                                                                « Reply #50 on: January 13, 2012, 04:57:00 PM »
                                                                                Let's try another scan.

                                                                                Please download Farbar Service Scanner and run it on the computer with the issue.
                                                                                • Press "Scan".
                                                                                • It will create a log (FSS.txt) in the same directory the tool is run.
                                                                                • Please copy and paste the log to your reply.

                                                                                nasroo7

                                                                                  Re: No Internet Access after virus removal :(
                                                                                  « Reply #51 on: January 13, 2012, 05:07:35 PM »
                                                                                  We already tried that before...
                                                                                  I'm running it right now
                                                                                  I'll post the log when it's done

                                                                                  nasroo7

                                                                                    Re: No Internet Access after virus removal :(
                                                                                    « Reply #52 on: January 13, 2012, 05:10:25 PM »
                                                                                    FSS with only the first checkmark checked




                                                                                    Farbar Service Scanner
                                                                                    Ran by Annette (administrator) on 13-01-2012 at 19:09:16
                                                                                    Microsoft Windows XP Professional Service Pack 3 (X86)
                                                                                    Boot Mode: Normal
                                                                                    ****************************************************************

                                                                                    Internet Services:
                                                                                    ============

                                                                                    Connection Status:
                                                                                    ==============
                                                                                    Localhost is accessible.
                                                                                    There is no connection to network.
                                                                                    Attempt to access Google IP returned error: Google IP is unreachable
                                                                                    Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


                                                                                    File Check:
                                                                                    ========
                                                                                    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
                                                                                    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
                                                                                    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
                                                                                    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
                                                                                    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
                                                                                    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
                                                                                    C:\WINDOWS\system32\svchost.exe => MD5 is legit
                                                                                    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
                                                                                    C:\WINDOWS\system32\services.exe => MD5 is legit

                                                                                    Extra List:
                                                                                    =======
                                                                                    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
                                                                                    0x0700000005000000010000000200000003000000040000000600000007000000
                                                                                    IpSec Tag value is correct.

                                                                                    **** End of log ****

                                                                                    nasroo7

                                                                                      Re: No Internet Access after virus removal :(
                                                                                      « Reply #53 on: January 13, 2012, 05:11:10 PM »
                                                                                      FSS with all checkmarks checked (I don't know which one you need ?)

                                                                                      Farbar Service Scanner
                                                                                      Ran by Annette (administrator) on 13-01-2012 at 19:09:38
                                                                                      Microsoft Windows XP Professional Service Pack 3 (X86)
                                                                                      Boot Mode: Normal
                                                                                      ****************************************************************

                                                                                      Internet Services:
                                                                                      ============

                                                                                      Connection Status:
                                                                                      ==============
                                                                                      Localhost is accessible.
                                                                                      There is no connection to network.
                                                                                      Attempt to access Google IP returned error: Google IP is unreachable
                                                                                      Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


                                                                                      Windows Firewall:
                                                                                      =============

                                                                                      Firewall Disabled Policy:
                                                                                      ==================
                                                                                      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
                                                                                      "EnableFirewall"=DWORD:0


                                                                                      System Restore:
                                                                                      ============

                                                                                      System Restore Disabled Policy:
                                                                                      ========================


                                                                                      Security Center:
                                                                                      ============

                                                                                      Windows Update:
                                                                                      ===========

                                                                                      File Check:
                                                                                      ========
                                                                                      C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
                                                                                      C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
                                                                                      C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
                                                                                      C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
                                                                                      C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\netman.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\srsvc.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
                                                                                      C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\qmgr.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\es.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\svchost.exe => MD5 is legit
                                                                                      C:\WINDOWS\system32\rpcss.dll => MD5 is legit
                                                                                      C:\WINDOWS\system32\services.exe => MD5 is legit

                                                                                      Extra List:
                                                                                      =======
                                                                                      Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
                                                                                      IpSec Tag value is correct.

                                                                                      **** End of log ****

                                                                                      SuperDave

                                                                                      « Reply #54 on: January 14, 2012, 06:47:05 PM »
You should call your ISP (Internet Service Provider) to create a new network.
                                                                                      Windows 8 and Windows 10 dual boot with two SSD's

                                                                                      nasroo7

                                                                                        « Reply #55 on: January 15, 2012, 10:15:04 PM »
                                                                                        But I plugged another computer to the same Ethernet cable, and internet is working fine...

                                                                                        nasroo7

                                                                                          « Reply #56 on: January 15, 2012, 10:48:50 PM »
                                                                                          Quote
                                                                                          Turn off the computer.
                                                                                          Insert your Windows CD in the CD-ROM drive or the DVD-ROM drive, and start the computer from the CD.

                                                                                          When you are prompted To set up Windows now, press ENTER, press ENTER.

                                                                                          Setup looks for any previous installations of Windows XP on the hard disk and then displays a list of any previous installations that it finds.
                                                                                          Use the arrow keys to select the installation that you want to repair, and then press R to select the To repair the selected Windows installation, press R option.

                                                                                          This will start the repair of your previous Windows XP installation.

Would that work? Or fix my connection problem?

                                                                                          nasroo7

                                                                                            « Reply #57 on: January 16, 2012, 11:04:05 AM »
I just added an internal Ethernet LAN card.
And now internet works fine.

But the network of the motherboard (the Ethernet plug located on the motherboard) is still NOT here; there is only the one of the new card. :s

What's going on with that computer???
Is it going to do the same thing?

                                                                                            nasroo7

                                                                                              « Reply #58 on: January 18, 2012, 05:44:47 PM »
Where are you, SuperDave!???

                                                                                              SuperDave

                                                                                              « Reply #59 on: January 18, 2012, 06:39:34 PM »
                                                                                              I don't feel that this is a malware problem. We should do some cleanup and perhaps you should start a new thread in the hardware forum.

                                                                                              To uninstall ComboFix

                                                                                              • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
                                                                                              • In the field, type in ComboFix /uninstall


                                                                                              (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

                                                                                              • Then, press Enter, or click OK.
• This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
                                                                                              ****************************************************
                                                                                              Clean out your temporary internet files and temp files.

                                                                                              Download TFC by OldTimer to your desktop.

                                                                                              Double-click TFC.exe to run it.

                                                                                              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                                                                              TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                                                                              * Click the Start button to begin the cleaning process.
                                                                                              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                                                                              * Please let TFC run uninterrupted until it is finished.

                                                                                              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                                                                                              ***************************************************
                                                                                              Go to Microsoft Windows Update and get all critical updates.

                                                                                              ----------

                                                                                              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
                                                                                              * Using SpywareBlaster to protect your computer from Spyware and Malware
                                                                                              * If you don't know what ActiveX controls are, see here

                                                                                              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                                                                              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                                                                              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                                                                              Windows 8 and Windows 10 dual boot with two SSD's

                                                                                              nasroo7

                                                                                                « Reply #60 on: January 20, 2012, 02:24:29 PM »
But do you remember when ComboFix told me he has discovered ZeroAccess Trojan hidden in my TCP/IP protocol?

                                                                                                And then after we fixed internet... three days later, internet disappeared...
                                                                                                I checked the device manager, and the Network Ethernet drivers were missing

I reinstalled them, but the computer won't reboot anymore. Even rebooting it with "Last Known Good Configuration" won't solve the problem.

                                                                                                I think my only choice is to reinstall windows all over...

                                                                                                nasroo7

                                                                                                  « Reply #61 on: January 20, 2012, 02:25:34 PM »
And, also, before internet disappeared, the Ethernet drivers were good and installed. And I never touched them (before they disappeared).

                                                                                                  SuperDave

                                                                                                  « Reply #62 on: January 21, 2012, 11:32:49 AM »
                                                                                                  Quote
But do you remember when ComboFix told me he has discovered ZeroAccess Trojan hidden in my TCP/IP protocol?
I never saw that in any of the scans that we ran. At this point the best thing you should do is to boot your computer with this rescue disk below, save your important data and re-format. You could try posting the log but most important is to save your data.

                                                                                                  We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

                                                                                                  Download the OTLPE Standard REATOGO Windows Recovery Environment.
                                                                                                  • Place a blank CD-R disc in to your CD burning drive.
                                                                                                  • Download OTLPEStd.exe and double-click on it to burn to a CD using an ISO Burner. One can be found here.
                                                                                                  • Reboot your system using the boot CD you just created.
• Note: If you do not know how to set your computer to boot from CD, follow the steps here
                                                                                                  • Your system should now display a REATOGO-X-PE desktop.
                                                                                                  • Double-click on the OTLPE icon.
                                                                                                  • When asked "Do you wish to load the remote registry", select Yes
                                                                                                  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
                                                                                                  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start. Change the following settings:
    • Change Drivers to Non-Microsoft
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\_OTL\MovedFiles
                                                                                                  • Copy this file to your USB drive if you do not have internet connection on this system
                                                                                                  • Please post the contents of the OTL.txt file in your reply.
                                                                                                  Windows 8 and Windows 10 dual boot with two SSD's

                                                                                                  nasroo7

                                                                                                    « Reply #63 on: January 21, 2012, 03:13:17 PM »
                                                                                                    How about if I just format it, and reinstall windows?

                                                                                                    But save only "My documents" folder, which contains all documents, and pictures....

                                                                                                    SuperDave

                                                                                                    « Reply #64 on: January 21, 2012, 04:13:24 PM »
                                                                                                    That should work. Good luck.
                                                                                                    Windows 8 and Windows 10 dual boot with two SSD's

                                                                                                    nasroo7

                                                                                                      « Reply #65 on: January 21, 2012, 08:02:15 PM »
And if I transfer "My Documents" files into an external HDD... will I have clean files? Or infected files?

                                                                                                      SuperDave

                                                                                                      « Reply #66 on: January 22, 2012, 03:27:31 PM »
                                                                                                      and If I transfer "My Documents" files into an external HDD... will I have clean files? or infected files?
                                                                                                      You should scan your files with at least two good AV scanners before putting them back on your computer.
                                                                                                      Windows 8 and Windows 10 dual boot with two SSD's

nasroo7

Re: No Internet Access after virus removal :(
« Reply #67 on: January 22, 2012, 04:43:14 PM »
If I scan them with Microsoft Security Essentials, Malwarebytes, and SuperAntiSpyware, is it enough?

SuperDave

Re: No Internet Access after virus removal :(
« Reply #68 on: January 22, 2012, 07:00:14 PM »
Quote
If I scan them with Microsoft Security Essentials, Malwarebytes, and SuperAntiSpyware, is it enough?

You also should include a scan with Avast AV.
« Last Edit: January 23, 2012, 04:25:30 PM by SuperDave »

nasroo7

Re: No Internet Access after virus removal :(
« Reply #69 on: January 22, 2012, 10:26:03 PM »
OK, I'll do it.
Thank you.

nasroo7

Re: No Internet Access after virus removal :(
« Reply #70 on: January 24, 2012, 07:41:11 AM »

By the way, I have another last question:
I was going to format the HDD, but I just ran ComboFix (I know that if something happens, I don't care, since I'm going to reinstall Windows anyway =P), and at the same time Microsoft Security Essentials told me that it detected items that have not yet been classified for risks, and will send them: "C:\32788R22FWJFW/iexplore.exe"

Do you have any idea or opinion about it?

By the way, if people have the same problem:

When your network connection disappears... check your Device Manager, and chances are that you're going to see missing drivers for the network adapter... even if it was installed and working fine a couple of hours before!

SuperDave

Re: No Internet Access after virus removal :(
« Reply #71 on: January 24, 2012, 04:20:08 PM »
Quote
Do you have any idea or opinion about it?

That's part of ComboFix.

nasroo7

Re: No Internet Access after virus removal :(
« Reply #72 on: January 25, 2012, 12:13:46 PM »
Quote
    Quote
        Do you have any idea or opinion about it?

    That's part of ComboFix.

Thanks ;D

Thank you for all your help, SuperDave!

SuperDave

Re: No Internet Access after virus removal :(
« Reply #73 on: January 25, 2012, 12:18:25 PM »
You're welcome. I will lock this thread. If you need it re-opened, please send me a PM.