[A] Sirefef.ah Virus

Inactive
By Dexter Curry
Aug 10, 2012
Topic Status:
Not open for further replies.
  1. I have the Sirefef.ah virus and need to get rid of it. I cannot do much because I get a message that it will shut down in 1 min. Please help.
  2. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================

    What Windows version is it?
  3. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    Vista Ultimate
  4. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
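The two logs requested above are normally read by eye, but the first-pass checks can be scripted. The following Python script is an added example, not code from this thread, from TechSpot, or from FRST's author. It parses lines in the FRST log layout (the `=== Section ===` headers, the `<start> <name>; <path> [size date] (vendor)` service and driver entries, and the dated file entries) over a constructed subset of the log posted later in this thread, and emits review prompts for what a removal helper looks at first: registered drivers whose file is missing (`[x]`), drivers loading from Temp or a user profile, recently created hidden+system or oddly named directories, and core Windows binaries such as services.exe modified shortly before the scan. The section names, the meaning of the attribute letters (A/H/S/D) and the date formats are assumptions taken from how the log on this page is laid out; the vendor string in parentheses is treated as an unverified version-info claim, not a signature check, and every flag is a prompt for review rather than a verdict.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of lines copied from the FRST log pasted in this
# thread, kept short so the example runs offline. Not a complete FRST log.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-08-2012
Ran by SYSTEM at 10-08-2012 14:16:24
========================== Registry (Whitelisted) =============
HKLM\...\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot [384232 2012-07-12] (BillP Studios)
========================== Drivers (Whitelisted) =============
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 MFE_RR; \??\D:\Users\Dexter\AppData\Local\Temp\mfe_rr.sys [x]
3 SliceDisk5; \??\D:\Users\Dexter\AppData\Local\Temp\HBCD\FindAndMount\slicedisk.sys [x]
============ One Month Created Files and Folders ==============
2012-08-05 21:34 - 2012-08-05 21:34 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tximswgi.sys
2012-08-05 15:27 - 2012-08-05 15:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-05 12:10 - 2012-08-05 17:02 - 00000000 ____D C:\Users\Dexter\AppData\Local\{323DB715-0885-16AE-F0CC-0ADFD06699A9}
============ 3 Months Modified Files ========================
2012-08-09 12:24 - 2011-02-15 16:25 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-06-13 05:40 - 2012-07-27 04:26 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
"""

# Layout assumptions (taken from the log on this page, not from FRST documentation):
RAN_RE = re.compile(r"^Ran by .+ at (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})")   # dd-mm-yyyy
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "<start> <name>; <path> [<size> <date>] (<vendor>)"  or  "... [x]" when the file was not found.
ENTRY_RE = re.compile(r"^(\d)\s+([^;]+);\s+(.*?)\s+(\[x\]|\[\d+ \d{4}-\d{2}-\d{2}\](?:\s+\((.*?)\))?)\s*$")
# "<date1> - <date2> - <size> <attrs> [(<vendor>)] <path>"; attrs assumed to be A/H/S/D letters.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d+) (\S{5}) (?:\((.*?)\) )?(.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Binaries whose recent modification deserves a hash comparison against a known-good copy.
CORE_BINARIES = {"services.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                 "lsass.exe", "wininit.exe", "csrss.exe"}


def triage(log_text, recent_days=30):
    """Return a list of (item, reason) review prompts from FRST-format log text.
    The vendor name in parentheses is deliberately ignored: it is version-info text,
    not proof of signing, so it is never used here as a trust signal."""
    findings = []
    section = None
    scan_time = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RAN_RE.match(line)
        if m:
            scan_time = datetime.strptime(m.group(1), "%d-%m-%Y %H:%M:%S")
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section in ("Services (Whitelisted)", "Drivers (Whitelisted)"):
            m = ENTRY_RE.match(line)
            if not m:
                continue
            name, path = m.group(2), m.group(3)
            if m.group(4) == "[x]":
                findings.append((name, "registered but its file was not found at scan time ([x]); "
                                       "stale entry or a file that was already removed"))
            lowered = path.lower()
            if "\\temp\\" in lowered or "\\users\\" in lowered:
                findings.append((name, "driver/service loads from a Temp or user-profile path: " + path))
        elif section and section.endswith("Created Files and Folders"):
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, path = m.group(4), m.group(6)
            leaf = path.rsplit("\\", 1)[-1]
            reasons = []
            if "D" in attrs and "S" in attrs and "H" in attrs:
                reasons.append("hidden+system directory")
            if "D" in attrs and ("%" in leaf or GUID_RE.match(leaf)):
                reasons.append("directory named like a variable or GUID")
            if reasons:
                findings.append((leaf, ", ".join(reasons) + " created recently: " + path))
        elif section and section.endswith("Modified Files"):
            m = FILE_RE.match(line)
            if not m or scan_time is None:
                continue
            modified = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")  # first column = mtime here
            leaf = m.group(6).rsplit("\\", 1)[-1]
            age = scan_time - modified
            if leaf.lower() in CORE_BINARIES and age <= timedelta(days=recent_days):
                findings.append((leaf, f"core Windows binary modified {age.days} day(s) before the scan; "
                                       "compare its hash against a known-good copy"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item}: {reason}")
```

Run it as a plain script, or call `triage()` on the text of a full FRST.txt. The `recent_days` window is a tuning knob: a tight window right after a Patch Tuesday will still catch legitimately updated binaries, which is why the prompt asks for a hash comparison rather than declaring the file bad.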
  5. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    do you want the files or the output?
  6. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    I don't understand...
  7. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    do you want me to post the text files or do you want me to just post it in the message?
  8. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    All logs have to be pasted.
  9. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    Here is the output.

    FRST.TXT
    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 08-08-2012
    Ran by SYSTEM at 10-08-2012 14:16:24
    Running from F:\
    Windows Vista (TM) Ultimate (X86) OS Language: English(US)
    The current controlset is ControlSet002
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot [384232 2012-07-12] (BillP Studios)
    HKLM\...\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe" [17408 2010-07-04] ()
    HKLM\...\Run: [TrueImageMonitor.exe] "D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [5551288 2011-09-22] (Acronis)
    HKLM\...\Run: [TkBellExe] "D:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot [296056 2011-12-05] (RealNetworks, Inc.)
    HKLM\...\Run: [SwitchBoard] D:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM\...\Run: [Standby] "D:\Program Files\Common Files\Corel\Standby\Standby.exe" -START [105632 2010-01-07] (Corel)
    HKLM\...\Run: [SAOB Monitor] D:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe [2537096 2011-09-22] (Acronis)
    HKLM\...\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE [180224 2010-04-12] (PowerISO Computing, Inc.)
    HKLM\...\Run: [Persistence] D:\Windows\system32\igfxpers.exe [81920 2006-12-12] (Intel Corporation)
    HKLM\...\Run: [Norton Ghost 14.0] "D:\Program Files\Norton Ghost\Agent\VProTray.exe" [2250088 2009-08-03] (Symantec Corporation)
    HKLM\...\Run: [NBAgent] "D:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart [1493288 2012-01-13] (Nero AG)
    HKLM\...\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKLM\...\Run: [IgfxTray] D:\Windows\system32\igfxtray.exe [98304 2006-12-12] (Intel Corporation)
    HKLM\...\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
    HKLM\...\Run: [HotKeysCmds] D:\Windows\system32\hkcmd.exe [106496 2006-12-12] (Intel Corporation)
    HKLM\...\Run: [Corel File Shell Monitor] D:\Program Files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe [x]
    HKLM\...\Run: [BCSSync] "D:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [APSDaemon] "D:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM\...\Run: [AppleSyncNotifier] D:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)
    HKLM\...\Run: [ApnUpdater] "D:\Program Files\Ask.com\Updater\Updater.exe" [1398440 2011-12-14] (Ask)
    HKLM\...\Run: [AdobeCS5.5ServiceManager] "D:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] "D:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [Adobe Acrobat Speed Launcher] "D:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2012-04-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [Acronis Scheduler2 Service] "D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [394832 2011-09-22] (Acronis)
    HKLM\...\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [815512 2012-04-03] (Adobe Systems Inc.)
    HKLM\...\Run: [MSC] "d:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKLM\...\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
    HKLM\...\Run: [Anti-phishing Domain Advisor] "D:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [217256 2011-07-29] (Visicom Media Inc. (Powered by Panda Security))
    HKU\Administrator.Dexter-PC\...\Run: [LightScribe Control Panel] D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-06-17] (Hewlett-Packard Company)
    HKU\Dexter\...\Run: [HP Photosmart 7510 series (NET)] "D:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN19Q2409W05PX:NW" -scfn "HP Photosmart 7510 series (NET)" -AutoStart 1 [1804648 2011-08-31] (Hewlett-Packard Co.)
    HKU\Dexter\...\Run: [uTorrent] "D:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-19] (BitTorrent, Inc.)
    HKU\Dexter\...\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    HKU\Dexter\...\Run: [ehTray.exe] D:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    ================================ Services (Whitelisted) ==================
    2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [804544 2011-09-22] (Acronis)
    2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3246040 2012-05-09] (Acronis)
    2 Akamai; C:\program files\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-11] (Akamai Technologies, Inc)
    2 BBSvc; C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [193816 2012-02-10] (Microsoft Corporation.)
    3 BBUpdate; C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [240408 2012-02-10] (Microsoft Corporation.)
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    2 Freemake Improver; "C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe" [96768 2012-05-31] (Freemake)
    2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [13824 2008-01-18] (Microsoft Corporation)
    3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2999664 2007-09-12] (Symantec Corporation)
    2 LPDSVC; C:\Windows\System32\lpdsvc.dll [35328 2008-01-18] (Microsoft Corporation)
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    3 MSFTPSVC; C:\Windows\system32\inetsrv\inetinfo.exe [13824 2008-01-18] (Microsoft Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    2 NAUpdate; "C:\Program Files\Nero\Update\NASvc.exe" [687400 2011-11-25] (Nero AG)
    4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator [129880 2009-02-18] (Microsoft Corporation)
    2 NetPipeActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [129880 2009-02-18] (Microsoft Corporation)
    2 NetTcpActivator; "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [129880 2009-02-18] (Microsoft Corporation)
    2 NfsClnt; C:\Windows\System32\nfsclnt.exe [50688 2009-04-10] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 Norton Ghost; C:\Program Files\Norton Ghost\Agent\VProSvc.exe [4322656 2009-08-03] (Symantec Corporation)
    2 OrbisClient.Services; "C:\Program Files\TestOut\Orbis\OrbisClient.Services.exe" [17408 2011-01-25] ()
    3 PLAVService; "C:\Program Files\Common Files\PLAV\PLAVservice.exe" [601008 2012-02-07] (ParetoLogic Inc.)
    2 PSI_SVC_2; "C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [185632 2007-07-24] (Protexis Inc.)
    2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    2 simptcp; C:\Windows\System32\tcpsvcs.exe [9728 2010-12-19] (Microsoft Corporation)
    2 SNMP; C:\Windows\System32\snmp.exe [47616 2009-04-10] (Microsoft Corporation)
    2 Symantec SymSnap VSS Provider; C:\Windows\system32\dllhost.exe /Processid:{FAAA9DEA-9D18-4E80-9DBB-942E523429C0} [7168 2006-11-02] (Microsoft Corporation)
    3 SymSnapService; "C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe" [1562096 2009-07-01] (Symantec)
    3 WMSvc; C:\Windows\system32\inetsrv\wmsvc.exe [11264 2008-01-18] (Microsoft Corporation)
    2 Apache2.2; "C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice [x]
    ========================== Drivers (Whitelisted) =============
    3 afcdp; C:\Windows\System32\DRIVERS\afcdp.sys [167968 2012-05-09] (Acronis)
    0 fltsrv; C:\Windows\System32\DRIVERS\fltsrv.sys [77696 2012-05-08] (Acronis)
    1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [312336 2010-05-28] (Kaspersky Lab)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    0 NBVol; C:\Windows\System32\DRIVERS\NBVol.sys [56496 2011-12-01] (Nero AG)
    0 NBVolUp; C:\Windows\System32\DRIVERS\NBVolUp.sys [12464 2011-12-01] (Nero AG)
    3 NfsRdr; C:\Windows\System32\drivers\nfsrdr.sys [195584 2009-04-10] (Microsoft Corporation)
    3 PsxDrv; C:\Windows\System32\drivers\psxdrv.sys [9216 2008-01-18] (Microsoft Corporation)
    3 RpcXdr; C:\Windows\System32\drivers\rpcxdr.sys [76800 2009-04-10] (Microsoft Corporation)
    3 SMSCIRDA; C:\Windows\System32\DRIVERS\SMSCirda.sys [30720 2006-11-01] (SMSC)
    0 symsnap; C:\Windows\System32\DRIVERS\symsnap.sys [138464 2009-07-01] (StorageCraft)
    0 tdrpman273; C:\Windows\System32\DRIVERS\tdrpm273.sys [752128 2012-05-09] (Acronis)
    0 timounter; C:\Windows\System32\DRIVERS\timntr.sys [600928 2012-05-09] (Acronis)
    3 USBCCID; C:\Windows\System32\DRIVERS\usbccid.sys [30208 2009-04-10] (Microsoft Corporation)
    2 v2imount; C:\Windows\System32\DRIVERS\v2imount.sys [38112 2008-08-13] (Symantec Corporation)
    1 VBoxDrv; C:\Windows\System32\DRIVERS\VBoxDrv.sys [158552 2012-05-22] (Oracle Corporation)
    3 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp.sys [104792 2012-05-22] (Oracle Corporation)
    3 VBoxNetFlt; C:\Windows\System32\DRIVERS\VBoxNetFlt.sys [116056 2012-05-22] (Oracle Corporation)
    3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [82776 2012-05-22] (Oracle Corporation)
    1 VBoxUSBMon; C:\Windows\System32\DRIVERS\VBoxUSBMon.sys [91992 2012-05-22] (Oracle Corporation)
    0 vidsflt61; C:\Windows\System32\DRIVERS\vsflt61.sys [84544 2012-05-08] (Acronis)
    3 VProEventMonitor; C:\Windows\System32\DRIVERS\vproeventmonitor.sys [15088 2008-01-19] (Symantec Corporation)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 hitmanpro36; \??\D:\Windows\system32\drivers\hitmanpro36.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 MBAMProtector; \??\D:\Windows\system32\drivers\mbam.sys [x]
    3 MFE_RR; \??\D:\Users\Dexter\AppData\Local\Temp\mfe_rr.sys [x]
    3 NPF; C:\Windows\System32\drivers\npf.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 PROCEXP152; \??\D:\Windows\system32\Drivers\PROCEXP152.SYS [x]
    3 PROCMON23; \??\D:\Windows\system32\Drivers\PROCMON23.SYS [x]
    3 pwdrvio; \??\D:\Windows\system32\pwdrvio.sys [x]
    3 pwdspio; \??\D:\Windows\system32\pwdspio.sys [x]
    3 SliceDisk5; \??\D:\Users\Dexter\AppData\Local\Temp\HBCD\FindAndMount\slicedisk.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-08-10 08:07 - 2012-08-10 08:08 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-09 13:16 - 2012-08-09 13:16 - 00000000 ____D C:\FRST
    2012-08-09 06:09 - 2012-08-09 07:55 - 00000398 ____A C:\Windows\Tasks\ErrorEND.job
    2012-08-08 21:22 - 2012-08-08 21:22 - 00028040 ____A (Sysinternals - www.sysinternals.com) C:\Windows\System32\Drivers\PROCEXP152.SYS
    2012-08-08 19:39 - 2012-08-08 19:39 - 00064392 ___AH (Sysinternals - www.sysinternals.com) C:\Windows\System32\Drivers\PROCMON23.SYS
    2012-08-08 16:19 - 2012-08-08 16:19 - 268435456 __ASH C:\WinPEpge.sys
    2012-08-08 16:19 - 2012-08-08 16:19 - 00000000 ____D C:\$WINDOWS.~BT
    2012-08-08 14:08 - 2012-08-07 11:32 - 00169984 ____A (Microsoft Corporation) C:\Users\Administrator.Dexter-PC\Desktop\msconfig.exe
    2012-08-08 06:54 - 2012-08-08 06:54 - 00000000 ____D C:\Program Files\ParetoLogic
    2012-08-08 06:54 - 2012-08-08 06:54 - 00000000 ____D C:\Program Files\Common Files\PLAV
    2012-08-08 06:53 - 2012-08-08 06:53 - 00000000 ____D C:\Program Files\Common Files\ParetoLogic
    2012-08-07 20:34 - 2012-08-08 07:03 - 172705751 ____A C:\Windows\MEMORY.DMP
    2012-08-07 20:34 - 2012-08-07 20:35 - 00136024 ____A C:\Windows\Minidump\Mini080812-01.dmp
    2012-08-07 20:34 - 2012-08-07 20:34 - 00000000 ____D C:\Windows\Minidump
    2012-08-07 16:05 - 2012-08-07 16:05 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Roaming\HP
    2012-08-07 13:54 - 2012-08-07 13:56 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Local\Adobe
    2012-08-07 13:54 - 2012-08-07 13:54 - 00128120 ____A C:\Users\Administrator.Dexter-PC\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-07 13:54 - 2012-08-07 13:54 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Roaming\Apple Computer
    2012-08-07 13:54 - 2012-08-07 13:54 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Local\Apple Computer
    2012-08-07 13:54 - 2012-08-07 13:54 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Local\antiphishing-vmninternethelper1_1dn
    2012-08-07 13:53 - 2012-08-07 16:06 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Roaming\Adobe
    2012-08-07 13:53 - 2012-08-07 13:53 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Roaming\Real
    2012-08-07 13:43 - 2012-08-07 13:47 - 00000000 ____D C:\users\Administrator.Dexter-PC
    2012-08-07 13:43 - 2012-08-07 13:43 - 00000020 ___SH C:\Users\Administrator.Dexter-PC\ntuser.ini
    2012-08-07 13:43 - 2011-09-17 09:54 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Local\Microsoft Help
    2012-08-07 13:43 - 2011-05-23 14:35 - 00000000 ____D C:\Users\Administrator.Dexter-PC\AppData\Roaming\Macromedia
    2012-08-07 11:52 - 2012-08-07 11:52 - 00000827 ____A C:\Users\Dexter\Desktop\MSConfigCleanUp.lnk
    2012-08-07 11:52 - 2012-08-07 11:52 - 00000000 ____D C:\Program Files\MSConfig CleanUp
    2012-08-06 09:57 - 2012-08-06 09:57 - 00000000 ___SD C:\ComboFix
    2012-08-06 09:57 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-08-06 09:57 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-08-06 09:57 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-08-06 09:57 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-08-06 09:57 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-08-06 09:57 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-08-06 09:57 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-08-06 09:57 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-08-06 09:51 - 2012-08-06 09:51 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
    2012-08-06 09:51 - 2012-08-06 09:51 - 00000000 ____D C:\Qoobox
    2012-08-06 09:41 - 2012-08-06 09:41 - 00000000 ____D C:\Windows\erdnt
    2012-08-06 09:40 - 2012-08-06 10:05 - 00000000 ___SD C:\32788R22FWJFW
    2012-08-06 08:27 - 2012-08-06 08:27 - 00000000 ____D C:\Users\Public\Desktop\CC Support
    2012-08-06 05:25 - 2012-08-09 13:16 - 00000000 ____D C:\users\Administrator
    2012-08-06 05:25 - 2012-08-06 05:25 - 00000672 ____A C:\Users\Administrator\Desktop\Windows Media Player.lnk
    2012-08-06 05:25 - 2012-08-06 05:25 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
    2012-08-05 21:34 - 2012-08-05 21:34 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tximswgi.sys
    2012-08-05 19:03 - 2012-08-05 19:04 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-05 16:58 - 2012-08-05 16:58 - 09231560 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2012-08-05 16:05 - 2012-08-08 19:59 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-05 16:05 - 2012-08-05 16:58 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-05 16:05 - 2012-08-05 16:58 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-05 16:04 - 2012-08-05 16:04 - 00001055 ____A C:\Users\Dexter\Desktop\Spybot - Search & Destroy.lnk
    2012-08-05 15:27 - 2012-08-05 15:27 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-05 12:10 - 2012-08-05 17:02 - 00000000 ____D C:\Users\Dexter\AppData\Local\{323DB715-0885-16AE-F0CC-0ADFD06699A9}
    2012-08-05 09:33 - 2012-08-05 10:35 - 00001000 ____A C:\Users\Dexter\Desktop\SpeedyPC Pro.lnk
    2012-08-05 09:33 - 2012-08-05 09:33 - 00000000 ____D C:\Users\Dexter\AppData\Roaming\SpeedyPC Software
    2012-08-05 09:33 - 2012-08-05 09:33 - 00000000 ____D C:\Users\Dexter\AppData\Roaming\DriverCure
    2012-08-05 08:03 - 2012-08-05 08:25 - 00000401 ____A C:\Windows\wininit.ini
    2012-08-05 07:52 - 2012-08-05 16:45 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
    2012-08-05 07:29 - 2012-08-05 10:13 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-08-05 07:29 - 2012-08-05 10:10 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-05 07:29 - 2012-07-03 09:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-05 05:08 - 2012-08-10 08:08 - 00001064 ____A C:\Windows\System32\spsys.log
    2012-08-05 03:41 - 2012-08-05 03:41 - 00000000 ____D C:\Users\Dexter\AppData\Roaming\WinPatrol
    2012-08-05 03:41 - 2012-08-05 03:41 - 00000000 ____D C:\Program Files\BillP Studios
    2012-08-04 18:56 - 2012-08-04 18:56 - 00000000 ____D C:\Users\Dexter\AppData\Roaming\Malwarebytes
    2012-08-04 18:51 - 2012-08-04 19:08 - 00000680 ____A C:\Users\Dexter\AppData\Local\d3d9caps.dat
    2012-07-27 04:26 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-27 04:19 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-27 04:19 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-27 04:19 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-27 04:19 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-27 04:19 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-27 04:19 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-27 04:19 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-27 04:19 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-27 04:19 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-27 04:19 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-27 04:19 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-27 04:19 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-27 04:19 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-27 04:19 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-27 04:09 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-27 04:09 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-27 04:09 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-27 04:08 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-27 04:08 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-27 04:08 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-15 03:08 - 2012-07-15 03:08 - 00000994 ____A C:\Users\Dexter\Desktop\hosts2.txt
    2012-07-15 02:57 - 2012-07-15 03:38 - 00000000 ____D C:\Users\Dexter\AppData\Local\Plex Media Server
    2012-07-13 06:21 - 2012-07-13 06:21 - 00465188 ____A C:\Users\Dexter\Documents\UX496 405 N Wakefield St.mdi
    2012-07-12 10:34 - 2012-07-12 10:34 - 00001292 ____A C:\Users\Dexter\SDM-2.5-1841-c1841-adventerprisek9-mz.123-14.yt1.bin

    ============ 3 Months Modified Files ========================
    2012-08-10 08:08 - 2012-08-10 08:07 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-10 08:08 - 2012-08-10 08:07 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-10 08:08 - 2012-08-05 05:08 - 00001064 ____A C:\Windows\System32\spsys.log
    2012-08-10 08:08 - 2011-05-23 14:35 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-10 08:07 - 2006-11-02 05:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-09 12:24 - 2011-02-15 16:25 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-09 12:06 - 2011-05-23 14:35 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-09 12:01 - 2012-07-08 11:19 - 00000258 ____A C:\Windows\Tasks\HP Photo Creations Messager.job
    2012-08-09 07:57 - 2006-11-02 05:00 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-09 07:55 - 2012-08-09 06:09 - 00000398 ____A C:\Windows\Tasks\ErrorEND.job
    2012-08-08 21:22 - 2012-08-08 21:22 - 00028040 ____A (Sysinternals - www.sysinternals.com) C:\Windows\System32\Drivers\PROCEXP152.SYS
    2012-08-08 19:59 - 2012-08-05 16:05 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-08 19:39 - 2012-08-08 19:39 - 00064392 ___AH (Sysinternals - www.sysinternals.com) C:\Windows\System32\Drivers\PROCMON23.SYS
    2012-08-08 16:19 - 2012-08-08 16:19 - 268435456 __ASH C:\WinPEpge.sys
    2012-08-08 14:30 - 2006-11-02 02:23 - 00000275 ____A C:\Windows\win.ini
    2012-08-08 14:30 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
    2012-08-08 13:28 - 2011-03-28 11:28 - 00002243 ____A C:\Windows\epplauncher.mif
    2012-08-08 07:03 - 2012-08-07 20:34 - 172705751 ____A C:\Windows\MEMORY.DMP
    2012-08-07 20:35 - 2012-08-07 20:34 - 00136024 ____A C:\Windows\Minidump\Mini080812-01.dmp
    2012-08-07 13:54 - 2012-08-07 13:54 - 00128120 ____A C:\Users\Administrator.Dexter-PC\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-07 13:43 - 2012-08-07 13:43 - 00000020 ___SH C:\Users\Administrator.Dexter-PC\ntuser.ini
    2012-08-07 11:52 - 2012-08-07 11:52 - 00000827 ____A C:\Users\Dexter\Desktop\MSConfigCleanUp.lnk
    2012-08-07 11:52 - 2011-05-22 16:18 - 00001189 ____A C:\Users\Dexter\AppData\Roaming\vso_ts_preview.xml
    2012-08-07 11:32 - 2012-08-08 14:08 - 00169984 ____A (Microsoft Corporation) C:\Users\Administrator.Dexter-PC\Desktop\msconfig.exe
    2012-08-06 18:40 - 2011-09-23 05:14 - 00440252 ____A C:\Windows\PFRO.log
    2012-08-06 09:51 - 2012-08-06 09:51 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
    2012-08-06 08:43 - 2006-11-02 02:33 - 00810302 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-06 08:24 - 2006-11-02 04:46 - 03781784 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-06 05:25 - 2012-08-06 05:25 - 00000672 ____A C:\Users\Administrator\Desktop\Windows Media Player.lnk
    2012-08-06 05:25 - 2012-08-06 05:25 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
    2012-08-05 21:34 - 2012-08-05 21:34 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tximswgi.sys
    2012-08-05 19:18 - 2012-04-22 16:39 - 00001735 ____A C:\Windows\wmsetup.log
    2012-08-05 19:05 - 2007-04-02 15:01 - 01348573 ____A C:\Windows\WindowsUpdate.log
    2012-08-05 16:58 - 2012-08-05 16:58 - 09231560 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
    2012-08-05 16:58 - 2012-08-05 16:05 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-05 16:58 - 2012-08-05 16:05 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-05 16:04 - 2012-08-05 16:04 - 00001055 ____A C:\Users\Dexter\Desktop\Spybot - Search & Destroy.lnk
    2012-08-05 10:35 - 2012-08-05 09:33 - 00001000 ____A C:\Users\Dexter\Desktop\SpeedyPC Pro.lnk
    2012-08-05 10:10 - 2012-08-05 07:29 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-05 08:25 - 2012-08-05 08:03 - 00000401 ____A C:\Windows\wininit.ini
    2012-08-05 05:10 - 2011-09-14 14:14 - 00000266 ____A C:\Windows\Tasks\AutoKMS.job
    2012-08-04 19:08 - 2012-08-04 18:51 - 00000680 ____A C:\Users\Dexter\AppData\Local\d3d9caps.dat
    2012-07-31 04:31 - 2007-04-02 13:17 - 00238592 ____A C:\Users\Dexter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-27 04:21 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-15 03:08 - 2012-07-15 03:08 - 00000994 ____A C:\Users\Dexter\Desktop\hosts2.txt
    2012-07-13 06:21 - 2012-07-13 06:21 - 00465188 ____A C:\Users\Dexter\Documents\UX496 405 N Wakefield St.mdi
    2012-07-12 10:34 - 2012-07-12 10:34 - 00001292 ____A C:\Users\Dexter\SDM-2.5-1841-c1841-adventerprisek9-mz.123-14.yt1.bin
    2012-07-12 07:59 - 2012-07-08 09:31 - 00000848 ____A C:\Users\Dexter\SDM-2.5-1841-c1841-ipbase-mz.123-8.T8.bin
    2012-07-11 10:43 - 2007-04-02 12:10 - 00128120 ____A C:\Users\Dexter\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-09 07:18 - 2012-07-09 07:18 - 00001110 ____A C:\Users\Dexter\AppData\Roaming\ConvAPIPlugin.log
    2012-07-09 07:18 - 2012-07-09 06:42 - 00232895 ____A C:\Windows\hpwins22.dat
    2012-07-09 07:01 - 2012-07-09 07:01 - 00001176 ____A C:\Users\Public\Desktop\HP Solution Center.lnk
    2012-07-08 17:48 - 2012-07-08 17:48 - 00000778 ____A C:\Users\Dexter\Desktop\PuTTY.lnk
    2012-07-08 11:19 - 2012-07-08 11:19 - 00001788 ____A C:\Users\Public\Desktop\HP Photo Creations.lnk
    2012-07-08 11:15 - 2012-07-08 11:15 - 00002115 ____A C:\Users\Public\Desktop\HP Photosmart 7510 series.lnk
    2012-07-08 11:15 - 2012-07-08 11:15 - 00001795 ____A C:\Users\Public\Desktop\HP ePrintCenter - HP Photosmart 7510 series.lnk
    2012-07-08 11:15 - 2012-07-08 11:15 - 00001083 ____A C:\Users\Public\Desktop\Shop for Supplies - HP Photosmart 7510 series.lnk
    2012-07-08 09:13 - 2012-07-08 09:05 - 00000875 ____A C:\Users\Public\Desktop\Cisco SDM.lnk
    2012-07-08 05:07 - 2012-07-08 05:07 - 00000057 ____A C:\Users\Dexter\Desktop\mowerparts.txt
    2012-07-03 09:46 - 2012-08-05 07:29 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-02 10:26 - 2012-05-15 05:02 - 00148447 ____A C:\Windows\hpoins19.dat
    2012-06-26 03:25 - 2012-06-26 03:24 - 00000051 ____A C:\Users\Dexter\Desktop\Demonoid account.txt
    2012-06-13 17:40 - 2012-06-13 17:40 - 00001664 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-13 17:13 - 2012-06-13 17:11 - 77251480 ____A (Apple Inc.) C:\Users\Dexter\Desktop\iTunesSetup.exe
    2012-06-13 05:40 - 2012-07-27 04:26 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-12 07:11 - 2012-06-12 07:11 - 00000093 ____A C:\Users\Dexter\Desktop\LabSim Acount.txt
    2012-06-12 05:52 - 2012-06-12 05:52 - 00001886 ____A C:\Users\Public\Desktop\LabSim.lnk
    2012-06-11 17:40 - 2012-06-11 17:40 - 00001113 ____A C:\Users\Public\Desktop\Freemake Video Converter.lnk
    2012-06-11 10:37 - 2012-06-11 10:37 - 00000994 ____A C:\Users\Mcx1\Desktop\WinAVI All In One Converter.lnk
    2012-06-11 10:37 - 2012-06-05 06:30 - 00000994 ____A C:\Users\Dexter\Desktop\WinAVI All in One Converter.lnk
    2012-06-08 09:47 - 2012-07-27 04:09 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-27 04:09 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-27 04:09 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 06:49 - 2012-06-05 06:49 - 00000298 ____A C:\Users\Dexter\Desktop\document
    2012-06-04 07:26 - 2012-07-27 04:08 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-04 02:43 - 2012-06-04 02:43 - 00000875 ____A C:\Users\Mcx1\Desktop\Network Stumbler.lnk
    2012-06-04 02:43 - 2012-06-04 02:43 - 00000875 ____A C:\Users\Dexter\Desktop\Network Stumbler.lnk
    2012-06-03 19:24 - 2011-10-10 17:44 - 00002690 ____A C:\Windows\setupact.log
    2012-06-02 14:19 - 2012-06-21 05:06 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 05:06 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 05:06 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 05:05 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 05:05 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 05:06 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 05:05 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-21 05:05 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:12 - 2012-06-21 05:05 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-27 04:19 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-27 04:19 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-27 04:19 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-27 04:19 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-27 04:19 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-27 04:19 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-27 04:19 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-27 04:19 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-27 04:19 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-27 04:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-27 04:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-27 04:19 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-27 04:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-27 04:19 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 16:04 - 2012-07-27 04:08 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-27 04:08 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 09:53 - 2012-06-01 09:53 - 00000175 ____A C:\Users\Dexter\Desktop\go.bat
    2012-05-31 12:06 - 2011-05-22 16:16 - 00001017 ____A C:\Users\Dexter\Desktop\ConvertXtoDVD 4.lnk
    2012-05-31 08:25 - 2010-12-19 20:22 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-28 10:00 - 2012-05-28 09:50 - 00000842 ____A C:\Users\Public\Desktop\Microsoft Fix it Center.lnk
    2012-05-25 07:52 - 2012-05-25 07:52 - 00000983 ____A C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
    2012-05-22 11:08 - 2012-05-25 07:52 - 00158552 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxDrv.sys
    2012-05-22 11:08 - 2012-05-25 07:51 - 00091992 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxUSBMon.sys
    2012-05-22 11:08 - 2012-05-22 11:08 - 00135512 ____A (Oracle Corporation) C:\Windows\System32\VBoxNetFltNobj.dll
    2012-05-22 11:08 - 2012-05-22 11:08 - 00116056 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetFlt.sys
    2012-05-22 11:08 - 2012-05-22 11:08 - 00104792 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetAdp.sys
    2012-05-22 11:08 - 2012-05-22 11:08 - 00082776 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxUSB.sys
    2012-05-22 04:51 - 2006-11-02 02:23 - 00000973 ____A C:\Windows\System32\Drivers\etc\hosts.old
    2012-05-19 09:05 - 2010-11-01 13:33 - 00000752 ____A C:\Users\Public\Desktop\µTorrent.lnk
    2012-05-15 10:00 - 2012-06-01 03:15 - 00079872 ____A C:\Windows\System32\ff_vfw.dll
    2012-05-15 05:05 - 2012-03-21 04:53 - 00036802 ____A C:\Windows\DPINST.LOG
    2012-05-14 03:24 - 2012-05-14 03:24 - 00002036 ____A C:\Users\Public\Desktop\Web Studio 5.0.lnk
    2012-05-13 18:38 - 2012-05-13 18:30 - 00001899 ____A C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk
    2012-05-13 16:40 - 2012-05-13 16:40 - 00000962 ____A C:\Users\Public\Desktop\Adobe Content Viewer.lnk
    2012-05-13 16:01 - 2012-05-03 18:43 - 00001908 ____A C:\Windows\diagwrn.xml
    2012-05-13 16:01 - 2012-05-03 18:43 - 00001908 ____A C:\Windows\diagerr.xml
    2012-05-13 16:00 - 2011-10-10 17:44 - 00000000 ____A C:\Windows\setuperr.log

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe C5488EA6408AD0C3CC3E3CB876CBBED4 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 13%
    Total physical RAM: 3317.5 MB
    Available physical RAM: 2856.11 MB
    Total Pagefile: 3092.48 MB
    Available Pagefile: 2940.99 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.33 MB
    ======================= Partitions =========================
    1 Drive c: () (Fixed) (Total:259 GB) (Free:78.45 GB) NTFS
    2 Drive e: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
    3 Drive f: () (Removable) (Total:7.45 GB) (Free:6.44 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: () (Fixed) (Total:39.09 GB) (Free:30.57 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 2361 KB
    Disk 1 Online 7634 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 39 GB 1024 KB
    Partition 0 Extended 259 GB 39 GB
    Partition 2 Logical 259 GB 39 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 Y NTFS Partition 39 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 259 GB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7633 MB 16 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 F FAT32 Removable 7633 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-08-09 12:07
    ======================= End Of Log =========================
  10. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    Search.txt
    Farbar Recovery Scan Tool Version: 08-08-2012
    Ran by SYSTEM at 2012-08-10 14:17:47
    Running from F:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2011-02-15 16:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2011-02-10 18:50] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
    C:\Windows\System32\services.exe
    [2011-02-15 16:25] - [2012-08-09 12:24] - 0279552 ____A (Microsoft Corporation) C5488EA6408AD0C3CC3E3CB876CBBED4
    === End Of Search ===
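    As an added example (not part of the thread, and not FRST's own code), a small Python parser for the Search.txt format shown above: it pairs each hit's path with the metadata line that follows it, then flags a live copy outside WinSxS whose MD5 matches none of the component-store copies. The four hits from this post are embedded as constructed input; reading the two bracketed timestamps as creation and last-modified dates is an assumption.

```python
import re

# Constructed sample: the four services.exe hits from the Search.txt in this post.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-02-15 16:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2011-02-10 18:50] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\System32\services.exe
[2011-02-15 16:25] - [2012-08-09 12:24] - 0279552 ____A (Microsoft Corporation) C5488EA6408AD0C3CC3E3CB876CBBED4
=== End Of Search ===
"""

# Metadata line as printed by FRST: [created] - [modified] - size attrs (company) MD5
# (the order "created, then modified" is assumed here; the company field is optional).
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Return one dict per hit: the path line plus the fields of its metadata line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    hits, i = [], 0
    while i < len(lines) - 1:
        if PATH_RE.match(lines[i]):
            m = META_RE.match(lines[i + 1])
            if m:
                hit = m.groupdict()
                hit["path"] = lines[i]
                hit["size"] = int(hit["size"])
                hit["md5"] = hit["md5"].upper()
                hits.append(hit)
                i += 2
                continue
        i += 1
    return hits


def check_against_component_store(hits):
    """Compare each live copy (outside WinSxS) with the WinSxS copies' hashes.

    A live system binary whose MD5 matches no component-store copy, and whose
    last-modified time is later than its creation time, has been rewritten in
    place after installation, which is what the FRST check above flagged.
    """
    in_winsxs = lambda h: "\\winsxs\\" in h["path"].lower()
    baseline = {h["md5"] for h in hits if in_winsxs(h)}
    findings = []
    for h in hits:
        if in_winsxs(h):
            continue
        findings.append({
            "path": h["path"],
            "md5": h["md5"],
            "matches_winsxs": h["md5"] in baseline,
            # ISO-style "YYYY-MM-DD HH:MM" strings compare correctly as text.
            "written_after_install": h["modified"] > h["created"],
        })
    return findings


if __name__ == "__main__":
    for f in check_against_component_store(parse_search(SEARCH_TXT)):
        print(f)
```

    Run against the Search.txt above, the System32 copy is the only hit that matches none of the three WinSxS hashes and carries a last-modified time after its creation time; the same check on the copy the Fixlog later reports restoring from WinSxS would show a match.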
  11. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, Rkill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  12. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    Ran ComboFix for 30 min and it still just sits there with the blue box open. What should I do?
  13. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    I still need Fixlog.txt log.
  14. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 08-08-2012
    Ran by SYSTEM at 2012-08-10 15:10:39 Run:2
    Running from F:\
    ==============================================
    HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe
    ==== End of Fixlog ====
  15. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    OK.

    Re-run Combofix from safe mode.
  16. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

  17. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    OK, had to go, but I let ComboFix run while I was gone and it is still running after about 4 hrs. I am in safe mode also. What next?
  18. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    Is the computer clock still running?
    If so, let it be.
  19. Dexter Curry

    Dexter Curry Newcomer, in training Topic Starter

    Let it run for 24 hrs and nothing. What should I do?
  20. Broni

    Broni Malware Annihilator Posts: 46,143   +251

  21. Broni

    Broni Malware Annihilator Posts: 46,143   +251

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.