TechSpot

Sirefef.ah and sirefef.r

By Julius
Aug 3, 2012
  1. Hello,

    So I have caught sirefef.ah and sirefef.r too.. which are quite popular here as I can see.
    First there was Live Security Platinum but probably I have successfully removed it. I reinstalled MSE and I think that only then my computer has started to get restarted after like three minutes because of these sirefef.ah and sirefef.r.. So here are the FRST logs:

    FRST.txt

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 03-08-2012 12:39:20
    Running from F:\
    Windows 7 Ultimate (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252136 2011-05-04] (Sun Microsystems, Inc.)
    HKLM\...\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start [417792 2008-09-26] (Chicony)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Julius\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
    Tcpip\Parameters: [DhcpNameServer] 212.59.1.1 212.59.2.2
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    ShortcutTarget: VPN Client.lnk -> C:\Windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico ()
    Startup: C:\Users\Julius\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)

    ================================ Services (Whitelisted) ==================

    2 ABBYY.Licensing.FineReader.Professional.10.0; "C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe" -service [814344 2010-07-22] (ABBYY)
    2 AcronisOSSReinstallSvc; "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2217416 2007-02-22] ()
    2 astcc; C:\Windows\system32\ASTSRV.EXE [61760 2009-09-14] (Nalpeiron Ltd.)
    2 CVPND; "C:\Program Files\VPN Client\VU VPN Client\cvpnd.exe" [1528616 2010-03-23] (Cisco Systems, Inc.)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 NitroDriverReadSpool; "C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe" [188736 2009-09-14] (Nitro PDF Software)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-06-07] (Skype Technologies)
    2 TemproMonitoringService; "C:\Program Files\Toshiba TEMPRO\TemproSvc.exe" [124368 2010-10-26] (Toshiba Europe GmbH)
    2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [468320 2009-11-05] (TOSHIBA Corporation)
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    2 postgresql-9.1; C:/Program Files/PostgreSQL/9.1/bin/pg_ctl.exe runservice -N "postgresql-9.1" -D "C:/Program Files/PostgreSQL/9.1/data" -w [x]

    ========================== Drivers (Whitelisted) =============

    3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
    3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
    2 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [308859 2010-03-23] (Cisco Systems, Inc.)
    3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
    3 GdmUWm; C:\Windows\System32\DRIVERS\gdmuwm.sys [92160 2009-11-13] (GCT Semiconductor, Inc.)
    0 giveio; C:\Windows\System32\giveio.sys [5248 1996-04-03] ()
    2 iPodDrv; \??\C:\Windows\system32\drivers\iPodDrv.sys [6656 2011-03-09] (Windows (R) Codename Longhorn DDK provider)
    3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [28560 2009-06-17] (Logitech, Inc.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [159776 2009-06-24] (Realtek Semiconductor Corp.)
    3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [17960 2008-07-15] (Chicony Electronics Co., Ltd.)
    3 catchme; \??\C:\Users\Julius\AppData\Local\Temp\catchme.sys [x]
    3 GdmFilt; C:\Windows\System32\DRIVERS\GdmFilt.sys [x]
    2 GdmWmPrt; C:\Windows\System32\DRIVERS\gdmwmprt.sys [x]
    3 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfd.sys [x]
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
    0 vmci; C:\Windows\System32\DRIVERS\vmci.sys [x]
    3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-03 12:39 - 2012-08-03 12:39 - 00000000 ____D C:\FRST
    2012-08-02 12:40 - 2012-08-02 12:40 - 00000000 ___SD C:\32788R22FWJFW
    2012-08-02 12:28 - 2012-08-02 12:29 - 04722680 ____R (Swearware) C:\Users\Julius\Downloads\ComboFix.exe
    2012-08-02 12:23 - 2012-08-02 12:23 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-02 12:20 - 2012-08-02 12:20 - 10288512 ____A (Microsoft Corporation) C:\Users\Julius\Downloads\mseinstall.exe
    2012-08-02 12:16 - 2012-08-02 12:16 - 00105536 ____A C:\Users\Julius\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-02 09:46 - 2012-08-02 09:47 - 00000000 ____D C:\Users\Julius\Downloads\Season 1
    2012-07-30 06:22 - 2012-07-30 06:22 - 04212409 ____A C:\Users\Julius\1.rar
    2012-07-29 03:19 - 2012-07-29 03:31 - 00000000 ____D C:\Users\Julius\Downloads\Season 09
    2012-07-24 09:34 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-24 09:32 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-24 09:32 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-24 09:32 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-24 09:32 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-24 09:32 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-24 09:31 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-24 09:31 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-24 09:31 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-24 09:31 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-24 09:31 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-21 04:44 - 2012-07-22 01:09 - 00000000 ____D C:\Users\Julius\Downloads\A Wednesday 2008 Hindi 720 BDRip x264 E-SuB xRG
    2012-07-17 12:50 - 2012-07-17 12:50 - 00000040 ____A C:\Users\Julius\.RData
    2012-07-17 01:25 - 2012-07-17 01:25 - 00000000 ____D C:\Program Files\Klok2
    2012-07-15 14:42 - 2012-07-15 14:47 - 00000000 ____D C:\Users\Julius\AppData\Roaming\Opera
    2012-07-15 14:42 - 2012-07-15 14:47 - 00000000 ____D C:\Users\Julius\AppData\Local\Opera
    2012-07-15 14:41 - 2012-07-15 14:47 - 00000000 ____D C:\Program Files\Opera
    2012-07-15 01:19 - 2012-07-16 15:20 - 00000098 ___AH C:\Users\Julius\Downloads\f.txt
    2012-07-13 04:15 - 2012-07-13 04:21 - 00000000 ____D C:\Users\Julius\Downloads\Conviction[2010]DvDrip[Eng]-FXG
    2012-07-08 11:51 - 2012-07-08 11:51 - 00000000 ____D C:\Program Files\Valve
    2012-07-05 11:55 - 2012-07-05 11:56 - 01526426 ____A C:\Users\Julius\Downloads\Mastering.Regular.Expressions.3rd.Edition.Aug.2006.chm
    2012-07-05 11:55 - 2012-07-05 11:56 - 00210515 ____A C:\Users\Julius\Downloads\Regular.Expressions.in.10.Minutes.chm
    2012-07-04 08:04 - 2012-07-04 08:05 - 00000000 ____D C:\Program Files\RStudio
    2012-07-04 04:45 - 2012-07-04 04:45 - 00002015 ____A C:\Users\Julius\Downloads\agregbars.rar

    ============ 3 Months Modified Files ========================

    2012-08-03 01:34 - 2012-06-07 22:04 - 00001176 ____A C:\Windows\setupact.log
    2012-08-03 01:34 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-02 13:02 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-02 12:29 - 2012-08-02 12:28 - 04722680 ____R (Swearware) C:\Users\Julius\Downloads\ComboFix.exe
    2012-08-02 12:27 - 2012-04-06 07:04 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-02 12:24 - 2009-08-08 05:59 - 01508923 ____A C:\Windows\WindowsUpdate.log
    2012-08-02 12:23 - 2011-01-26 03:18 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-02 12:23 - 2009-08-08 06:01 - 00787942 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-02 12:23 - 2009-07-13 20:34 - 00021456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-02 12:23 - 2009-07-13 20:34 - 00021456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-02 12:20 - 2012-08-02 12:20 - 10288512 ____A (Microsoft Corporation) C:\Users\Julius\Downloads\mseinstall.exe
    2012-08-02 12:16 - 2012-08-02 12:16 - 00105536 ____A C:\Users\Julius\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-30 06:22 - 2012-07-30 06:22 - 04212409 ____A C:\Users\Julius\1.rar
    2012-07-26 13:16 - 2012-04-06 07:04 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-26 13:16 - 2011-05-18 22:23 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-24 10:02 - 2009-07-13 20:33 - 02328496 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-24 09:34 - 2009-09-09 07:49 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-17 12:50 - 2012-07-17 12:50 - 00000040 ____A C:\Users\Julius\.RData
    2012-07-17 07:31 - 2012-07-17 07:14 - 781728420 ___AH C:\Users\Julius\Downloads\x-art_kitty_after_hours_1080.mov
    2012-07-16 15:20 - 2012-07-15 01:19 - 00000098 ___AH C:\Users\Julius\Downloads\f.txt
    2012-07-15 06:09 - 2009-12-23 08:32 - 00416768 __ASH C:\Users\Julius\Thumbs.db
    2012-07-05 11:56 - 2012-07-05 11:55 - 01526426 ____A C:\Users\Julius\Downloads\Mastering.Regular.Expressions.3rd.Edition.Aug.2006.chm
    2012-07-05 11:56 - 2012-07-05 11:55 - 00210515 ____A C:\Users\Julius\Downloads\Regular.Expressions.in.10.Minutes.chm
    2012-07-04 04:45 - 2012-07-04 04:45 - 00002015 ____A C:\Users\Julius\Downloads\agregbars.rar
    2012-06-24 05:05 - 2009-09-22 03:33 - 00000600 ____A C:\Users\Julius\AppData\Roaming\winscp.rnd
    2012-06-22 12:34 - 2012-06-22 12:29 - 00001525 ____A C:\Users\Julius\Documents\pgadmin.log
    2012-06-11 18:40 - 2012-07-24 09:34 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 20:41 - 2012-07-24 09:31 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-07 22:04 - 2012-06-07 22:04 - 00000000 ____A C:\Windows\setuperr.log
    2012-06-07 05:12 - 2012-06-07 05:12 - 00061950 ____A C:\Windows\cc_20120607_161208.reg
    2012-06-06 02:09 - 2012-06-06 02:09 - 00000961 ____A C:\Users\postgres\Desktop\Texmaker.lnk
    2012-06-06 01:55 - 2012-06-06 01:55 - 00017955 ____A C:\ComboFix.txt
    2012-06-06 01:52 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
    2012-06-05 21:05 - 2012-07-24 09:31 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:05 - 2012-07-24 09:31 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 21:03 - 2012-07-24 09:31 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-02 14:19 - 2012-06-21 00:16 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 00:16 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 00:16 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 00:16 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 00:16 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-21 00:16 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-21 00:16 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 04:19 - 2012-06-21 00:16 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 04:12 - 2012-06-21 00:16 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-01 20:45 - 2012-07-24 09:32 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 20:45 - 2012-07-24 09:32 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 20:40 - 2012-07-24 09:32 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 20:40 - 2012-07-24 09:32 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:39 - 2012-07-24 09:32 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-05-10 23:43 - 2012-05-10 23:41 - 00001582 ____A C:\Windows\VPNInstall.MIF
    2012-05-08 10:54 - 2010-10-03 10:00 - 00000600 ____A C:\Users\Julius\AppData\Local\PUTTY.RND

    ZeroAccess:
    C:\Windows\Installer\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}
    C:\Windows\Installer\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\@
    C:\Windows\Installer\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\L
    C:\Windows\Installer\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\n
    C:\Windows\Installer\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\U
    C:\Windows\Installer\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\U\00000001.@

    ZeroAccess:
    C:\Users\Julius\AppData\Local\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}
    C:\Users\Julius\AppData\Local\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\@
    C:\Users\Julius\AppData\Local\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\L
    C:\Users\Julius\AppData\Local\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\n
    C:\Users\Julius\AppData\Local\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\U
    C:\Users\Julius\AppData\Local\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\U\00000001.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 15%
    Total physical RAM: 3069.99 MB
    Available physical RAM: 2595.81 MB
    Total Pagefile: 3068.27 MB
    Available Pagefile: 2601.5 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1952.7 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:297.99 GB) (Free:143.72 GB) NTFS
    3 Drive f: (KINGSTON) (Removable) (Total:3.6 GB) (Free:3.51 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 3690 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 297 GB 101 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 297 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3689 MB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F KINGSTON FAT32 Removable 3689 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-28 05:25

    ======================= End Of Log ==========================


    and Search.txt

    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-03 12:41:40
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2012-08-02 13:02] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    C:\Windows\ERDNT\cache\services.exe
    [2012-06-06 01:53] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    === End Of Search ===

    Thank you!
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     
  3. Julius

    Julius TS Rookie Topic Starter Posts: 24

    Here is the log:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-03 14:03:34 Run:1
    Running from F:\

    ==============================================

    C:\Windows\Installer\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde} moved successfully.
    C:\Users\Julius\AppData\Local\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    now everything seems to be back to normal, I just can not turn on my Windows Firewall: when pressing "Use recommended settings" I get "Windows Firewall can't change some of your settings. Error code 0x80070424".
     
  4. Julius

    Julius TS Rookie Topic Starter Posts: 24

    I have fixed the Windows Firewall issue. But there still remains another minor one: icons are rearranging back to "basic" positions every time I refresh the desktop, and the size of icons changes back to normal every time I restart the computer too.
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's okay. We'll get that fixed...

    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  6. Julius

    Julius TS Rookie Topic Starter Posts: 24

    Now icons are fine too. Here is the log:

    ComboFix 12-08-04.02 - Julius 2012.08.04 15:32:24.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1257.370.1033.18.3070.1941 [GMT 3:00]
    Running from: c:\users\Julius\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-04 to 2012-08-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-04 12:42 . 2012-08-04 12:42 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-08-04 12:42 . 2012-08-04 12:42 -------- d-----w- c:\users\postgres\AppData\Local\temp
    2012-08-04 12:42 . 2012-08-04 12:42 -------- d-----w- c:\users\HomeGroupUser$\AppData\Local\temp
    2012-08-04 12:42 . 2012-08-04 12:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-08-04 12:42 . 2012-08-04 12:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-04 12:42 . 2012-08-04 12:42 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-08-04 10:24 . 2012-08-04 10:24 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E26DBA8-016B-40C9-819F-1DD02AEDDCDF}\offreg.dll
    2012-08-03 20:39 . 2012-08-03 20:39 -------- d-----w- C:\FRST
    2012-08-02 20:24 . 2012-02-09 11:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9EA6D40F-982B-4EE3-BFCF-A65EE686536F}\gapaengine.dll
    2012-08-02 20:24 . 2012-07-15 23:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E26DBA8-016B-40C9-819F-1DD02AEDDCDF}\mpengine.dll
    2012-08-02 20:23 . 2012-08-02 20:23 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-24 17:34 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-07-24 17:32 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-07-24 17:32 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-07-24 17:32 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll
    2012-07-24 17:32 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-24 17:32 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-24 17:31 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-24 17:31 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll
    2012-07-24 17:31 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll
    2012-07-24 17:31 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
    2012-07-24 17:31 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2012-07-24 17:31 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2012-07-24 17:31 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2012-07-24 17:31 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-24 17:31 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-24 17:31 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
    2012-07-17 09:25 . 2012-07-17 09:25 -------- d-----w- c:\program files\Klok2
    2012-07-15 22:42 . 2012-07-15 22:47 -------- d-----w- c:\users\Julius\AppData\Local\Opera
    2012-07-15 22:41 . 2012-07-15 22:47 -------- d-----w- c:\program files\Opera
    2012-07-08 19:51 . 2012-07-08 19:51 -------- d-----w- c:\program files\Valve
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-03 12:27 . 2012-04-06 15:04 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-03 12:27 . 2011-05-19 06:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-07 13:12 . 2012-06-07 13:12 61950 ----a-w- c:\windows\cc_20120607_161208.reg
    2012-06-02 22:19 . 2012-06-21 08:16 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 08:16 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 08:16 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 08:16 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 08:16 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 08:16 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 08:16 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 12:19 . 2012-06-21 08:16 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 12:12 . 2012-06-21 08:16 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-07-19 18:53 . 2011-03-22 18:27 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Julius\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Julius\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Julius\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Julius\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-09-26 417792]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\Julius\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Julius\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2012-5-11 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer4"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
    backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
    2009-11-10 15:57 738616 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 04:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bonus.SSR.FR10]
    2011-05-21 20:26 941320 ----a-w- c:\program files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDMICtrlMan]
    2009-08-03 12:03 832856 ----a-w- c:\program files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-11-10 00:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    2009-03-15 10:15 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2009-07-28 19:12 7625248 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    2009-08-13 10:31 521528 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-05-04 10:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba TEMPRO]
    2010-10-26 11:59 1050072 ----a-w- c:\program files\Toshiba TEMPRO\TemproTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
    R2 GdmWmPrt;GCT WiMax Protocol Driver;c:\windows\system32\DRIVERS\gdmwmprt.sys [x]
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
    R3 GdmFilt;GCT USB Mass Storage Filter Service;c:\windows\system32\DRIVERS\GdmFilt.sys [x]
    R3 GdmUWm;GCT Mobile WiMAX NIC USB Driver;c:\windows\system32\DRIVERS\gdmuwm.sys [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
    S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [x]
    S2 postgresql-9.1;postgresql-9.1 - PostgreSQL Server 9.1;C:/Program Files/PostgreSQL/9.1/bin/pg_ctl.exe runservice -N postgresql-9.1 -D C:/Program Files/PostgreSQL/9.1/data -w [x]
    S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [x]
    S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [x]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = about:blank
    TCP: DhcpNameServer = 212.59.1.1 212.59.2.2
    FF - ProfilePath - c:\users\Julius\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.bah\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:home
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\postgresql-9.1]
    "ImagePath"="C:/Program Files/PostgreSQL/9.1/bin/pg_ctl.exe runservice -N \"postgresql-9.1\" -D \"C:/Program Files/PostgreSQL/9.1/data\" -w"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\postgresql-9.1]
    "ImagePath"="C:/Program Files/PostgreSQL/9.1/bin/pg_ctl.exe runservice -N \"postgresql-9.1\" -D \"C:/Program Files/PostgreSQL/9.1/data\" -w"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-186274768-1121267110-3789195342-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C6DE502C-0C65-D0CF-947D-975161764ECA}*]
    @Allowed: (Read) (RestrictedCode)
    "iafidjlpiigphgkiom"=hex:6b,61,6a,63,6f,62,65,6c,61,62,66,61,62,69,62,6e,62,6e,
    6c,69,6c,61,00,00
    "halgaeomijegmdgk"=hex:6b,61,6a,63,6f,62,65,6c,61,62,66,61,62,69,62,6e,62,6e,
    6c,69,6c,61,00,00
    "gaejlckhdkbpci"=hex:61,63,65,67,6b,6a,62,65,6d,6d,69,6f,6c,61,65,61,6a,63,6a,
    6a,6a,70,61,70,6c,6d,63,61,64,6d,64,6e,6b,6c,6f,65,61,6e,61,70,61,69,68,6c,\
    .
    [HKEY_USERS\S-1-5-21-186274768-1121267110-3789195342-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D99C112A-E820-280E-ABB4-063D28373B49}*]
    @Allowed: (Read) (RestrictedCode)
    "iafakbojmcgcckknjd"=hex:6b,61,6a,6f,70,69,61,6b,63,6c,6f,70,70,67,6f,63,6e,65,
    65,70,6a,6a,00,00
    "hahpikdlnmpgnjij"=hex:6b,61,6a,6f,70,69,61,6b,63,6c,6f,70,70,67,6f,63,6e,65,
    65,70,6a,6a,00,00
    "gacbnalipcpcbp"=hex:61,63,61,70,6d,6f,69,66,68,65,6d,61,6d,68,6b,66,61,61,61,
    67,66,63,62,63,6d,66,6e,62,68,6f,6f,6f,64,61,6c,67,69,69,6e,70,70,65,62,62,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5952)
    c:\users\Julius\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    Completion time: 2012-08-04 15:45:03
    ComboFix-quarantined-files.txt 2012-08-04 12:45
    ComboFix2.txt 2012-06-06 09:55
    .
    Pre-Run: 154.716.626.944 bytes free
    Post-Run: 154.865.496.064 bytes free
    .
    - - End Of File - - 9021443B5CDE61B2BB7CFA06284EC705

    if everything seems good for you here, then my problem can be considered solved :) Again thank you very much!
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Let's not be hasty, please. We'll do another scan here, and verify the infection has disappeared. We don't want to assume. :)

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  8. Julius

    Julius TS Rookie Topic Starter Posts: 24

    Here is what I've got:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=4dd25bd344325343895741b1273cfc5e
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-04 08:42:45
    # local_time=2012-08-04 11:42:45 (+0200, FLE Daylight Time)
    # country="Lithuania"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5893 16776574 100 94 44842806 95734321 0 0
    # compatibility_mode=8192 67108863 100 0 154 154 0 0
    # scanned=387673
    # found=2
    # cleaned=2
    # scan_time=9835
    C:\FRST\Quarantine\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\FRST\Quarantine\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\{ce4d4c51-61a0-ccf3-9a84-34ee173c2bde}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  10. Julius

    Julius TS Rookie Topic Starter Posts: 24

    My computer is running pretty nice and here is the log:

    Results of screen317's Security Check version 0.99.43
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Out of date HijackThis installed!
    HijackThis 1.99.1
    CCleaner Professional
    Java(TM) 6 Update 26
    Java(TM) 7 Update 1
    Java(TM) SE Development Kit 6 Update 25
    Java(TM) SE Development Kit 7
    Java DB 10.6.2.1
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 11.3.300.270
    Adobe Reader X (10.1.3)
    Mozilla Firefox (14.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Good!

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
     
  12. Julius

    Julius TS Rookie Topic Starter Posts: 24

    Well, actually I have one. It isn't really related, but I wanted to ask about forced/unexpected shutdowns. At this moment my laptop is without battery, so lately I had like 3 unexpected shutdowns (electricity problems etc.). As far as I know that is bad.. so how serious is it? Are there any tools to check if there was any damage done?
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Yes...

    Is it normally very hot around the computer, or is it happening because of the battery?
     
  14. Julius

    Julius TS Rookie Topic Starter Posts: 24

    It is happening because of the battery because now I don't have one and any electricity break shuts down the computer. Well, that has happened pretty much only in the last few days.. And unfortunately my computer becomes hot pretty often but that is my fault.. So now I will try to get a new battery asap and keep my computer cool. Thank you again, I am really surprised how helpful people are here :)
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Okay. Well post in the hardware forums if you need help next, so we don't have to leave this case open.

    Not a big deal. I will mark this solved. Best of luck! :)


     
    Julius likes this.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...