Author Topic: [Resolved K] Infected by win32/sirefef virus  (Read 1066 times)


Offline Majorstar

  • Bronze Member
  • Posts: 8
[Resolved K] Infected by win32/sirefef virus
« on: July 05, 2012, 08:36:51 AM »
Yesterday, my PC was infected by the trojan win32/sirefef array of viruses while on the internet.  It disabled my AV software and began interfering with my browser and was (and still is) utilizing my internet connection.  I had to reinstall my AV software whereupon it identified the virus files: win32/sirefef, win32/sirefef.AG, win32/sirefef.AN and win32/sirefef.AO.  It has quarantined them, but whatever the virus did to my system is now in place and accessing my internet connection (it is always in use even when I'm not using the internet).  The AV software is regularly "disabling threats" from this virus because it is apparently still active on my PC.  I need to get this virus out of my system and am hoping this can be done without reinstalling Windows.

The apparent location (according to AV software) of the virus is: c:\Documents and Settings\Mark Sterner\Local Settings\Application Data\{99bd2805...

Here are my DDS logs, as requested:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mark Sterner at 22:12:54 on 2012-07-04
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2814.2105 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\mark sterner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306083087234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1308577527437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 208.180.83.133 208.180.42.68
TCP: Interfaces\{CE81AD80-A8F1-49DC-B93B-87CE34E2CB71} : DhcpNameServer = 208.180.83.133 208.180.42.68
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKsl03ad82f1;MpKsl03ad82f1;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{10d2e78d-704d-49c4-b199-2ceb2a213394}\MpKsl03ad82f1.sys [2012-7-4 29904]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-5-13 2348352]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2011-5-22 22784]
R3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
.
=============== Created Last 30 ================
.
2012-07-05 03:02:14   29904   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{10d2e78d-704d-49c4-b199-2ceb2a213394}\MpKsl03ad82f1.sys
2012-07-05 02:43:31   --------   d-----w-   C:\sh4ldr
2012-07-05 02:43:31   --------   d-----w-   c:\program files\Enigma Software Group
2012-07-05 02:43:04   --------   d-----w-   c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-07-05 02:43:02   --------   d-----w-   c:\program files\common files\Wise Installation Wizard
2012-07-05 02:36:17   --------   d-----w-   c:\documents and settings\mark sterner\application data\SpeedyPC Software
2012-07-05 02:36:17   --------   d-----w-   c:\documents and settings\mark sterner\application data\DriverCure
2012-07-05 02:36:06   --------   d-----w-   c:\documents and settings\all users\application data\SpeedyPC Software
2012-07-05 02:28:48   56200   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{10d2e78d-704d-49c4-b199-2ceb2a213394}\offreg.dll
2012-07-04 21:28:39   --------   d-----w-   c:\program files\Eusing Free Registry Cleaner
2012-07-04 21:09:43   6762896   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{10d2e78d-704d-49c4-b199-2ceb2a213394}\mpengine.dll
2012-07-04 21:07:06   --------   d-----w-   c:\program files\Microsoft Security Client
2012-06-13 18:14:39   --------   d-----w-   c:\documents and settings\all users\application data\EA Core
2012-06-13 18:14:38   --------   d-----w-   c:\documents and settings\all users\application data\Electronic Arts
2012-06-13 17:50:58   --------   d-----w-   c:\program files\Dragon Age 2
2012-06-13 13:29:13   521728   -c----w-   c:\windows\system32\dllcache\jsdbgui.dll
2012-06-08 19:25:46   237072   ------w-   c:\windows\system32\MpSigStub.exe
.
==================== Find3M  ====================
.
2012-07-02 13:05:42   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-07-02 13:05:41   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 20:19:44   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19:38   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19:38   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19:34   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19:30   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:18:58   275696   ----a-w-   c:\windows\system32\mucltui.dll
2012-06-02 20:18:58   214256   ----a-w-   c:\windows\system32\muweb.dll
2012-06-02 20:18:58   17136   ----a-w-   c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09   599040   ----a-w-   c:\windows\system32\crypt32.dll
2012-05-16 15:08:26   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-05-15 13:20:33   1863168   ----a-w-   c:\windows\system32\win32k.sys
2012-05-13 21:09:09   293992   ----a-w-   c:\windows\system32\nvdrsdb0.bin
2012-05-13 21:09:09   1   ----a-w-   c:\windows\system32\nvdrssel.bin
2012-05-13 21:09:07   293992   ----a-w-   c:\windows\system32\nvdrsdb1.bin
2012-05-11 14:42:33   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02   385024   ------w-   c:\windows\system32\html.iec
2012-05-04 13:16:13   2148352   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19   2026496   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36   139656   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-19 01:56:30   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
2012-04-19 01:56:30   69632   ----a-w-   c:\windows\system32\QuickTime.qts
.
============= FINISH: 22:13:18.06 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/22/2011 11:00:35 AM
System Uptime: 7/4/2012 9:26:50 PM (1 hours ago)
.
Motherboard:  EVGA  |  | 132-CK-NF78
Processor: Intel Pentium III processor | Socket 775 | 3166/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 596 GiB total, 499.158 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP272: 4/6/2012 12:45:21 PM - System Checkpoint
RP273: 4/7/2012 1:01:16 PM - System Checkpoint
RP274: 4/7/2012 2:44:50 PM - Installed Campaign Antietam
RP275: 4/9/2012 9:20:24 AM - System Checkpoint
RP276: 4/11/2012 9:47:27 AM - Software Distribution Service 3.0
RP277: 4/12/2012 11:45:12 AM - System Checkpoint
RP278: 4/13/2012 1:18:42 PM - System Checkpoint
RP279: 4/14/2012 1:51:44 PM - System Checkpoint
RP280: 4/15/2012 6:00:37 PM - System Checkpoint
RP281: 4/16/2012 6:01:04 PM - System Checkpoint
RP282: 4/17/2012 9:06:25 PM - System Checkpoint
RP283: 4/19/2012 12:18:20 PM - System Checkpoint
RP284: 4/20/2012 12:24:31 PM - System Checkpoint
RP285: 4/21/2012 1:22:22 PM - System Checkpoint
RP286: 4/22/2012 6:21:11 PM - System Checkpoint
RP287: 4/24/2012 5:48:30 PM - System Checkpoint
RP288: 4/25/2012 9:44:41 PM - System Checkpoint
RP289: 4/27/2012 12:01:56 PM - System Checkpoint
RP290: 4/29/2012 12:33:49 PM - System Checkpoint
RP291: 4/30/2012 3:50:07 PM - System Checkpoint
RP292: 5/1/2012 4:34:22 PM - System Checkpoint
RP293: 5/2/2012 5:08:48 PM - System Checkpoint
RP294: 5/3/2012 7:16:58 PM - System Checkpoint
RP295: 5/5/2012 12:35:51 PM - System Checkpoint
RP296: 5/6/2012 12:52:46 PM - System Checkpoint
RP297: 5/7/2012 5:15:40 PM - System Checkpoint
RP298: 5/8/2012 9:35:31 PM - System Checkpoint
RP299: 5/10/2012 10:58:20 AM - System Checkpoint
RP300: 5/11/2012 4:32:16 PM - System Checkpoint
RP301: 5/12/2012 9:35:01 AM - Software Distribution Service 3.0
RP302: 5/13/2012 5:07:24 PM - System Checkpoint
RP303: 5/15/2012 9:41:47 AM - System Checkpoint
RP304: 5/16/2012 10:38:21 AM - System Checkpoint
RP305: 5/17/2012 10:40:25 AM - System Checkpoint
RP306: 5/18/2012 10:58:06 AM - System Checkpoint
RP307: 5/19/2012 12:15:47 PM - System Checkpoint
RP308: 5/20/2012 6:06:50 PM - System Checkpoint
RP309: 5/22/2012 8:56:31 AM - System Checkpoint
RP310: 5/23/2012 10:53:25 AM - System Checkpoint
RP311: 5/24/2012 10:59:18 AM - System Checkpoint
RP312: 5/25/2012 11:09:41 AM - System Checkpoint
RP313: 5/26/2012 12:04:48 PM - System Checkpoint
RP314: 5/28/2012 10:49:25 AM - System Checkpoint
RP315: 5/29/2012 5:08:30 PM - System Checkpoint
RP316: 5/31/2012 4:48:45 PM - System Checkpoint
RP317: 6/1/2012 5:17:48 PM - System Checkpoint
RP318: 6/3/2012 10:25:31 AM - System Checkpoint
RP319: 6/4/2012 9:09:26 AM - Software Distribution Service 3.0
RP320: 6/5/2012 11:45:58 AM - System Checkpoint
RP321: 6/7/2012 4:21:32 PM - System Checkpoint
RP322: 6/8/2012 2:25:46 PM - Software Distribution Service 3.0
RP323: 6/9/2012 2:47:47 PM - System Checkpoint
RP324: 6/10/2012 8:21:48 AM - Software Distribution Service 3.0
RP325: 6/11/2012 10:51:07 AM - System Checkpoint
RP326: 6/12/2012 8:38:00 AM - Software Distribution Service 3.0
RP327: 6/13/2012 8:29:42 AM - Software Distribution Service 3.0
RP328: 6/13/2012 11:57:13 AM - Software Distribution Service 3.0
RP329: 6/13/2012 12:58:04 PM - Installed DirectX
RP330: 6/14/2012 5:48:44 PM - System Checkpoint
RP331: 6/15/2012 8:52:03 AM - Software Distribution Service 3.0
RP332: 6/16/2012 9:52:22 AM - Software Distribution Service 3.0
RP333: 6/17/2012 12:55:05 PM - Software Distribution Service 3.0
RP334: 6/18/2012 1:38:24 PM - Software Distribution Service 3.0
RP335: 6/19/2012 2:46:16 PM - System Checkpoint
RP336: 6/19/2012 6:08:57 PM - Software Distribution Service 3.0
RP337: 6/21/2012 9:01:53 AM - Software Distribution Service 3.0
RP338: 6/22/2012 10:20:06 AM - System Checkpoint
RP339: 6/22/2012 3:50:22 PM - Software Distribution Service 3.0
RP340: 6/23/2012 5:06:27 PM - System Checkpoint
RP341: 6/24/2012 9:17:28 AM - Software Distribution Service 3.0
RP342: 6/25/2012 11:57:14 AM - Software Distribution Service 3.0
RP343: 6/26/2012 1:22:58 PM - Software Distribution Service 3.0
RP344: 6/27/2012 1:30:09 PM - Software Distribution Service 3.0
RP345: 6/28/2012 4:48:46 PM - System Checkpoint
RP346: 6/29/2012 8:17:00 AM - Software Distribution Service 3.0
RP347: 6/30/2012 8:41:03 AM - Software Distribution Service 3.0
RP348: 7/1/2012 8:45:26 AM - Software Distribution Service 3.0
RP349: 7/2/2012 10:09:16 AM - System Checkpoint
RP350: 7/3/2012 7:32:49 AM - Software Distribution Service 3.0
RP351: 7/4/2012 7:47:12 AM - Software Distribution Service 3.0
RP352: 7/4/2012 4:09:39 PM - Software Distribution Service 3.0
RP353: 7/4/2012 9:43:30 PM - Installed SpyHunter
RP354: 7/4/2012 10:06:05 PM - Removed SpyHunter
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.0)
Apple Application Support
Apple Software Update
Combat Mission Battle for Normandy DEMO
Diablo II
Dragon Age II
Dragon Age: Origins
Eusing Free Registry Cleaner
Google Chrome
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HPS Campaign Antietam
Java Auto Updater
Java(TM) 6 Update 31
King's Bounty. The Legend (Remove Only)
King’s Bounty Crossworlds (Remove Only)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft IntelliType Pro 6.2
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Software Update for Web Folders  (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
MSXML 6 Service Pack 2 (KB973686)
Neverwinter Nights 2
NVIDIA Control Panel 296.10
NVIDIA Drivers
NVIDIA Graphics Driver 296.10
NVIDIA Install Application
NVIDIA nView 136.18
NVIDIA nView Desktop Manager
NVIDIA Performance
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.0213
NVIDIA Update 1.7.11
NVIDIA Update Components
QuickTime
Razer DeathAdder(TM) Mouse
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Star Wars: The Old Republic
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VASSAL (3.1.18)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows XP Service Pack 3
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
7/4/2012 4:02:04 PM, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
.
==== End Of File ===========================
« Last Edit: July 06, 2012, 08:27:49 AM by kevinf80 »
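The location the AV reported above, a brace-GUID directory under Local Settings\Application Data, is where the 2012 user-mode Sirefef/ZeroAccess variant kept itself: one such directory under the user's Local Settings\Application Data and a twin under c:\windows\Installer, each holding a file named "@", a file named "n" and subdirectories "L" and "U", plus a loader dropped as c:\windows\assembly\GAC\Desktop.ini. Ordinary MSI caches also live in brace-GUID folders under windows\Installer, so a useful check keys on the child names rather than on the GUID. The script below is an added example, not part of Majorstar's post and not code from DDS or ComboFix: it runs that check over DDS/ComboFix-style log lines and additionally flags SERVICES / DRIVERS entries whose binary the tool could not find on disk (the trailing "[?]", as in the SpyHunter esgiguard line above, which is consistent with the Installed/Removed SpyHunter restore points). The sample log, the function names, the regexes and the two-of-four verdict threshold are this example's own constructions.

```python
"""Flag Sirefef/ZeroAccess file-system artifacts in DDS / ComboFix style log lines.

Added example for this thread.  SAMPLE_LOG is constructed to mirror the shape
of DDS "Created" / ComboFix "Other Deletions" / DDS "SERVICES / DRIVERS" lines;
it is not the poster's real log.
"""
import re
from collections import defaultdict

# Component names the 2012 user-mode Sirefef/ZeroAccess variant uses inside
# its two brace-GUID directories.
SIREFEF_CHILDREN = {"@", "n", "L", "U"}

_GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# A brace-GUID directory directly under Local Settings\Application Data or
# under windows\Installer, optionally followed by its first child component.
GUID_DIR = re.compile(
    r"\\(?:local settings\\application data|windows\\installer)\\"
    r"(?P<guid>" + _GUID + r")(?:\\(?P<child>[^\\\s]+))?",
    re.IGNORECASE,
)

# Loader dropped over the GAC's Desktop.ini (GAC, GAC_32 or GAC_64).
GAC_LOADER = re.compile(
    r"\\windows\\assembly\\gac(?:_32|_64)?\\desktop\.ini\s*$", re.IGNORECASE
)

# DDS service/driver line whose binary is missing on disk: DDS prints
# "--> <path> [?]" in place of the usual "[date size]" stamp.
ORPHAN_DRIVER = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;.*-->\s*(?P<path>.*?)\s*\[\?\]\s*$",
    re.IGNORECASE,
)


def scan(lines):
    """Group GUID-directory children by GUID and collect the other indicators."""
    guid_dirs = defaultdict(set)
    gac_loader = []
    orphan_drivers = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = GUID_DIR.search(line)
        if m:
            # child is None for the directory itself; keep "" so the GUID is recorded
            guid_dirs[m.group("guid").lower()].add(m.group("child") or "")
            continue
        if GAC_LOADER.search(line):
            gac_loader.append(line)
            continue
        m = ORPHAN_DRIVER.match(line)
        if m:
            orphan_drivers.append((m.group("name"), m.group("path")))
    return {
        "guid_dirs": dict(guid_dirs),
        "gac_loader": gac_loader,
        "orphan_drivers": orphan_drivers,
    }


def sirefef_guids(report):
    """GUIDs whose children match the Sirefef layout (at least two of @, n, L, U).

    The verdict is on the children, not the GUID, because legitimate MSI caches
    under windows\\Installer are brace-GUID directories too.
    """
    return sorted(
        guid
        for guid, children in report["guid_dirs"].items()
        if len(children & SIREFEF_CHILDREN) >= 2
    )


# Constructed sample: one Sirefef directory pair, one benign MSI cache folder,
# one healthy driver entry and one orphaned driver entry.
SAMPLE_LOG = r"""
c:\documents and settings\user\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}\@
c:\documents and settings\user\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}\n
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\L\00000004.@
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\U\00000001.@
c:\windows\Installer\{11111111-2222-3333-4444-555555555555}\setup.msi
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
"""

if __name__ == "__main__":
    report = scan(SAMPLE_LOG.splitlines())
    for guid in sirefef_guids(report):
        print("Sirefef GUID directory:", guid, sorted(report["guid_dirs"][guid]))
    for path in report["gac_loader"]:
        print("GAC loader candidate:", path)
    for name, path in report["orphan_drivers"]:
        print("Orphaned driver entry:", name, "->", path)
```

Feed the script a real DDS.txt or ComboFix.txt via `scan(open(path).read().splitlines())`; the benign MSI folder in the sample is there to show that a brace-GUID name alone is not flagged.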



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #1 on: July 05, 2012, 09:08:29 AM »
Hello Majorstar and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin. Go Here and follow the instructions specific for your operating system.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

  • Instructions for running Combofix available Here if required.

  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin


Offline Majorstar

  • Bronze Member
  • Posts: 8
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #2 on: July 05, 2012, 09:57:51 AM »
Hi Kevin, thanks so much for your help.  I ran the ComboFix program and below I've posted the log file as you requested.

ComboFix 12-06-28.03 - Mark Sterner 07/05/2012  10:44:21.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2814.2355 [GMT -5:00]
Running from: c:\documents and settings\Mark Sterner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mark Sterner\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}
c:\documents and settings\Mark Sterner\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}\@
c:\documents and settings\Mark Sterner\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}\n
c:\documents and settings\Mark Sterner\WINDOWS
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\@
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\L\00000004.@
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\L\1afb2d56
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\L\201d3dde
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\n
c:\windows\system32\dllcache\dlimport.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-05 to 2012-07-05  )))))))))))))))))))))))))))))))
.
.
2012-07-05 15:14 . 2012-07-05 15:14   56200   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10D2E78D-704D-49C4-B199-2CEB2A213394}\offreg.dll
2012-07-05 02:43 . 2012-07-05 03:06   --------   d-----w-   C:\sh4ldr
2012-07-05 02:43 . 2012-07-05 02:43   --------   d-----w-   c:\program files\Enigma Software Group
2012-07-05 02:43 . 2012-07-05 03:06   --------   d-----w-   c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-07-05 02:43 . 2012-07-05 02:43   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2012-07-05 02:36 . 2012-07-05 02:36   --------   d-----w-   c:\documents and settings\Mark Sterner\Application Data\SpeedyPC Software
2012-07-05 02:36 . 2012-07-05 02:36   --------   d-----w-   c:\documents and settings\Mark Sterner\Application Data\DriverCure
2012-07-05 02:36 . 2012-07-05 03:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\SpeedyPC Software
2012-07-04 21:28 . 2012-07-04 21:34   --------   d-----w-   c:\program files\Eusing Free Registry Cleaner
2012-07-04 21:09 . 2012-05-31 01:41   6762896   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10D2E78D-704D-49C4-B199-2CEB2A213394}\mpengine.dll
2012-07-04 21:07 . 2012-07-04 21:07   --------   d-----w-   c:\program files\Microsoft Security Client
2012-07-04 20:32 . 2012-07-04 20:32   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2012-06-13 18:14 . 2012-06-13 18:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\EA Core
2012-06-13 18:14 . 2012-06-13 18:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Electronic Arts
2012-06-13 17:50 . 2012-06-13 18:07   --------   d-----w-   c:\program files\Dragon Age 2
2012-06-13 13:29 . 2012-05-11 14:42   521728   -c----w-   c:\windows\system32\dllcache\jsdbgui.dll
2012-06-08 19:25 . 2012-01-31 12:44   237072   ------w-   c:\windows\system32\MpSigStub.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-02 13:05 . 2012-03-29 13:22   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-07-02 13:05 . 2011-05-23 13:08   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 20:19 . 2011-05-22 16:52   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2011-05-22 16:52   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2011-05-22 15:58   329240   ----a-w-   c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2011-05-22 15:58   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2011-05-22 15:58   210968   ----a-w-   c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2011-05-22 16:52   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2011-05-22 16:52   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2011-05-22 15:58   35864   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 20:19 . 2011-05-22 15:58   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2006-02-28 12:00   97304   ----a-w-   c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2011-05-22 16:52   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2011-05-22 15:58   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2011-05-22 15:58   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2011-06-21 12:53   275696   ----a-w-   c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2011-06-21 12:53   17136   ----a-w-   c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2009-08-07 00:23   214256   ----a-w-   c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2006-02-28 12:00   599040   ----a-w-   c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-02-28 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-02-28 12:00   1863168   ----a-w-   c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2006-02-28 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-02-28 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-02-28 12:00   385024   ------w-   c:\windows\system32\html.iec
2012-05-04 13:16 . 2006-02-28 12:00   2148352   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59   2026496   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-05-22 15:56   139656   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-04-19 01:56 . 2012-04-19 01:56   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
2012-04-19 01:56 . 2012-04-19 01:56   69632   ----a-w-   c:\windows\system32\QuickTime.qts
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [5/13/2012 4:10 PM 2348352]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [5/22/2011 11:37 AM 22784]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [9/15/2009 2:59 PM 38248]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [12/15/2009 3:07 PM 25832]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1715567821-839522115-1004Core.job
- c:\documents and settings\Mark Sterner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-12 15:34]
.
2012-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1715567821-839522115-1004UA.job
- c:\documents and settings\Mark Sterner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-12 15:34]
.
2012-07-05 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.180.83.133 208.180.42.68
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-05 10:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-07-05  10:52:51
ComboFix-quarantined-files.txt  2012-07-05 15:52
.
Pre-Run: 535,883,329,536 bytes free
Post-Run: 543,340,081,152 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - AD673380227DE996A7F05D03F773E7EA

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #3 on: July 05, 2012, 11:00:14 AM »
Thanks for the log, Combofix appears to have worked its magic. Ok, I'd like to run an online AV scan to make sure there are no remnants lurking.

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Kevin..

Offline Majorstar

  • Bronze Member
  • Posts: 8
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #4 on: July 05, 2012, 12:07:21 PM »
Okay, I ran the scan and this is the text file of listed threats:

C:\Qoobox\Quarantine\C\Documents and Settings\Mark Sterner\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}\n.vir   Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC\Desktop.ini.vir   Win32/Sirefef.EZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\n.vir   Win32/Sirefef.EV trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP351\A0090728.ini   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP352\A0090781.ini   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP352\A0090791.ini   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP352\A0090857.ini   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP352\A0090865.ini   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP354\A0090983.ini   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP354\A0090995.ini   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP354\A0091005.ini   Win32/Sirefef.EZ trojan
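
A small triage helper, added here as an example and not part of this thread or of ComboFix/ESET, that reads the "Other Deletions" section of the ComboFix log posted above and the path/detection lines of this ESET report, and sorts each path into live indicator (the GUID-named store with its "@", "n" and "L\..." entries, plus assembly\GAC\Desktop.ini, exactly the layout ComboFix removed here), ComboFix quarantine copy, or System Restore copy. The sample log excerpts are constructed from the lines in this thread; the labels and regexes are my own assumptions, not anything either tool emits.

```python
"""Triage ComboFix 'Other Deletions' paths and ESET findings (added example)."""
import re

# 8-4-4-4-12 hex GUID, as in the folder name removed in this thread.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# Roots under which the GUID-named store appeared in the posted log (assumption:
# same two locations are the ones worth flagging).
STORE_ROOTS = (
    r"\\local settings\\application data\\" + GUID,
    r"\\windows\\installer\\" + GUID,
)
# The store folder itself, or its '@', 'n', 'U\...' or 'L\...' entries.
STORE_ENTRY = re.compile(
    r"(?:" + "|".join(STORE_ROOTS) + r")(?:\\(?:@|n|[ul]\\[^\\]+))?$",
    re.IGNORECASE,
)
GAC_INI = re.compile(r"\\windows\\assembly\\gac\\desktop\.ini$", re.IGNORECASE)
QUARANTINE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.IGNORECASE)
RESTORE = re.compile(r"^[a-z]:\\system volume information\\_restore", re.IGNORECASE)

# Constructed excerpt in the shape of the ComboFix log above.
SAMPLE_COMBOFIX = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mark Sterner\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}
c:\documents and settings\Mark Sterner\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}\@
c:\documents and settings\Mark Sterner\Local Settings\Application Data\{99bd2805-218d-be59-9aa5-dca0a70c4022}\n
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{99bd2805-218d-be59-9aa5-dca0a70c4022}\L\00000004.@
c:\windows\system32\dllcache\dlimport.exe
.
(((((((((((((((((((((((((   Files Created from 2012-06-05 to 2012-07-05  )))))))))))))))))))))))))))))))
.
2012-07-05 02:43 . 2012-07-05 03:06   --------   d-----w-   C:\sh4ldr
"""

# Constructed excerpt in the shape of the ESET report above (path, spaces, detection).
SAMPLE_ESET = r"""
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC\Desktop.ini.vir   Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{EA487966-C170-4A00-AB73-0F9908F3B1E9}\RP351\A0090728.ini   Win32/Sirefef.EZ trojan
"""


def classify_path(path: str) -> str:
    """Return a triage label for one path from either log."""
    if QUARANTINE.search(path):
        return "quarantine"       # already moved by ComboFix; removed on its uninstall
    if RESTORE.search(path):
        return "restore-point"    # System Restore copy; cleared by OTM's [ClearAllRestorePoints]
    if STORE_ENTRY.search(path) or GAC_INI.search(path):
        return "live-indicator"   # matches the file layout removed in this thread
    return "other"


def combofix_deletions(log: str) -> list:
    """Collect the paths listed under ComboFix's 'Other Deletions' banner."""
    paths, inside = [], False
    for line in log.splitlines():
        if line.startswith("((((("):
            inside = "Other Deletions" in line
            continue
        if inside and line.strip() and line.strip() != ".":
            paths.append(line.strip())
    return paths


def eset_findings(log: str) -> list:
    """Parse 'path<TAB or spaces>detection' lines into (path, detection) tuples."""
    out = []
    for line in log.splitlines():
        parts = re.split(r"\t|\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and re.match(r"^[a-z]:\\", parts[0], re.IGNORECASE):
            out.append((parts[0], parts[1]))
    return out


def triage(paths) -> dict:
    """Group paths by label so it is clear what still needs action."""
    groups = {"live-indicator": [], "quarantine": [], "restore-point": [], "other": []}
    for p in paths:
        groups[classify_path(p)].append(p)
    return groups


if __name__ == "__main__":
    all_paths = combofix_deletions(SAMPLE_COMBOFIX) + [p for p, _ in eset_findings(SAMPLE_ESET)]
    for label, items in triage(all_paths).items():
        print(f"{label}: {len(items)}")
```
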

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #5 on: July 05, 2012, 12:36:59 PM »
The files contained in Qoobox will be dealt with when we clean up later, for now do the following:

Step 1

Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2 
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Files
ipconfig /flushdns /c
:Commands
[ClearAllRestorePoints]
[ResetHosts]
[EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.
If Java or Adobe is updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed.

Let me see the log from OTM, also give an update on any remaining issues or concerns..

Thanks,

Kevin...



Offline Majorstar

  • Bronze Member
  • Posts: 8
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #6 on: July 05, 2012, 01:57:51 PM »
Okay, below is the log from OTM.  I don't have any other issues or concerns that I've noticed, as long as these darned sirefef trojans are gone.

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Mark Sterner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Mark Sterner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
Restore point Set: OTM Restore Point
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8421443 bytes
->Flash cache emptied: 19992 bytes
 
User: Mark Sterner
->Temp folder emptied: 122605 bytes
->Temporary Internet Files folder emptied: 40623671 bytes
->Java cache emptied: 996702 bytes
->Google Chrome cache emptied: 348974727 bytes
->Flash cache emptied: 3201783 bytes
 
User: NetworkService
->Temp folder emptied: 1128 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 921 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3636844 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1344 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 387.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 07052012_142704

Files moved on Reboot...

Registry entries deleted on Reboot...

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #7 on: July 05, 2012, 02:27:19 PM »
Make sure your security is updated and turned on, use your system freely. When you`re happy all is ok post back and we`ll clean up etc. If you any issues at all, let me know...

Offline Majorstar

  • Bronze Member
  • Posts: 8
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #8 on: July 05, 2012, 02:37:52 PM »
Everything seems to be working properly now, thanks to you.

I'm ready to clean up whenever you can get to it.

Offline Majorstar

  • Bronze Member
  • Posts: 8
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #9 on: July 05, 2012, 02:56:12 PM »
Oh, I do notice that since running all these programs today, during startup/reboot I'm getting an alternate system boot screen appearing briefly that was never there before.  Is that something we can make go away?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #10 on: July 05, 2012, 03:05:16 PM »
Okey Dokey, do the following please :-

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the "x" and "/")


  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Step 2

We need to remove ESET Online Scanner.

  • Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
  • Click to select ESET Online Scanner from the application list, and then click Remove. Only re-boot if prompted
Step 3

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.


Any tools/logs remaining on the Desktop can be deleted.

Step 4

Download TFC  to your desktop, from either of the following links
Link 1
Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select “Run as Administrator”
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds.  TFC may re-boot your system, if not re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc etc.  Always remember to re-boot after a run, even if not prompted

Let me know if those steps complete OK, also if any issues or concerns....

When we ran Combofix it installed the recovery console, that is what you see at boot. At boot you have the option to arrow down and select the RC, it is well worth keeping for future reference. The default time out is 2 seconds, then your OS boots.

Have a read here http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/recovery_console_overview.mspx?mfr=true

Kevin..

Offline Majorstar

  • Bronze Member
  • Posts: 8
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #11 on: July 05, 2012, 03:32:46 PM »
Okay!  Clean up process completed.  Thank you, Kevin, for your wonderful help today.  I'm very grateful that I could have someone with your command of these issues to guide me through this virus removal process.  I was so worried about this, and you got to the root of the problem immediately.  You are the man.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #12 on: July 05, 2012, 03:42:38 PM »
Good to hear everything went OK for you, here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol. This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained Here

Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.
If Java or Adobe is updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed.


Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
 
Firefox,

Opera, and

Chrome.
 
All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally this link HERE will give a comprehensive up-to-date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Let me know when it's OK to close out your thread...

Take care,

Kevin

Offline Majorstar

  • Bronze Member
  • Posts: 8
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #13 on: July 06, 2012, 08:23:55 AM »
I suppose it's okay now to close out my thread.  Thanks again!

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6347
Re: [Resolved K] Infected by win32/sirefef virus
« Reply #14 on: July 06, 2012, 08:27:06 AM »
Since this issue appears to be resolved the topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.