Need help removing sirefef.y

By michielkromhout
Sep 26, 2012
Topic Status:
Not open for further replies.
  1. It seems like this sirefef.y virus is on my PC. It reboots after 1 minute when I run MSEssentials.
    Below is the output from the FRST64.EXE program.
    Hope someone can help...

    grtz,
    Michiel

    FRST.TXT
    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-09-2012
    Ran by SYSTEM at 26-09-2012 15:49:50
    Running from F:\
    Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-06] (IDT, Inc.)
    HKLM\...\Run: [IntelPROSet] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PROSet/Wireless [1934608 2010-12-23] (Intel(R) Corporation)
    HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
    HKLM\...\Run: [DFEPApplication] c:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [7077272 2011-08-24] (Dell Inc.)
    HKLM\...\Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [257392 2011-05-27] (Wave Systems Corp.)
    HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-10-07] (Logitech, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
    HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-09-26] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
    HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [112408 2011-08-08] (Intel Corporation)
    HKLM-x32\...\Run: [DT DEL] C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -DEL [121648 2011-10-13] (Portrait Displays, Inc.)
    HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [462993 2010-03-12] (Creative Technology Ltd)
    HKLM-x32\...\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2010-10-01] (CyberLink Corp.)
    HKLM-x32\...\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-09-17] (CyberLink Corp.)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
    HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Sitecom Control Center] C:\Program Files (x86)\Sitecom\MFP Server Control Center\Control Center.exe -mini [3342336 2011-10-06] ()
    HKU\admin\...\Run: [Google Update] "C:\Users\admin\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-19] (Google Inc.)
    HKU\admin\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17355912 2012-05-02] (Skype Technologies S.A.)
    HKU\admin\...\Run: [Facebook Update] "C:\Users\admin\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-09-25] (Facebook Inc.)
    HKU\admin\...\Run: [Spotify Web Helper] "C:\Users\admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1193176 2012-09-26] ()
    Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
    Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
    Lsa: [Authentication Packages] msv1_0 wvauth
    Startup: C:\Users\admin\Start Menu\Programs\Startup\Facebook Messenger.lnk
    ShortcutTarget: Facebook Messenger.lnk -> (No File)
    Startup: C:\Users\admin\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
    ShortcutTarget: Logitech . Product Registration.lnk -> C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe (Leader Technologies/Logitech)
    Startup: C:\Users\admin\Start Menu\Programs\Startup\Smart Settings.lnk
    ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Smart Settings.lnk
    ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Smart Settings.lnk
    ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)

    ==================== Services (Whitelisted) ===================

    2 DFEPService; "C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe" [2279320 2011-08-24] (Dell Inc.)
    2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-10-13] (Portrait Displays, Inc.)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    2 O2SDIOAssist; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
    2 tcsd_win32.exe; "C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1633280 2011-02-17] ()
    2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1600000 2011-07-01] (Wave Systems Corp.)
    2 ZcfgSvc7; C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe [992256 2010-12-23] (Intel(R) Corporation)
    3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

    ==================== Drivers (Whitelisted) =====================

    3 cpudrv64; \??\C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [17864 2011-06-02] ()
    3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
    3 HBtnKey; C:\Windows\System32\Drivers\HBtnKey.sys [20424 2011-07-19] (Dell Inc.)
    3 KUSBusByTCP; C:\Windows\SysWow64\Drivers\KUSBusByTCP.sys [170080 2011-10-26] (Windows (R) Codename Longhorn DDK provider)
    3 KUSBusByTCPMasterBus; C:\Windows\SysWow64\Drivers\KUSBusByTCPMasterBus.sys [100448 2011-10-28] (Windows (R) Codename Longhorn DDK provider)
    2 NPF; C:\Windows\System32\Drivers\NPF.sys [35344 2010-06-25] (CACE Technologies, Inc.)

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-09-26 15:49 - 2012-09-26 15:49 - 00000000 ____D C:\FRST
    2012-09-26 05:37 - 2012-09-26 05:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AA15DE1443876695
    2012-09-26 05:37 - 2012-09-26 05:37 - 00266915 ____A C:\Users\admin\Downloads\Unconfirmed 888677.crdownload
    2012-09-26 05:37 - 2012-09-26 05:37 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ppjwhvto.sys
    2012-09-26 05:36 - 2012-09-26 05:37 - 01455249 ____A (Farbar) C:\Users\admin\Downloads\FRST64.exe
    2012-09-26 05:33 - 2012-09-26 05:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05CD13EE43C6BD65
    2012-09-26 05:30 - 2012-09-26 05:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0BAE55063F8D5FC7
    2012-09-26 05:27 - 2012-09-26 05:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A9EA5D120560EF04
    2012-09-26 05:23 - 2012-09-26 05:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.77017AB7498BD2D5
    2012-09-26 05:19 - 2012-09-26 05:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.696443B502715698
    2012-09-26 05:15 - 2012-09-26 05:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0581E252715DA58F
    2012-09-26 05:12 - 2012-09-26 05:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.44D1D2A0878006BE
    2012-09-26 05:09 - 2012-09-26 05:10 - 00488675 ____A C:\Users\admin\Downloads\Unconfirmed 655930.crdownload
    2012-09-26 05:08 - 2012-09-26 05:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.61120392ED8835E0
    2012-09-26 05:05 - 2012-09-26 05:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.51AC7D335105785F
    2012-09-26 05:01 - 2012-09-26 05:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3BFE009ECD62FA70
    2012-09-26 04:56 - 2012-09-26 04:56 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-09-26 04:56 - 2012-09-26 04:56 - 00000000 ____D C:\Windows\System32\appmgmt
    2012-09-26 04:56 - 2012-09-26 04:56 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-09-26 04:56 - 2012-09-26 04:56 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-09-26 04:53 - 2012-09-26 04:53 - 00000000 ____D C:\Program Files (x86)\SystemRequirementsLab
    2012-09-26 04:47 - 2012-09-26 05:04 - 00000000 ____D C:\Users\admin\AppData\Roaming\Spotify
    2012-09-26 04:47 - 2012-09-26 05:04 - 00000000 ____D C:\Users\admin\AppData\Local\Spotify
    2012-09-26 04:47 - 2012-09-26 04:47 - 00001808 ____A C:\Users\admin\Desktop\Spotify.lnk
    2012-09-26 04:38 - 2012-09-26 04:38 - 15646104 ____A (Foxit Corporation ) C:\Users\admin\Downloads\FoxitReader542.0901_enu_Setup.exe
    2012-09-26 04:38 - 2012-09-26 04:38 - 00001153 ____A C:\Users\Public\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
    2012-09-26 04:38 - 2012-09-26 04:38 - 00000000 ____D C:\Users\admin\AppData\Roaming\PrimoPDF
    2012-09-26 04:38 - 2012-09-26 04:38 - 00000000 ____D C:\Program Files (x86)\Nitro PDF
    2012-09-26 04:38 - 2011-02-28 14:37 - 00095008 ____A C:\Windows\System32\Primomonnt.dll
    2012-09-26 04:37 - 2012-09-26 04:37 - 07549704 ____A C:\Users\admin\Downloads\InternationalPrimoPDF.exe
    2012-09-26 04:27 - 2012-09-26 04:27 - 00001138 ____A C:\Users\Public\Desktop\Paint.NET.lnk
    2012-09-26 04:27 - 2012-09-26 04:27 - 00000000 ____D C:\Users\admin\AppData\Local\Paint.NET
    2012-09-26 04:27 - 2012-09-26 04:27 - 00000000 ____D C:\Program Files\Paint.NET
    2012-09-26 04:25 - 2012-09-26 04:25 - 03730109 ____A C:\Users\admin\Downloads\Paint.NET.3.5.10.Install.zip
    2012-09-26 04:24 - 2012-09-26 04:24 - 00162120 ____A () C:\Users\admin\Downloads\7ZipSetup.exe
    2012-09-25 11:43 - 2012-09-26 05:36 - 00004926 ____A C:\Windows\SysWOW64\debug.log
    2012-09-25 11:43 - 2012-09-26 04:17 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3859089683-2020833615-443191747-1000UA.job
    2012-09-25 11:43 - 2012-09-25 11:48 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3859089683-2020833615-443191747-1000Core.job
    2012-09-25 11:43 - 2012-09-25 11:43 - 00501240 ____A (Facebook Inc.) C:\Users\admin\Downloads\FacebookMessengerSetup_v1.2.205.0.exe
    2012-09-25 11:43 - 2012-09-25 11:43 - 00000000 ____D C:\Users\admin\AppData\Local\Facebook
    2012-09-23 07:23 - 2010-11-23 20:08 - 00142752 ____A C:\Users\admin\Downloads\CSchoolGirlsIntl.tt
    2012-09-23 07:17 - 2012-09-23 07:17 - 00001094 ____A C:\Users\Public\Desktop\Sitecom Control Center.lnk
    2012-09-23 07:17 - 2012-09-23 07:17 - 00000000 ____D C:\Program Files (x86)\Sitecom
    2012-09-23 06:33 - 2012-09-23 06:33 - 00094934 ____A C:\Users\admin\Documents\katja-diploma.xps
    2012-09-05 02:32 - 2012-09-05 02:33 - 00000000 ____D C:\Program Files\Logitech
    2012-09-05 02:31 - 2012-09-05 02:31 - 00000000 ____D C:\Users\admin\AppData\Roaming\Leadertech
    2012-09-05 02:30 - 2012-09-05 02:33 - 00016893 ____A C:\Windows\LDPINST.LOG
    2012-09-05 02:30 - 2012-09-05 02:33 - 00000000 ____D C:\Users\All Users\Logishrd
    2012-09-05 02:30 - 2012-09-05 02:33 - 00000000 ____D C:\Program Files\Common Files\LogiShrd
    2012-09-05 02:30 - 2012-09-05 02:31 - 00000000 ____D C:\Users\Public\Documents\LogiShrd
    2012-09-05 02:29 - 2012-09-05 02:31 - 00000000 ____D C:\Users\admin\AppData\Roaming\Logitech
    2012-09-05 02:29 - 2012-09-05 02:29 - 27941800 ____A (Logitech Inc.) C:\Users\admin\Downloads\setpoint632_x64.exe
    2012-09-05 02:29 - 2012-09-05 02:29 - 02414672 ____A (Logitech Inc.) C:\Users\admin\Downloads\setpoint632_smart.exe
    2012-09-05 02:29 - 2012-09-05 02:29 - 00000000 ____D C:\Users\admin\AppData\Roaming\Logishrd
    2012-08-30 16:04 - 2012-09-26 05:18 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-30 16:04 - 2012-08-30 16:04 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-30 12:03 - 2012-08-30 12:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 12:03 - 2012-08-30 12:03 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys

    ==================== 3 Months Modified Files ==================

    2012-09-26 05:37 - 2012-09-26 05:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AA15DE1443876695
    2012-09-26 05:37 - 2012-09-26 05:37 - 00266915 ____A C:\Users\admin\Downloads\Unconfirmed 888677.crdownload
    2012-09-26 05:37 - 2012-09-26 05:37 - 00049872 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ppjwhvto.sys
    2012-09-26 05:37 - 2012-09-26 05:36 - 01455249 ____A (Farbar) C:\Users\admin\Downloads\FRST64.exe
    2012-09-26 05:36 - 2012-09-25 11:43 - 00004926 ____A C:\Windows\SysWOW64\debug.log
    2012-09-26 05:35 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-26 05:35 - 2009-07-13 20:51 - 00044156 ____A C:\Windows\setupact.log
    2012-09-26 05:34 - 2009-07-13 21:13 - 00778660 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-09-26 05:33 - 2012-09-26 05:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05CD13EE43C6BD65
    2012-09-26 05:30 - 2012-09-26 05:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0BAE55063F8D5FC7
    2012-09-26 05:27 - 2012-09-26 05:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A9EA5D120560EF04
    2012-09-26 05:23 - 2012-09-26 05:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.77017AB7498BD2D5
    2012-09-26 05:19 - 2012-09-26 05:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.696443B502715698
    2012-09-26 05:18 - 2012-08-30 16:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-09-26 05:15 - 2012-09-26 05:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0581E252715DA58F
    2012-09-26 05:12 - 2012-09-26 05:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.44D1D2A0878006BE
    2012-09-26 05:10 - 2012-09-26 05:09 - 00488675 ____A C:\Users\admin\Downloads\Unconfirmed 655930.crdownload
    2012-09-26 05:08 - 2012-09-26 05:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.61120392ED8835E0
    2012-09-26 05:08 - 2012-01-19 01:22 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3859089683-2020833615-443191747-1000UA.job
    2012-09-26 05:05 - 2012-09-26 05:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.51AC7D335105785F
    2012-09-26 05:05 - 2011-12-28 13:51 - 01256108 ____A C:\Windows\WindowsUpdate.log
    2012-09-26 05:01 - 2012-09-26 05:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3BFE009ECD62FA70
    2012-09-26 04:56 - 2012-09-26 04:56 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-09-26 04:53 - 2009-07-13 20:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-26 04:53 - 2009-07-13 20:45 - 00021312 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-26 04:47 - 2012-09-26 04:47 - 00001808 ____A C:\Users\admin\Desktop\Spotify.lnk
    2012-09-26 04:38 - 2012-09-26 04:38 - 15646104 ____A (Foxit Corporation ) C:\Users\admin\Downloads\FoxitReader542.0901_enu_Setup.exe
    2012-09-26 04:38 - 2012-09-26 04:38 - 00001153 ____A C:\Users\Public\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
    2012-09-26 04:38 - 2011-02-09 20:03 - 00000326 ____A C:\Windows\primopdf.ini
    2012-09-26 04:37 - 2012-09-26 04:37 - 07549704 ____A C:\Users\admin\Downloads\InternationalPrimoPDF.exe
    2012-09-26 04:27 - 2012-09-26 04:27 - 00001138 ____A C:\Users\Public\Desktop\Paint.NET.lnk
    2012-09-26 04:25 - 2012-09-26 04:25 - 03730109 ____A C:\Users\admin\Downloads\Paint.NET.3.5.10.Install.zip
    2012-09-26 04:24 - 2012-09-26 04:24 - 00162120 ____A () C:\Users\admin\Downloads\7ZipSetup.exe
    2012-09-26 04:17 - 2012-09-25 11:43 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3859089683-2020833615-443191747-1000UA.job
    2012-09-25 11:48 - 2012-09-25 11:43 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3859089683-2020833615-443191747-1000Core.job
    2012-09-25 11:44 - 2012-01-19 01:22 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3859089683-2020833615-443191747-1000Core.job
    2012-09-25 11:43 - 2012-09-25 11:43 - 00501240 ____A (Facebook Inc.) C:\Users\admin\Downloads\FacebookMessengerSetup_v1.2.205.0.exe
    2012-09-23 07:17 - 2012-09-23 07:17 - 00001094 ____A C:\Users\Public\Desktop\Sitecom Control Center.lnk
    2012-09-23 06:33 - 2012-09-23 06:33 - 00094934 ____A C:\Users\admin\Documents\katja-diploma.xps
    2012-09-05 02:33 - 2012-09-05 02:30 - 00016893 ____A C:\Windows\LDPINST.LOG
    2012-09-05 02:29 - 2012-09-05 02:29 - 27941800 ____A (Logitech Inc.) C:\Users\admin\Downloads\setpoint632_x64.exe
    2012-09-05 02:29 - 2012-09-05 02:29 - 02414672 ____A (Logitech Inc.) C:\Users\admin\Downloads\setpoint632_smart.exe
    2012-09-05 01:34 - 2010-11-20 19:47 - 00014342 ____A C:\Windows\PFRO.log
    2012-09-01 09:34 - 2012-01-19 01:23 - 00002413 ____A C:\Users\admin\Desktop\Google Chrome.lnk
    2012-08-30 16:04 - 2012-08-30 16:04 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-30 16:04 - 2011-12-28 13:52 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-30 12:03 - 2012-08-30 12:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 12:03 - 2012-08-30 12:03 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2012-08-07 06:18 - 2010-11-20 19:27 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-07-31 13:37 - 2012-07-31 13:37 - 00001108 ____A C:\Users\Public\Desktop\Picasa 3.lnk
    2012-07-29 11:31 - 2012-07-29 11:30 - 15267728 ____A (Google Inc.) C:\Users\admin\Downloads\picasa39-setup.exe
    2012-07-29 11:30 - 2012-07-29 11:30 - 01086488 ____A (TGRMN Software ) C:\Users\admin\Downloads\BRU_Setup_WinNTx64.exe
    2012-07-28 14:26 - 2012-07-26 14:30 - 02179784 ____A C:\Users\admin\Documents\eros.txt
    2012-07-27 13:28 - 2012-07-27 13:28 - 05834660 ____A C:\Users\admin\Downloads\tinnitus (1).zip
    2012-07-27 13:28 - 2012-07-27 13:28 - 00000000 ____A C:\Users\admin\Downloads\tinnitus.zip.crdownload
    2012-07-27 13:23 - 2012-07-27 13:23 - 00000962 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk
    2012-07-27 13:22 - 2012-07-27 13:20 - 48359936 ____A C:\Users\admin\Downloads\calibre-0.8.62.msi
    2012-07-18 13:37 - 2012-07-18 13:37 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

    ZeroAccess:
    C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}
    C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}\L
    C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}\n
    C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}\U
    C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}\U\00000001.@

    ZeroAccess:
    C:\Users\admin\AppData\Local\{c7463296-c8b6-f7ce-c4de-937a289525f4}
    C:\Users\admin\AppData\Local\{c7463296-c8b6-f7ce-c4de-937a289525f4}\@
    C:\Users\admin\AppData\Local\{c7463296-c8b6-f7ce-c4de-937a289525f4}\L
    C:\Users\admin\AppData\Local\{c7463296-c8b6-f7ce-c4de-937a289525f4}\U

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-07-27 13:22:58
    Restore point made on: 2012-08-11 02:24:59
    Restore point made on: 2012-09-05 03:54:38
    Restore point made on: 2012-09-20 01:54:44
    Restore point made on: 2012-09-23 07:17:12
    Restore point made on: 2012-09-26 04:27:06
    Restore point made on: 2012-09-26 04:52:33

    ==================== Memory info ===========================

    Percentage of memory in use: 15%
    Total physical RAM: 4052.9 MB
    Available physical RAM: 3429.97 MB
    Total Pagefile: 4051.1 MB
    Available Pagefile: 3425.99 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:464.98 GB) (Free:418.45 GB) NTFS
    3 Drive f: () (Removable) (Total:14.95 GB) (Free:11.49 GB) NTFS
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 3072 KB
    Disk 1 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 31 KB
    Partition 2 Primary 752 MB 40 MB
    Partition 3 Primary 464 GB 792 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 FAT Partition 39 MB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y RECOVERY NTFS Partition 752 MB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 464 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F NTFS Removable 14 GB Healthy

    =========================================================

    Last Boot: 2012-09-20 01:47

    ==================== End Of Log =============================


    SEARCH.TXT
    Farbar Recovery Scan Tool (x64) Version: 25-09-2012
    Ran by SYSTEM at 2012-09-26 15:51:33
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======
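Added example, not part of the original post and not code from FRST: a small Python triage script that applies, to sample lines constructed from the FRST.TXT and SEARCH.TXT excerpts above, the reasoning a helper uses when reading them (the System32 copy of services.exe checked against the WinSxS copy by size and MD5, FRST's own ATTENTION verdicts, and the contents of the ZeroAccess {GUID} folders). The names `triage`, `parse_search` and `SAMPLE_LOG` are mine.

```python
"""Triage helper for FRST log excerpts (added example; not part of the original
post and not FRST code). It reproduces, on a constructed sample copied from the
excerpt above, the check a helper does by hand: the in-use System32 copy of
services.exe is compared with the pristine WinSxS copy (same size but a different
MD5 is consistent with in-place patching), FRST's own "<==== ATTENTION" verdicts
are collected, and the {GUID}\\U and \\L folders under a "ZeroAccess:" heading are
summarised."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Detail line under a path in a Search section: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+ (?:\([^)]*\) )?(?P<md5>[0-9A-Fa-f]{32})$")
ATTENTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<md5>[0-9A-Fa-f]{32}) (?P<family>\S+) <==== ATTENTION")
GUID_DIR_RE = re.compile(r"^(?P<base>.*\\\{[0-9a-fA-F-]{36}\})(?:\\(?P<rest>.*))?$")


@dataclass
class Triage:
    flagged_by_frst: list[tuple[str, str, str]] = field(default_factory=list)  # (path, MD5, family)
    patched_in_place: list[tuple[str, str, str]] = field(default_factory=list)  # (path, live MD5, WinSxS MD5)
    zeroaccess_dirs: dict[str, set[str]] = field(default_factory=dict)  # {GUID} dir -> direct children


def parse_search(log: str) -> list[tuple[str, int, str]]:
    """Pair each path line with the detail line that follows it: (path, size, MD5)."""
    lines = [ln.strip() for ln in log.splitlines()]
    found = []
    for prev, cur in zip(lines, lines[1:]):
        m = DETAIL_RE.match(cur)
        if m and PATH_RE.match(prev):
            found.append((prev, int(m["size"]), m["md5"].upper()))
    return found


def triage(log: str) -> Triage:
    result = Triage()
    in_za = False
    for raw in log.splitlines():
        line = raw.strip()
        m = ATTENTION_RE.match(line)
        if m:
            result.flagged_by_frst.append((m["path"], m["md5"].upper(), m["family"]))
        # A "ZeroAccess:" heading opens a block of paths that ends at the next blank line.
        if line == "ZeroAccess:":
            in_za = True
        elif not line:
            in_za = False
        elif in_za and (g := GUID_DIR_RE.match(line)):
            children = result.zeroaccess_dirs.setdefault(g["base"], set())
            if g["rest"]:
                children.add(g["rest"].split("\\")[0])
    # WinSxS may hold several serviced versions of a file; only a same-size copy
    # with a different hash is treated as evidence of in-place patching.
    copies = parse_search(log)
    pristine = [c for c in copies if "\\winsxs\\" in c[0].lower()]
    for path, size, md5 in copies:
        if "\\winsxs\\" in path.lower():
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        for p_path, p_size, p_md5 in pristine:
            if p_path.rsplit("\\", 1)[-1].lower() == name and p_size == size and p_md5 != md5:
                result.patched_in_place.append((path, md5, p_md5))
    return result


# Constructed sample: lines copied from the FRST.TXT / SEARCH.TXT excerpt above.
SAMPLE_LOG = r"""
==================== Bamital & volsnap Check =================

C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

ZeroAccess:
C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}
C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}\L
C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}\U
C:\Windows\Installer\{c7463296-c8b6-f7ce-c4de-937a289525f4}\U\00000001.@

ZeroAccess:
C:\Users\admin\AppData\Local\{c7463296-c8b6-f7ce-c4de-937a289525f4}
C:\Users\admin\AppData\Local\{c7463296-c8b6-f7ce-c4de-937a289525f4}\@

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
"""
```

Running `triage(SAMPLE_LOG)` reports the same three facts the helper reads off the log: FRST's ATTENTION verdict on services.exe, the System32 copy matching the WinSxS copy in size but not in MD5, and two {GUID} folders with the L, U and @ entries.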
  2. Broni

    Broni, Malware Annihilator

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==========================================

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next....

    Restart normally.

    =============================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    =============================

    • Download RogueKiller to the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    ==============================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    Alternate download: http://www.filehippo.com/download_malwarebytes_anti_malware/
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
