TechSpot

[A] Win64/Sirefef.B infected

Inactive
By Vicious_Pucca
Jul 4, 2012
  1. here is logs

    Scan result of Farbar Recovery Scan Tool Version: 04-07-2012
    Ran by SYSTEM at 04-07-2012 03:42:34
    Running from G:\
    Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873256 2011-08-10] (Microsoft Corporation)
    HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12681320 2011-08-26] (Realtek Semiconductor)
    HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-10-17] (Intel Corporation)
    HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKU\Holly\...\Run: [Google Update] "C:\Users\Holly\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-08-31] (Google Inc.)
    HKU\Holly\...\Run: [Steam] "D:\Steam\steam.exe" -silent [x]
    HKU\Holly\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
    HKU\Holly\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
    ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia)
    Startup: C:\Users\Holly\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    Startup: C:\Users\Holly\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) ======

    2 HDHomeRun Service; "C:\Program Files\Silicondust\HDHomeRun\hdhomerun_service.exe" [16384 2012-01-24] (Silicondust USA Inc)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    2 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [994360 2011-10-13] (Secunia)
    2 Secunia Update Agent; "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [399416 2011-10-13] (Secunia)
    3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [306400 2011-08-05] (Microsoft Corporation)
    3 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [8277728 2011-08-05] (Microsoft Corporation)
    3 ZuneWlanCfgSvc; "C:\Program Files\Zune\ZuneWlanCfgSvc.exe" [467680 2011-08-05] (Microsoft Corporation)

    ========================== Drivers (Whitelisted) =============


    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-04 02:36 - 2012-07-04 02:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ED3975562D8694A6
    2012-07-04 02:36 - 2012-07-04 02:36 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\lydjiofb.sys
    2012-07-04 02:31 - 2012-07-04 02:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.89079F05A30903AC
    2012-07-04 02:25 - 2012-07-04 02:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FD2C5DFC06739618
    2012-07-04 02:20 - 2012-07-04 02:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0640F48457E03347
    2012-07-04 02:18 - 2012-07-04 02:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-04 02:18 - 2012-07-04 02:18 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-03 23:17 - 2012-07-03 23:18 - 00000000 ____D C:\Users\Holly\AppData\Local\{DB16CFF1-6124-41C7-A4DF-47D3B1633F81}
    2012-07-03 23:17 - 2012-07-03 23:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{8565E22B-A0B7-4A56-B7A4-BDB167514181}
    2012-07-03 11:17 - 2012-07-03 11:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{F1C61E29-547A-42C5-AB64-4C89FB0A86E6}
    2012-07-03 11:17 - 2012-07-03 11:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{00273D10-5129-4ACD-9700-790328F53E84}
    2012-07-02 22:00 - 2012-07-02 22:00 - 00000000 ____D C:\Users\Holly\AppData\Local\{90256B64-9D80-46BD-BF5E-602BBBE4F536}
    2012-07-02 21:59 - 2012-07-02 22:00 - 00000000 ____D C:\Users\Holly\AppData\Local\{89C1A973-49CE-4713-890C-D5B60B9967F8}
    2012-07-02 00:17 - 2012-07-02 00:18 - 00000000 ____D C:\Users\Holly\AppData\Local\{B1737C4D-C837-4BAD-81B1-597CC4C51F16}
    2012-07-02 00:17 - 2012-07-02 00:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{26B383C3-3503-44C5-9BB7-A9AF2287E138}
    2012-07-01 12:17 - 2012-07-01 12:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{BE4F39AA-1547-409E-A298-AF6FB837CAE1}
    2012-07-01 12:17 - 2012-07-01 12:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{36917960-AEDC-48AC-8F1D-7A81043FD533}
    2012-07-01 11:05 - 2012-07-01 11:05 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-01 00:17 - 2012-07-01 00:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{E63D0DC9-0227-496B-AD6E-089A02CA072B}
    2012-07-01 00:16 - 2012-07-01 00:17 - 00000000 ____D C:\Users\Holly\AppData\Local\{DE4A6E88-5646-41EF-BAAB-A1BF8C3D9A76}
    2012-06-30 12:16 - 2012-06-30 12:16 - 00000000 ____D C:\Users\Holly\AppData\Local\{54227156-1CDC-4C3B-B4EF-E645B8DB3470}
    2012-06-30 12:16 - 2012-06-30 12:16 - 00000000 ____D C:\Users\Holly\AppData\Local\{470E4E7D-25FB-48C2-A003-19A6AC56B86E}
    2012-06-30 00:16 - 2012-06-30 00:16 - 00000000 ____D C:\Users\Holly\AppData\Local\{E353A106-7FBA-4A56-B164-B8C13381EE3B}
    2012-06-30 00:16 - 2012-06-30 00:16 - 00000000 ____D C:\Users\Holly\AppData\Local\{4AF1D9EA-C151-41EA-9DC7-8F7AFAB92276}
    2012-06-29 05:57 - 2012-06-29 05:57 - 00000000 ____D C:\Users\Holly\AppData\Local\{A9646D8E-8B34-4F9D-91A3-FBB0AD8E68EC}
    2012-06-29 05:57 - 2012-06-29 05:57 - 00000000 ____D C:\Users\Holly\AppData\Local\{9D8B4A4E-FCA6-4CDE-AC0C-00B941380123}
    2012-06-28 17:28 - 2012-06-28 17:28 - 00000000 ____D C:\Users\Holly\AppData\Local\{FDF231A8-DF4E-4914-B379-508F8A0606EE}
    2012-06-28 17:28 - 2012-06-28 17:28 - 00000000 ____D C:\Users\Holly\AppData\Local\{4A945B45-63F7-47ED-BAF3-466A4440B5D7}
    2012-06-28 17:28 - 2012-06-28 17:28 - 00000000 ____D C:\Users\Holly\AppData\Local\{29144434-049B-44DA-A8B8-0CFC8B19657E}
    2012-06-28 17:27 - 2012-06-28 17:28 - 00000000 ____D C:\Users\Holly\AppData\Local\{80B34D4C-2211-4531-8C70-BE77E441EB7D}
    2012-06-27 23:10 - 2012-06-27 23:10 - 00000000 ____D C:\Users\Holly\AppData\Local\{F0EDCF65-72C8-40A7-8C84-B1A449A64800}
    2012-06-27 23:10 - 2012-06-27 23:10 - 00000000 ____D C:\Users\Holly\AppData\Local\{18585ED9-5A4C-4159-8A68-5F07285E53E3}
    2012-06-27 04:07 - 2012-06-27 04:07 - 00000000 ____D C:\Users\Holly\AppData\Local\{B8F884E5-F8B7-4116-BCFE-DD835CD497BE}
    2012-06-27 04:07 - 2012-06-27 04:07 - 00000000 ____D C:\Users\Holly\AppData\Local\{51C1AEE1-D4A1-4698-9942-55A190453A15}
    2012-06-26 16:06 - 2012-06-26 16:07 - 00000000 ____D C:\Users\Holly\AppData\Local\{EFCF70CD-C7F1-43C5-8D3D-A0BEED409FE0}
    2012-06-26 16:06 - 2012-06-26 16:06 - 00000000 ____D C:\Users\Holly\AppData\Local\{7BBBD32A-0C67-4BE0-827E-70107E4705D0}
    2012-06-26 03:36 - 2012-06-26 03:36 - 00000000 ____D C:\Users\Holly\AppData\Local\{C3DC4CA4-177D-4282-95BA-1C09749EBB18}
    2012-06-26 03:36 - 2012-06-26 03:36 - 00000000 ____D C:\Users\Holly\AppData\Local\{4791EAFF-0FEA-4CE9-82A0-D593BE790DFB}
    2012-06-25 13:42 - 2012-06-25 13:42 - 00000000 ____D C:\Users\Holly\AppData\Local\{F7DD4135-41F4-4094-9955-1C71D9B006EC}
    2012-06-25 13:42 - 2012-06-25 13:42 - 00000000 ____D C:\Users\Holly\AppData\Local\{E83969BA-DA14-4B51-9815-9B39A274199F}
    2012-06-25 01:42 - 2012-06-25 01:42 - 00000000 ____D C:\Users\Holly\AppData\Local\{FF81E31E-F139-445B-99A1-D2C2090F03ED}
    2012-06-25 01:42 - 2012-06-25 01:42 - 00000000 ____D C:\Users\Holly\AppData\Local\{EAABA5AF-488B-46B6-BACA-60DC1E0994A7}
    2012-06-24 13:41 - 2012-06-24 13:42 - 00000000 ____D C:\Users\Holly\AppData\Local\{3AB25600-7692-4035-84D1-0BDECE421CC8}
    2012-06-24 13:41 - 2012-06-24 13:41 - 00000000 ____D C:\Users\Holly\AppData\Local\{01FC28B3-85A5-4F7E-A03A-7C3F6D794494}
    2012-06-24 01:41 - 2012-06-24 01:41 - 00000000 ____D C:\Users\Holly\AppData\Local\{86004FCA-9213-47D2-8F70-674C0A08CF00}
    2012-06-24 01:41 - 2012-06-24 01:41 - 00000000 ____D C:\Users\Holly\AppData\Local\{2BA1ADF7-0375-42A8-B845-3E0918C07FE9}
    2012-06-23 13:41 - 2012-06-23 13:41 - 00000000 ____D C:\Users\Holly\AppData\Local\{9DDD2F00-84DD-40C4-8992-B68B8D6C1643}
    2012-06-23 13:41 - 2012-06-23 13:41 - 00000000 ____D C:\Users\Holly\AppData\Local\{32351DE6-2221-424C-A87D-A4762C6F7200}
    2012-06-23 13:32 - 2012-06-23 13:32 - 00000000 ____D C:\Windows\en
    2012-06-23 13:31 - 2012-03-08 17:40 - 00048488 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fssfltr.sys
    2012-06-23 13:29 - 2012-06-23 13:29 - 00000000 ____D C:\Users\Holly\AppData\Local\{60A89960-33B5-4CCC-B135-82D196132E67}
    2012-06-23 13:28 - 2012-06-23 13:29 - 00000000 ____D C:\Users\Holly\AppData\Local\{250DCBC1-F832-4CF5-86D8-379B71DD795E}
    2012-06-21 09:54 - 2012-06-21 09:54 - 00000000 ____D C:\Users\Holly\AppData\Local\{8B215CAE-C0FE-48C1-8225-1387B0CE3457}
    2012-06-21 09:53 - 2012-06-21 09:54 - 00000000 ____D C:\Users\Holly\AppData\Local\{1A22C773-D50F-4297-9096-4E9396B2FA05}
    2012-06-13 01:07 - 2012-06-13 01:07 - 00000000 ____D C:\Users\Holly\AppData\Local\Macromedia
    2012-06-13 01:06 - 2012-06-13 01:06 - 00000000 ____D C:\Users\Holly\AppData\Local\{B4FA54DD-FAF8-4951-98CE-90342E1F5896}
    2012-06-13 01:06 - 2012-06-13 01:06 - 00000000 ____D C:\Users\Holly\AppData\Local\{21247DE5-1FE0-4ED6-94BB-33CBB5C45418}
    2012-06-13 00:24 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-13 00:24 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-13 00:24 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-13 00:24 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-13 00:24 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-13 00:24 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-13 00:24 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-13 00:24 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-13 00:24 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-13 00:24 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-13 00:24 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-13 00:24 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-13 00:24 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-13 00:24 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-13 00:24 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-13 00:24 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-13 00:24 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-13 00:24 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-13 00:24 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-13 00:24 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-13 00:24 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-13 00:24 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-13 00:24 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-13 00:24 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-13 00:24 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-13 00:24 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-13 00:24 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-13 00:24 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-12 17:52 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-12 17:52 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-06-12 17:52 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-06-12 17:52 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-06-12 17:52 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-06-12 17:52 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-12 17:52 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-12 17:52 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-12 17:52 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-12 17:52 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-12 17:52 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-12 17:52 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-12 17:52 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-06-12 17:52 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-06-12 17:52 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-06-12 17:52 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-06-12 17:52 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
    2012-06-08 21:18 - 2012-06-08 21:18 - 00000000 ____D C:\Users\Holly\AppData\Local\{8D336FCE-A12C-4367-897F-CA32E8A32C13}
    2012-06-08 21:18 - 2012-06-08 21:18 - 00000000 ____D C:\Users\Holly\AppData\Local\{22DE7116-F949-41B9-A4F9-A3306EB7ED58}
    2012-06-08 15:04 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-08 15:04 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-08 15:04 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-08 15:04 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-08 15:04 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-08 15:04 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-08 15:04 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-08 15:04 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-08 15:04 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-05 13:19 - 2012-06-05 13:19 - 00000000 ____D C:\Users\Holly\AppData\Local\{A8B7F645-45B8-403A-A202-9FB47265EF4C}
    2012-06-05 13:19 - 2012-06-05 13:19 - 00000000 ____D C:\Users\Holly\AppData\Local\{6DBA397B-12E4-4A31-8241-43A73ACF9F9D}


    ============ 3 Months Modified Files ========================

    2012-07-04 02:36 - 2012-07-04 02:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ED3975562D8694A6
    2012-07-04 02:36 - 2012-07-04 02:36 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\lydjiofb.sys
    2012-07-04 02:33 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-04 02:33 - 2009-07-13 20:51 - 00047997 ____A C:\Windows\setupact.log
    2012-07-04 02:31 - 2012-07-04 02:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.89079F05A30903AC
    2012-07-04 02:25 - 2012-07-04 02:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FD2C5DFC06739618
    2012-07-04 02:20 - 2012-07-04 02:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0640F48457E03347
    2012-07-04 02:18 - 2011-11-17 20:43 - 00743364 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-04 02:18 - 2011-11-17 20:43 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-04 02:18 - 2011-11-17 20:00 - 01434718 ____A C:\Windows\WindowsUpdate.log
    2012-07-04 02:00 - 2011-11-17 20:24 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2767502511-4000916676-2294614798-1000UA.job
    2012-07-04 01:27 - 2012-04-11 17:59 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-03 17:58 - 2011-11-17 20:24 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2767502511-4000916676-2294614798-1000Core.job
    2012-07-01 11:02 - 2012-04-11 17:59 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-01 11:02 - 2011-11-17 20:24 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-06-24 10:05 - 2009-07-13 20:45 - 00020704 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-06-24 10:05 - 2009-07-13 20:45 - 00020704 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-06-23 13:31 - 2011-11-24 12:23 - 00059620 ____A C:\Windows\DirectX.log
    2012-06-23 13:27 - 2009-07-13 21:13 - 00729880 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-13 01:05 - 2009-07-13 20:45 - 04905776 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-13 00:28 - 2011-11-17 20:59 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-02 14:19 - 2012-06-08 15:04 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-08 15:04 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-08 15:04 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 14:19 - 2012-06-08 15:04 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-08 15:04 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-08 15:04 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-08 15:04 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-08 15:04 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:15 - 2012-06-08 15:04 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-17 18:47 - 2012-06-13 00:24 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-13 00:24 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-13 00:24 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-13 00:24 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-13 00:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-13 00:24 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-13 00:24 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-13 00:24 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-13 00:24 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-13 00:24 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-13 00:24 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-13 00:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-13 00:24 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-13 00:24 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-13 00:24 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-13 00:24 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-13 00:24 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-13 00:24 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-13 00:24 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-13 00:24 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-13 00:24 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-13 00:24 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-13 00:24 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-13 00:24 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-13 00:24 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-13 00:24 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-13 00:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-13 00:24 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-16 01:45 - 2012-05-16 01:29 - 00000692 ____A C:\Users\Public\Desktop\StarCraft II.lnk
    2012-05-14 17:32 - 2012-06-12 17:52 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-14 09:59 - 2012-05-14 09:52 - 00000788 ____A C:\Users\Public\Desktop\Diablo III.lnk
    2012-05-10 22:10 - 2010-11-20 19:47 - 00030230 ____A C:\Windows\PFRO.log
    2012-05-05 15:01 - 2012-05-05 15:02 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
    2012-05-05 15:01 - 2012-05-05 15:02 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
    2012-05-05 15:01 - 2012-05-05 15:02 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
    2012-05-05 15:01 - 2012-05-05 15:02 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
    2012-05-05 15:01 - 2011-11-17 20:25 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
    2012-05-04 03:06 - 2012-06-12 17:52 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 02:03 - 2012-06-12 17:52 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-12 17:52 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-04-30 21:40 - 2012-06-12 17:52 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:55 - 2012-06-12 17:52 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-25 21:41 - 2012-06-12 17:52 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 21:41 - 2012-06-12 17:52 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 21:34 - 2012-06-12 17:52 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-23 21:37 - 2012-06-12 17:52 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 21:37 - 2012-06-12 17:52 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 21:37 - 2012-06-12 17:52 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-23 20:36 - 2012-06-12 17:52 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
    2012-04-23 20:36 - 2012-06-12 17:52 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-12 17:52 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
    2012-04-07 04:31 - 2012-06-12 17:52 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-04-07 03:26 - 2012-06-12 17:52 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll


    ZeroAccess:
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}\@
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}\L
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}\n
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}\U
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}\U\00000001.@
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}\U\80000000.@
    C:\Windows\Installer\{2d43297e-050d-f8c7-23e8-42615d3471e2}\U\800000cb.@

    ZeroAccess:
    C:\Users\Holly\AppData\Local\{2d43297e-050d-f8c7-23e8-42615d3471e2}
    C:\Users\Holly\AppData\Local\{2d43297e-050d-f8c7-23e8-42615d3471e2}\@
    C:\Users\Holly\AppData\Local\{2d43297e-050d-f8c7-23e8-42615d3471e2}\L
    C:\Users\Holly\AppData\Local\{2d43297e-050d-f8c7-23e8-42615d3471e2}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 11%
    Total physical RAM: 6142.3 MB
    Available physical RAM: 5431.73 MB
    Total Pagefile: 6140.5 MB
    Available Pagefile: 5428.28 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.88 MB

    ======================= Partitions =========================

    2 Drive c: () (Fixed) (Total:111.69 GB) (Free:39.19 GB) NTFS
    3 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (SC2-L100-D1) (CDROM) (Total:6.99 GB) (Free:0 GB) UDF
    5 Drive g: () (Removable) (Total:29.87 GB) (Free:29.87 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: () (Fixed) (Total:297.99 GB) (Free:58.37 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 100 MB
    Disk 1 Online 111 GB 0 B
    Disk 2 Online 29 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 297 GB 101 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y NTFS Partition 297 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 111 GB 101 MB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 1
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C NTFS Partition 111 GB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 29 GB 1024 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT32 Removable 29 GB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-06-28 08:02

    ======================= End Of Log ==========================
     
  2. Vicious_Pucca

    Vicious_Pucca TS Rookie Topic Starter

    Farbar Recovery Scan Tool Version: 04-07-2012
    Ran by SYSTEM at 2012-07-04 03:46:51
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
     
  3. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================================

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next....

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

    Attached Files:

Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.