[A] Sirefef possibly, and critical error 1 min restarts

Inactive
By Tim T
Aug 9, 2012
Topic Status:
Not open for further replies.
  1. Running Windows 7 Home Premium 32-bit.

    Coming here because it looks like someone is actually able to help! I've followed a few threads and I've tried to do the first step that has been going around. Here are the FRST.txt log and the Search.txt log:

    FRST:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 09-08-2012
    Ran by SYSTEM at 09-08-2012 15:15:37
    Running from J:\AV
    Windows 7 Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-11] (Realtek Semiconductor)
    HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
    HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
    HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\RealTime Communications.lnk
    ShortcutTarget: RealTime Communications.lnk -> C:\RT3\RTComm.exe (Sundial Time Systems, Inc.)

    ================================ Services (Whitelisted) ==================

    2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [81920 2009-03-31] (Andrea Electronics Corporation)
    2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.)
    3 dkab_device; C:\Windows\system32\DKabcoms.exe -service [508824 2006-10-21] ( )
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-21] (Broadcom Corporation)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [165376 2009-09-22] (Microsoft Corporation)
    1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [55040 2009-09-22] (Microsoft Corporation)
    3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2009-09-22] (Microsoft Corporation)
    3 vpcuxd; C:\Windows\System32\DRIVERS\vpcuxd.sys [12800 2009-09-22] (Microsoft Corporation)
    1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [294912 2009-09-22] (Microsoft Corporation)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-09 16:35 - 2012-08-09 16:35 - 00302592 ____A C:\Users\Thomas\Downloads\mgy59hk3.exe
    2012-08-09 15:15 - 2012-08-09 15:15 - 00000000 ____D C:\FRST
    2012-08-09 14:40 - 2012-08-09 14:43 - 07750160 ____A (SurfRight B.V.) C:\Users\Thomas\Downloads\HitmanPro36.exe
    2012-08-09 14:40 - 2012-08-09 14:41 - 04727110 ____A (Swearware) C:\Users\Thomas\Downloads\ComboFix (1).exe
    2012-08-09 14:37 - 2012-08-09 14:38 - 04727110 ____A (Swearware) C:\Users\Thomas\Downloads\ComboFix.exe
    2012-08-09 14:37 - 2012-08-09 14:38 - 00001606 ____A C:\Users\Thomas\Desktop\Rkill.txt
    2012-08-09 14:35 - 2012-08-09 14:35 - 04981254 ____A C:\Users\Thomas\Downloads\unconfirmed 57173.download
    2012-08-09 14:34 - 2012-08-09 14:35 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\iExplore.exe
    2012-08-09 14:34 - 2012-08-09 14:34 - 00001205 ____A C:\Users\Thomas\Downloads\registryfix.reg
    2012-08-09 14:26 - 2012-08-09 14:26 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-09 14:23 - 2012-08-09 14:23 - 00407872 ____A C:\Users\Thomas\Downloads\pkiller.exe
    2012-08-09 14:21 - 2012-08-09 14:23 - 10288512 ____A (Microsoft Corporation) C:\Users\Thomas\Downloads\mseinstall.exe
    2012-08-09 14:17 - 2012-08-09 14:17 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Thomas\Downloads\SpyHunter-Installer.exe
    2012-08-09 14:00 - 2012-08-09 14:00 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Malwarebytes
    2012-08-09 14:00 - 2012-08-09 14:00 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-09 14:00 - 2012-08-09 14:00 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-08-09 14:00 - 2010-12-20 20:09 - 00038224 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-09 14:00 - 2010-12-20 20:08 - 00020952 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-09 13:55 - 2012-08-09 13:55 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill.exe
    2012-08-09 12:43 - 2012-08-09 12:43 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-09 12:41 - 2012-08-09 12:43 - 00000000 ____D C:\Users\All Users\036DFF85031355ACEEDADB1C4F147CE7
    2012-08-09 12:40 - 2012-08-09 12:40 - 00057344 ___AH (AhnLab, Inc.) C:\Windows\System32\exe2host.dll
    2012-08-07 16:20 - 2012-08-07 16:20 - 00012657 ____A C:\Users\Thomas\Documents\Ba-Le UH Order.xlsx
    2012-08-07 12:34 - 2012-08-07 12:34 - 00013650 ____A C:\Users\Thomas\Documents\Baker Hours.xlsx
    2012-08-06 08:42 - 2012-08-07 10:37 - 00062464 ____A C:\Users\Thomas\Downloads\PAYROLL SHEET FOR 08-10-12 PAYROLL.xls
    2012-08-03 17:23 - 2012-08-04 17:01 - 00275526 ____A C:\Users\Thomas\Documents\Tri1.xlsx
    2012-07-29 10:38 - 2012-07-29 10:38 - 00000000 ____D C:\Users\Thomas\AppData\Local\Macromedia
    2012-07-29 09:52 - 2012-08-09 16:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-29 09:52 - 2012-08-02 14:06 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-27 10:49 - 2012-07-27 11:57 - 00013225 ____A C:\Users\Thomas\Documents\Form for Rodney.xlsx
    2012-07-23 11:10 - 2012-07-23 11:15 - 00060928 ____A C:\Users\Thomas\Downloads\PAYROLL SHEET FOR 07-13-2012 PAYROLL.xls
    2012-07-22 12:27 - 2012-07-29 13:22 - 00061440 ____A C:\Users\Thomas\Downloads\PAYROLL SHEET FOR 07-27-2012 PAYROLL.xls
    2012-07-22 11:19 - 2012-07-23 10:37 - 00000568 ____A C:\Windows\System32\LexFiles.usr
    2012-07-19 13:58 - 2012-07-19 13:58 - 00012588 ____A C:\Users\Thomas\Documents\Puff On sales 6-12.xlsx
    2012-07-15 15:05 - 2012-07-15 15:05 - 00012731 ____A C:\Users\Thomas\Documents\Rush Order Form.xlsx
    2012-07-15 13:21 - 2012-07-15 13:21 - 00013003 ____A C:\Users\Thomas\Documents\production Form for Baker.xlsx
    2012-07-10 15:40 - 2012-07-10 15:40 - 00013682 ____A C:\Users\Thomas\Windows Xp Mode.vmc.vpcbackup
    2012-07-10 13:53 - 2012-07-10 16:52 - 00014801 ____A C:\Users\Thomas\Documents\Food Cost for Puff.xlsx

    ============ 3 Months Modified Files ========================

    2012-08-09 17:11 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-09 17:11 - 2009-07-13 20:39 - 00032591 ____A C:\Windows\setupact.log
    2012-08-09 17:08 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-09 16:35 - 2012-08-09 16:35 - 00302592 ____A C:\Users\Thomas\Downloads\mgy59hk3.exe
    2012-08-09 16:04 - 2012-07-29 09:52 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-09 15:04 - 2009-07-13 20:55 - 01663835 ____A C:\Windows\WindowsUpdate.log
    2012-08-09 14:57 - 2010-08-10 10:30 - 00733518 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-09 14:57 - 2009-07-13 20:34 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-09 14:57 - 2009-07-13 20:34 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-09 14:43 - 2012-08-09 14:40 - 07750160 ____A (SurfRight B.V.) C:\Users\Thomas\Downloads\HitmanPro36.exe
    2012-08-09 14:41 - 2012-08-09 14:40 - 04727110 ____A (Swearware) C:\Users\Thomas\Downloads\ComboFix (1).exe
    2012-08-09 14:38 - 2012-08-09 14:37 - 04727110 ____A (Swearware) C:\Users\Thomas\Downloads\ComboFix.exe
    2012-08-09 14:38 - 2012-08-09 14:37 - 00001606 ____A C:\Users\Thomas\Desktop\Rkill.txt
    2012-08-09 14:35 - 2012-08-09 14:35 - 04981254 ____A C:\Users\Thomas\Downloads\unconfirmed 57173.download
    2012-08-09 14:35 - 2012-08-09 14:34 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\iExplore.exe
    2012-08-09 14:34 - 2012-08-09 14:34 - 00001205 ____A C:\Users\Thomas\Downloads\registryfix.reg
    2012-08-09 14:26 - 2012-01-04 14:43 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-09 14:23 - 2012-08-09 14:23 - 00407872 ____A C:\Users\Thomas\Downloads\pkiller.exe
    2012-08-09 14:23 - 2012-08-09 14:21 - 10288512 ____A (Microsoft Corporation) C:\Users\Thomas\Downloads\mseinstall.exe
    2012-08-09 14:17 - 2012-08-09 14:17 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Thomas\Downloads\SpyHunter-Installer.exe
    2012-08-09 13:55 - 2012-08-09 13:55 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill.exe
    2012-08-09 13:53 - 2010-08-10 12:20 - 00034096 ____A C:\Windows\PFRO.log
    2012-08-09 12:40 - 2012-08-09 12:40 - 00057344 ___AH (AhnLab, Inc.) C:\Windows\System32\exe2host.dll
    2012-08-07 16:20 - 2012-08-07 16:20 - 00012657 ____A C:\Users\Thomas\Documents\Ba-Le UH Order.xlsx
    2012-08-07 12:34 - 2012-08-07 12:34 - 00013650 ____A C:\Users\Thomas\Documents\Baker Hours.xlsx
    2012-08-07 10:37 - 2012-08-06 08:42 - 00062464 ____A C:\Users\Thomas\Downloads\PAYROLL SHEET FOR 08-10-12 PAYROLL.xls
    2012-08-06 10:00 - 2010-09-18 12:49 - 00043382 ____A C:\Users\Thomas\Documents\LATOUR HOUR SUMMARY.xlsx
    2012-08-05 11:53 - 2010-10-05 08:33 - 00014752 ____A C:\Users\Thomas\Documents\Do Xang.xlsx
    2012-08-05 11:33 - 2012-02-03 15:16 - 00014326 ____A C:\Users\Thomas\Documents\Sales by Customer Summary.xlsx
    2012-08-04 17:01 - 2012-08-03 17:23 - 00275526 ____A C:\Users\Thomas\Documents\Tri1.xlsx
    2012-08-02 14:06 - 2012-07-29 09:52 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-02 14:06 - 2011-05-30 17:02 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-02 13:16 - 2012-06-29 10:40 - 00015179 ____A C:\Users\Thomas\Documents\Ba-Le Inc Sales Summary 2012.xlsx
    2012-07-29 13:22 - 2012-07-22 12:27 - 00061440 ____A C:\Users\Thomas\Downloads\PAYROLL SHEET FOR 07-27-2012 PAYROLL.xls
    2012-07-27 11:57 - 2012-07-27 10:49 - 00013225 ____A C:\Users\Thomas\Documents\Form for Rodney.xlsx
    2012-07-23 11:15 - 2012-07-23 11:10 - 00060928 ____A C:\Users\Thomas\Downloads\PAYROLL SHEET FOR 07-13-2012 PAYROLL.xls
    2012-07-23 10:37 - 2012-07-22 11:19 - 00000568 ____A C:\Windows\System32\LexFiles.usr
    2012-07-19 13:58 - 2012-07-19 13:58 - 00012588 ____A C:\Users\Thomas\Documents\Puff On sales 6-12.xlsx
    2012-07-15 15:05 - 2012-07-15 15:05 - 00012731 ____A C:\Users\Thomas\Documents\Rush Order Form.xlsx
    2012-07-15 13:21 - 2012-07-15 13:21 - 00013003 ____A C:\Users\Thomas\Documents\production Form for Baker.xlsx
    2012-07-13 18:17 - 2011-04-25 17:02 - 186166408 ____A C:\Users\Thomas\Windows Xp Mode.vsv
    2012-07-13 18:17 - 2010-09-15 13:28 - 00014086 ____A C:\Users\Thomas\Windows Xp Mode.vmc
    2012-07-10 16:52 - 2012-07-10 13:53 - 00014801 ____A C:\Users\Thomas\Documents\Food Cost for Puff.xlsx
    2012-07-10 15:40 - 2012-07-10 15:40 - 00013682 ____A C:\Users\Thomas\Windows Xp Mode.vmc.vpcbackup
    2012-07-09 10:09 - 2012-07-08 11:44 - 00060928 ____A C:\Users\Thomas\Documents\PAYROLL SHEET FOR 07-13-2012 PAYROLL.xls
    2012-07-01 13:50 - 2010-10-04 12:17 - 00012899 ____A C:\Users\Thomas\Documents\Lunch Wagon.xlsx
    2012-06-29 10:26 - 2010-10-29 14:38 - 00013102 ____A C:\Users\Thomas\Documents\Mr Lam Form.xlsx
    2012-06-28 09:48 - 2010-09-27 17:25 - 00013430 ____A C:\Users\Thomas\Documents\Latour Vehicle.xlsx
    2012-06-24 16:09 - 2012-06-24 16:09 - 00024144 ____A C:\Users\Thomas\Documents\daoduckinh.txt
    2012-06-17 13:12 - 2012-06-15 16:13 - 00016577 ____A C:\Users\Thomas\Documents\Inventory 12312011.xlsx
    2012-06-17 12:11 - 2012-06-15 15:19 - 00014762 ____A C:\Users\Thomas\Documents\Accoune Receivable12312011.xlsx
    2012-06-15 15:10 - 2012-06-15 15:10 - 00014049 ____A C:\Users\Thomas\Documents\Accoune payable12312011.xlsx
    2012-06-15 15:00 - 2012-06-15 15:00 - 00013994 ____A C:\Users\Thomas\Documents\Accoune payable12312012.xlsx
    2012-06-11 11:52 - 2012-06-10 15:25 - 00030340 ____A C:\Users\Thomas\Documents\PAYROLL SHEET FOR 06-15-2012 PAYROLL.xlsx
    2012-06-10 12:40 - 2012-06-10 12:40 - 00005632 ____A C:\TransactionList.xls
    2012-06-07 11:50 - 2012-06-07 10:55 - 00015625 ____A C:\Users\Thomas\Documents\Sales At Ba-Le Inc1.xlsx
    2012-06-07 10:54 - 2011-11-04 14:21 - 00014398 ____A C:\Users\Thomas\Documents\Ba-Le Inc Sales Summary.xlsx
    2012-06-05 12:47 - 2012-06-05 12:29 - 00013412 ____A C:\Users\Thomas\Documents\Satnding Order for Market.xlsx
    2012-06-02 17:19 - 2012-06-20 23:32 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 17:12 - 2012-06-20 23:32 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 14:19 - 2012-06-20 23:32 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-20 23:32 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-20 23:32 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-20 23:32 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-20 23:32 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-20 23:32 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-20 23:32 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-05-29 10:21 - 2011-04-14 10:57 - 00001817 ____A C:\Users\Thomas\Desktop\H264Real.lnk
    2012-05-25 09:49 - 2011-03-15 09:31 - 00013141 ____A C:\Users\Thomas\Documents\Lavosh Sheet.xlsx
    2012-05-24 14:13 - 2012-05-24 14:13 - 00019543 ____A C:\Users\Thomas\Documents\Foodland the orther island deliver to C&S.xlsx
    2012-05-14 09:01 - 2012-05-13 11:24 - 00060928 ____A C:\Users\Thomas\Documents\PAYROLL SHEET FOR 05-18-2012 PAYROLL.xls


    ZeroAccess:
    C:\Windows\Installer\{a86c0781-1163-a2ba-458a-60892fb0ddff}
    C:\Windows\Installer\{a86c0781-1163-a2ba-458a-60892fb0ddff}\@
    C:\Windows\Installer\{a86c0781-1163-a2ba-458a-60892fb0ddff}\L
    C:\Windows\Installer\{a86c0781-1163-a2ba-458a-60892fb0ddff}\n
    C:\Windows\Installer\{a86c0781-1163-a2ba-458a-60892fb0ddff}\U

    ZeroAccess:
    C:\Users\Thomas\AppData\Local\{a86c0781-1163-a2ba-458a-60892fb0ddff}
    C:\Users\Thomas\AppData\Local\{a86c0781-1163-a2ba-458a-60892fb0ddff}\@
    C:\Users\Thomas\AppData\Local\{a86c0781-1163-a2ba-458a-60892fb0ddff}\L
    C:\Users\Thomas\AppData\Local\{a86c0781-1163-a2ba-458a-60892fb0ddff}\n
    C:\Users\Thomas\AppData\Local\{a86c0781-1163-a2ba-458a-60892fb0ddff}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 14%
    Total physical RAM: 3036.8 MB
    Available physical RAM: 2584.11 MB
    Total Pagefile: 3035.08 MB
    Available Pagefile: 2587.63 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1956.7 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:139.58 GB) (Free:89.46 GB) NTFS
    7 Drive j: (M-S325) (Removable) (Total:7.45 GB) (Free:6.29 GB) FAT32
    8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    9 Drive y: (RECOVERY) (Fixed) (Total:9.39 GB) (Free:5.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 Online 7648 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 31 KB
    Partition 2 Primary 9 GB 40 MB
    Partition 3 Primary 139 GB 9 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 FAT Partition 39 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 139 GB Healthy

    ==================================================================================

    Partitions of Disk 5:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7647 MB 40 KB

    ==================================================================================

    Disk: 5
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 J M-S325 FAT32 Removable 7647 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-07 02:39

    ======================= End Of Log ==========================

    Search.txt:

    Farbar Recovery Scan Tool Version: 09-08-2012
    Ran by SYSTEM at 2012-08-09 15:16:40
    Running from J:\AV

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2012-08-09 17:08] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===



    Please help! Thank you.
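    The FRST output above carries three indicators that are worth pulling out mechanically when triaging a log like this: the paths listed under a "ZeroAccess:" heading, the entry in the "Bamital & volsnap Check" that FRST did not mark "=> MD5 is legit", and the Search.txt result showing that C:\Windows\System32\services.exe has a different MD5 from the untouched copy in the WinSxS component store. The script below is an added example, not part of this post and not Farbar's code; the embedded log is a constructed excerpt in FRST's layout that reuses the paths and hashes from the posted log.

```python
"""Triage helper for FRST log text.

Added example, not part of the post and not Farbar's code.  It pulls out the
three indicators that the posted FRST.txt and Search.txt show:
  1. paths listed under a "ZeroAccess:" heading,
  2. lines in the "Bamital & volsnap Check" that FRST did not mark
     "=> MD5 is legit" (with the MD5 FRST printed for them), and
  3. files from a "Search:" section whose MD5 differs from the WinSxS
     component-store copy of the same file name.
SAMPLE_LOG is a constructed excerpt in FRST's layout that reuses the paths
and hashes from the posted log.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
========================= Bamital & volsnap Check ============

C:\\Windows\\explorer.exe => MD5 is legit
C:\\Windows\\System32\\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is legit

ZeroAccess:
C:\\Windows\\Installer\\{a86c0781-1163-a2ba-458a-60892fb0ddff}
C:\\Windows\\Installer\\{a86c0781-1163-a2ba-458a-60892fb0ddff}\\@
C:\\Windows\\Installer\\{a86c0781-1163-a2ba-458a-60892fb0ddff}\\U

================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\\Windows\\System32\\services.exe
[2009-07-13 15:11] - [2012-08-09 17:08] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")
PATH_RE = re.compile(r"^[A-Za-z]:\\")           # a line that is just a file path
WINSXS_RE = re.compile(r"\\winsxs\\", re.IGNORECASE)


@dataclass
class Findings:
    zeroaccess_paths: list = field(default_factory=list)
    bad_hashes: dict = field(default_factory=dict)         # path -> MD5 FRST printed (or None)
    search_mismatches: dict = field(default_factory=dict)  # path -> (its MD5, WinSxS MD5)


def compare_with_winsxs(pairs):
    """Group (path, md5) pairs by file name; any copy outside WinSxS whose hash
    differs from the WinSxS copy of that name is reported as a mismatch."""
    by_name = {}
    for path, md5 in pairs:
        by_name.setdefault(path.rsplit("\\", 1)[-1].lower(), []).append((path, md5))
    mismatches = {}
    for entries in by_name.values():
        reference = [md5 for p, md5 in entries if WINSXS_RE.search(p)]
        if not reference:
            continue            # no component-store copy to compare against
        for path, md5 in entries:
            if not WINSXS_RE.search(path) and md5 not in reference:
                mismatches[path] = (md5, reference[0])
    return mismatches


def parse_frst(text):
    findings = Findings()
    section = None
    pending_path = None         # Search section: path line waiting for its metadata line
    search_pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if section == "zeroaccess":    # a blank line closes a ZeroAccess block
                section = None
            continue
        if line == "ZeroAccess:":
            section = "zeroaccess"
        elif "Bamital & volsnap Check" in line:
            section = "bamital"
        elif line.startswith("=") and "Search:" in line:
            section = "search"
        elif line.startswith("="):         # any other banner ends the current section
            section = None
        elif section == "zeroaccess":
            findings.zeroaccess_paths.append(line)
        elif section == "bamital" and not line.endswith("=> MD5 is legit"):
            m = MD5_RE.search(line)
            path = (line[:m.start()] if m else line).strip()
            findings.bad_hashes[path] = m.group(0).upper() if m else None
        elif section == "search":
            if PATH_RE.match(line):
                pending_path = line
            elif pending_path:
                m = MD5_RE.search(line)
                if m:
                    search_pairs.append((pending_path, m.group(0).upper()))
                    pending_path = None
    findings.search_mismatches = compare_with_winsxs(search_pairs)
    return findings


if __name__ == "__main__":
    f = parse_frst(SAMPLE_LOG)
    for p in f.zeroaccess_paths:
        print("ZeroAccess marker:", p)
    for p, h in f.bad_hashes.items():
        print("system file FRST would not vouch for:", p, h)
    for p, (h, ref) in f.search_mismatches.items():
        print("differs from WinSxS copy:", p, h, "!=", ref)
```

    The WinSxS copy is only a useful reference when it is the same version as the one that should be installed, which is why the usual repair is to copy it back over the System32 file rather than the other way round; on a live system, an Authenticode signature check of the System32 binary is the stronger test, since an MD5 lookup only tells you the file is not one the tool already knows.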
  2. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Attached Files:

  3. Tim T

    Tim T Newcomer, in training Topic Starter

    Thank you for helping me.

    Here is the fixlog:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-08-2012
    Ran by SYSTEM at 2012-08-09 16:33:15 Run:1
    Running from J:\AV

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\Installer\{a86c0781-1163-a2ba-458a-60892fb0ddff} moved successfully.
    C:\Users\Thomas\AppData\Local\{a86c0781-1163-a2ba-458a-60892fb0ddff} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====


    Here is the log.txt from combofix:

    ComboFix 12-08-09.01 - Thomas 08/09/2012 16:39:04.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3037.2117 [GMT -10:00]
    Running from: I:\av\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    c:\windows\system32\engine32.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-10 to 2012-08-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-10 00:25 . 2012-08-10 02:45  56200  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{95B9AC1B-55AE-4664-A0F3-25B7908BBC47}\offreg.dll
    2012-08-09 23:17 . 2012-07-16 12:41  6891424  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{95B9AC1B-55AE-4664-A0F3-25B7908BBC47}\mpengine.dll
    2012-08-09 23:15 . 2012-08-09 23:15  --------  d-----w-  C:\FRST
    2012-08-09 22:59 . 2012-02-10 00:17  713784  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB21308C-D89D-4F18-8C64-1CBDD54EA529}\gapaengine.dll
    2012-08-09 22:26 . 2012-08-09 22:26  --------  d-----w-  c:\program files\Microsoft Security Client
    2012-08-09 22:00 . 2012-08-09 22:00  --------  d-----w-  c:\users\Thomas\AppData\Roaming\Malwarebytes
    2012-08-09 22:00 . 2012-08-09 22:00  --------  d-----w-  c:\programdata\Malwarebytes
    2012-08-09 22:00 . 2010-12-21 04:09  38224  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
    2012-08-09 22:00 . 2012-08-09 22:00  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-08-09 22:00 . 2010-12-21 04:08  20952  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-08-09 20:43 . 2012-08-09 20:43  --------  d-sh--w-  c:\windows\system32\%APPDATA%
    2012-08-09 20:41 . 2012-08-09 20:43  --------  d-----w-  c:\programdata\036DFF85031355ACEEDADB1C4F147CE7
    2012-08-09 20:40 . 2012-08-09 20:40  57344  ---ha-w-  c:\windows\system32\exe2host.dll
    2012-07-29 18:38 . 2012-07-29 18:38  --------  d-----w-  c:\users\Thomas\AppData\Local\Macromedia
    2012-07-29 17:52 . 2012-08-02 22:06  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-02 22:06 . 2011-05-31 01:02  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-03 01:19 . 2012-06-21 07:32  171904  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-06-03 01:12 . 2012-06-21 07:32  33792  ----a-w-  c:\windows\system32\wuapp.exe
    2012-06-02 22:19 . 2012-06-21 07:32  53784  ----a-w-  c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 07:32  45080  ----a-w-  c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 07:32  35864  ----a-w-  c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 07:32  577048  ----a-w-  c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 07:32  1933848  ----a-w-  c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 07:32  2422272  ----a-w-  c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 07:32  88576  ----a-w-  c:\windows\system32\wudriver.dll
    2012-05-30 07:17 . 2012-05-30 07:17  163048  ----a-w-  c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
    2012-07-20 01:02 . 2011-04-22 16:26  136672  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-19 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    RealTime Communications.lnk - c:\rt3\RTComm.exe [2010-9-17 1515520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x]
    S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]
    S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-10 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-29 22:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/a/ba-le.com/...&bsv=1eic6yu9oa4y3&ltmpl=default&ltmplcache=2
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\tlki5w77.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-09 16:52:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-10 02:52
    .
    Pre-Run: 96,767,713,280 bytes free
    Post-Run: 96,475,025,408 bytes free
    .
    - - End Of File - - 6C7072569EB394AA200B820D4B94CC84


    It had told me that my real-time protection was running even though it was turned off. Should I uninstall, restart and try again?
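Editor's note, added example (not part of the thread, and not code from ComboFix, Farbar or any of the tools named here): the log posted above contains a few entries that a practitioner would want to pull out mechanically rather than eyeball, namely the UAC policy values (EnableLUA=0 turns UAC off entirely, ConsentPromptBehaviorAdmin=0 lets administrators elevate with no prompt), the Security Center overrides (AntiVirusOverride/FirewallOverride=1 suppress the "no antivirus/firewall" warnings), a hidden+system directory literally named %APPDATA% under system32, a hidden DLL created in the same minute, and a 32-hex-character folder under ProgramData. The script below parses lines in ComboFix's layout and flags those patterns. The sample lines are constructed copies in the same shape as the log; the rules are my own heuristics for what to review, not a verdict on which malware family (if any) is present.

```python
"""Triage a ComboFix log for UAC/Security Center tampering and odd system32 entries.

Added example for the thread above; heuristics and sample data are the editor's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "review"
    subject: str    # file path or registry value name
    reason: str


# Constructed sample in ComboFix's layout, shaped like the posted log (not the full log).
SAMPLE_LOG = r"""
2012-08-09 20:43 . 2012-08-09 20:43 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-09 20:41 . 2012-08-09 20:43 -------- d-----w- c:\programdata\036DFF85031355ACEEDADB1C4F147CE7
2012-08-09 20:40 . 2012-08-09 20:40 57344 ---ha-w- c:\windows\system32\exe2host.dll
2012-07-29 17:52 . 2012-08-02 22:06 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# "created . modified size attrs path"; attrs is an 8-char flag string such as d-sh--w-
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. '
    r'(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+'
    r'(?P<size>\S+)\s+(?P<attrs>[d-][\w-]{7})\s+(?P<path>.+?)\s*$'
)
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# Accepts both ComboFix value styles: "Name"= 0 (0x0) and "Name"=dword:00000001
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9A-Fa-f]{8})|(?P<dec>\d+))')

UAC_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\system'
SC_KEY = r'hkey_local_machine\software\microsoft\security center'
SYSTEM32 = 'c:\\windows\\system32\\'
HEX32_DIR = re.compile(r'\\programdata\\[0-9a-f]{32}$', re.I)


def parse_combofix(text):
    """Return (file entries, {registry key: {value name: int}}) from ComboFix-style lines."""
    files, registry, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key').lower()
            registry.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            val = int(m.group('hex'), 16) if m.group('hex') else int(m.group('dec'))
            registry[key][m.group('name')] = val
    return files, registry


def triage(text):
    """Apply the review heuristics and return a list of Finding objects."""
    files, registry = parse_combofix(text)
    out = []
    uac = registry.get(UAC_KEY, {})
    if uac.get('EnableLUA') == 0:
        out.append(Finding('high', 'EnableLUA', 'UAC disabled: admin processes run fully elevated'))
    if uac.get('ConsentPromptBehaviorAdmin') == 0:
        out.append(Finding('high', 'ConsentPromptBehaviorAdmin', 'administrators elevate without any prompt'))
    if uac.get('PromptOnSecureDesktop') == 0:
        out.append(Finding('review', 'PromptOnSecureDesktop', 'elevation prompts not isolated on the secure desktop'))
    sc = registry.get(SC_KEY, {})
    for name in ('AntiVirusOverride', 'FirewallOverride'):
        if sc.get(name) == 1:
            out.append(Finding('high', name, 'Security Center warning for this component is suppressed'))
    for f in files:
        path, attrs = f['path'], f['attrs']
        in_sys32 = path.lower().startswith(SYSTEM32)
        if in_sys32 and '%' in path:
            out.append(Finding('high', path, 'literal, unexpanded %VAR% name under system32'))
        elif in_sys32 and ('h' in attrs or 's' in attrs):
            out.append(Finding('review', path, f'hidden/system attributes ({attrs}) in system32, created {f["created"]}'))
        if 'd' in attrs and HEX32_DIR.search(path):
            out.append(Finding('review', path, '32-hex-character folder directly under ProgramData'))
    return out


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(f'[{finding.severity:6}] {finding.subject}: {finding.reason}')
```

Run it against a saved ComboFix.txt by passing the file's contents to triage(); the Windows Update and Flash entries in the posted log produce nothing, while the five registry values and the three odd file-system entries are each reported once.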
  4. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    You're fine.

    Please always follow all of my instructions.
    Move Combofix file to your desktop.

    ================================

    Combofix log looks good :)

    Any current issues?

    ==================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  5. Tim T

    Tim T Newcomer, in training Topic Starter

    Sorry about that, I had to download it from a different computer and I missed the move to desktop step.

    None of the previous symptoms are present. Running the MWB now, will run OTL once it is done. (http://www.itxassociates.com/OT-Tools/OTL.exe link seems to be broken)

    Have to leave work now, but I will post the logs tomorrow when I get back. Thank you SO MUCH for your assistance and guidance, I sent you a tip over PayPal. I really appreciate what you do to help people.
  6. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    No problem :)
  7. Broni

    Broni Malware Annihilator Posts: 45,317   +243

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.