TechSpot

Sirefef Infection - Please Help

Inactive
By Jlums
Jul 7, 2012
  1. Hi,

    I'm a newbie here. I found my way here because I see members are helping out people that have the Sirefef infection. I have already run FRST.exe and searched for services.exe. See logs posted below. Thanks in advance for the help!

    FRST.txt
    =======
    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 07-07-2012 02
    Ran by SYSTEM at 07-07-2012 00:47:32
    Running from H:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1753192 2010-07-07] ()
    HKLM\...\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
    HKLM\...\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s [57344 2006-09-28] (SlySoft, Inc.)
    HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [CouponAlert_2p Browser Plugin Loader] C:\PROGRA~1\COUPON~2\bar\1.bin\2pbrmon.exe [30096 2011-10-13] (VER_COMPANY_NAME)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-09-01] (Research In Motion Limited)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Joe\...\Run: [Google Update] "C:\Users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-03-22] (Google Inc.)
    HKU\Joe\...\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2012-02-23] (Apple Inc.)
    HKU\Joe\...\Run: [cdloader] "C:\Users\Joe\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [50592 2012-02-01] (magicJack L.P.)
    HKU\Joe\...\Run: [Digiarty_Software_AirPlayit] "C:\Program Files\Digiarty\Air_Playit\airplayit.exe" -min [10468672 2012-02-28] ()
    HKU\Joe\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
    HKU\Joe\...\Run: [Tonido] "C:\Users\Joe\AppData\Roaming\Tonido\launcher.exe" /nobrowser [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.127.2
    Tcpip\..\Interfaces\{F266BFCB-B822-47F4-9911-5DD6E7C0A590}: [NameServer]209.18.47.61,209.18.47.62
    Tcpip\..\Interfaces\{FC4C517A-70D1-45FA-8831-DC32484FF8D2}: [NameServer]209.18.47.61,209.18.47.62
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\ServeToMe.lnk
    ShortcutTarget: ServeToMe.lnk -> C:\Windows\Installer\{79E79A9E-264D-44E2-90BD-14E006F0181C}\_DCBD1B3FA4B3F88BBF02B5.exe ()
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\WD Quick View.lnk
    ShortcutTarget: WD Quick View.lnk -> C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe (Western Digital Technologies, Inc.)
    Startup: C:\Users\Joe\Start Menu\Programs\Startup\SABnzbd.lnk
    ShortcutTarget: SABnzbd.lnk -> C:\Program Files\SABnzbd\SABnzbd.exe ()
    ================================ Services (Whitelisted) ==================
    2 AppHostSvc; C:\Windows\system32\inetsrv\apphostsvc.dll [61440 2010-11-20] (Microsoft Corporation)
    2 CouponAlert_2pService; C:\PROGRA~1\COUPON~2\bar\1.bin\2pbarsvc.exe [42504 2011-10-13] (COMPANYVERS_NAME)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 IntuitUpdateService; "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13672 2010-08-23] (Intuit Inc.)
    2 IntuitUpdateServiceV4; "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" [13672 2011-08-25] (Intuit Inc.)
    2 magicJack; C:\mjusbsp\srvany.exe [8192 2003-04-18] ()
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 NVIDIA Performance Driver Service; "C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe" [3795560 2010-04-30] ()
    3 odserv; "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [440696 2011-07-20] (Microsoft Corporation)
    3 ose; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [145184 2006-10-26] (Microsoft Corporation)
    2 ServeToMe-Service; "C:\Program Files\ProjectsWithLove\ServeToMe\ServeToMe-Service.exe" [10240 2012-05-05] (ProjectsWithLove)
    2 SplashtopRemoteService; "C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe" [531328 2012-02-09] (Splashtop Inc.)
    2 SSUService; C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe [370504 2012-03-14] (Splashtop Inc.)
    2 VMAuthdService; "C:\Program Files\VMware\VMware Workstation\vmware-authd.exe" [79872 2011-08-22] (VMware, Inc.)
    2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [354416 2011-08-22] (VMware, Inc.)
    2 VMUSBArbService; "C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe" [665200 2011-08-21] (VMware, Inc.)
    2 VMware NAT Service; C:\Windows\system32\vmnat.exe [432752 2011-08-22] (VMware, Inc.)
    3 VMwareHostd; "C:\Program Files\VMware\VMware Workstation\vmware-hostd.exe" -u "C:\ProgramData\VMware\hostd\config.xml" [31917 2011-10-29] ()
    2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
    3 WAS; C:\Windows\system32\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
    ========================== Drivers (Whitelisted) =============
    1 adxovpfc; \??\C:\Windows\system32\drivers\adxovpfc.sys [43480 2012-07-06] (Microsoft Corporation)
    2 aksfridge; C:\Windows\system32\drivers\aksfridge.sys [351744 2007-03-12] (Aladdin Knowledge Systems Ltd.)
    3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [26112 2010-04-29] (Google Inc)
    1 ASPI32; C:\Windows\System32\Drivers\ASPI32.sys [16877 2002-07-16] (Adaptec)
    3 BCMH43XX; C:\Windows\System32\DRIVERS\bcmwlhigh6.sys [1092160 2011-04-19] (Broadcom Corporation)
    1 cbfs3; \??\C:\Windows\system32\drivers\cbfs3.sys [267208 2010-06-09] (EldoS Corporation)
    3 ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [34760 2007-02-15] (SlySoft, Inc.)
    1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [26024 2009-12-17] (Elaborate Bytes AG)
    3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
    2 hcmon; \??\C:\Windows\system32\drivers\hcmon.sys [32496 2011-08-21] (VMware, Inc.)
    3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [26112 2010-04-29] (Google Inc)
    3 ManyCam; C:\Windows\System32\DRIVERS\ManyCam.sys [21632 2008-01-14] (ManyCam LLC.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    1 MpKsl125932ea; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AC27F282-26B9-4FBB-8ADA-4E0474650B83}\MpKsl125932ea.sys [29904 2012-07-06] (Microsoft Corporation)
    1 MpKslcca9e45d; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AC27F282-26B9-4FBB-8ADA-4E0474650B83}\MpKslcca9e45d.sys [29904 2012-07-06] (Microsoft Corporation)
    3 nrtap; C:\Windows\System32\DRIVERS\nrtap.sys [24576 2009-09-01] (NeoRouter Inc.)
    3 pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [16472 2011-05-06] ()
    3 pwdspio; \??\C:\Windows\system32\pwdspio.sys [11104 2011-05-06] ()
    3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [26112 2010-11-30] (The OpenVPN Project)
    1 UGURU; C:\Windows\System32\drivers\uGuru.sys [21048 2006-10-02] (ABIT)
    2 VirtualCam; C:\Windows\System32\DRIVERS\VirtualCam.sys [192512 2007-02-21] (MorningSound Co., Ltd.)
    3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16624 2011-08-22] (VMware, Inc.)
    2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [36464 2011-08-22] (VMware, Inc.)
    2 VMnetuserif; \??\C:\Windows\system32\drivers\vmnetuserif.sys [25712 2011-08-22] (VMware, Inc.)
    2 vmx86; \??\C:\Windows\system32\Drivers\vmx86.sys [55280 2011-08-22] (VMware, Inc.)
    3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
    1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
    3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
    1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
    2 vstor2-mntapi10-shared; C:\Windows\System32\drivers\vstor2-mntapi10-shared.sys [22768 2011-07-08] (VMware, Inc.)
    3 ATP; C:\Windows\System32\DRIVERS\cmdatp.sys [x]
    3 PcaSp50; C:\Windows\System32\Drivers\PcaSp50.sys [x]
    3 PLCND532; C:\Windows\System32\Drivers\PLCND532.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-07-07 00:47 - 2012-07-07 00:47 - 00000000 ____D C:\FRST
    2012-07-06 21:43 - 2012-07-06 21:43 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\adxovpfc.sys
    2012-07-06 20:16 - 2012-07-06 20:16 - 00000000 ____D C:\Users\All Users\Splashtop
    2012-07-03 03:31 - 2012-07-03 03:31 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-06-21 07:48 - 2012-06-21 07:48 - 00001154 ____A C:\Users\Public\Desktop\Shutterfly Express Uploader.lnk
    2012-06-21 07:48 - 2012-06-21 07:48 - 00000000 ____D C:\Users\Joe\AppData\Roaming\com.Shutterfly.ExpressUploader
    2012-06-21 07:47 - 2012-06-21 07:47 - 00000000 ____D C:\Program Files\Shutterfly
    2012-06-21 04:44 - 2012-06-21 04:44 - 00159608 ____A C:\Windows\Minidump\062112-20406-01.dmp
    2012-06-20 21:08 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-20 21:08 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-20 21:08 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-20 21:08 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-20 21:08 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-20 21:08 - 2012-06-02 12:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-20 21:08 - 2012-06-02 12:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-14 07:42 - 2012-06-21 04:44 - 267009046 ____A C:\Windows\MEMORY.DMP
    2012-06-14 07:42 - 2012-06-14 07:42 - 00157528 ____A C:\Windows\Minidump\061412-18500-01.dmp
    2012-06-14 00:01 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-14 00:01 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-14 00:01 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-14 00:01 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-14 00:01 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-14 00:01 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-14 00:01 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-14 00:01 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-14 00:01 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-14 00:01 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-14 00:01 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-14 00:01 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-14 00:01 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-14 00:01 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-13 13:54 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-13 13:54 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-06-13 13:54 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-13 13:54 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-13 13:54 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-13 13:54 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-13 13:54 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-06-13 13:54 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-06-13 13:54 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-06-13 13:54 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-06-10 18:31 - 2012-06-10 18:33 - 00000000 ____D C:\Windows\C6359569E03E4CDC98E8CDD080C6EEB5.TMP
    ============ 3 Months Modified Files ========================
    2012-07-06 21:44 - 2012-04-19 20:41 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-06 21:43 - 2012-07-06 21:43 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\adxovpfc.sys
    2012-07-06 21:42 - 2012-05-30 07:49 - 00101307 ____A C:\Windows\setupact.log
    2012-07-06 21:42 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-06 21:27 - 2011-03-22 17:41 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-738449339-805295421-2494816824-1000UA.job
    2012-07-06 20:45 - 2010-12-22 09:44 - 01578202 ____A C:\Windows\WindowsUpdate.log
    2012-07-06 20:32 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-07-06 20:28 - 2009-07-13 20:53 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-06 20:24 - 2009-07-13 20:34 - 00014848 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-06 20:24 - 2009-07-13 20:34 - 00014848 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-06-27 00:27 - 2011-03-22 17:41 - 00000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-738449339-805295421-2494816824-1000Core.job
    2012-06-23 13:09 - 2012-02-03 09:11 - 00000326 ____A C:\Windows\hpbafd.ini
    2012-06-23 09:44 - 2012-04-19 20:41 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-06-23 09:44 - 2011-06-08 08:51 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-06-23 08:31 - 2010-12-22 07:49 - 00797964 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-21 07:48 - 2012-06-21 07:48 - 00001154 ____A C:\Users\Public\Desktop\Shutterfly Express Uploader.lnk
    2012-06-21 04:44 - 2012-06-21 04:44 - 00159608 ____A C:\Windows\Minidump\062112-20406-01.dmp
    2012-06-21 04:44 - 2012-06-14 07:42 - 267009046 ____A C:\Windows\MEMORY.DMP
    2012-06-14 07:42 - 2012-06-14 07:42 - 00157528 ____A C:\Windows\Minidump\061412-18500-01.dmp
    2012-06-14 00:23 - 2009-07-13 20:33 - 00382320 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-14 00:03 - 2010-12-22 09:32 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-10 18:38 - 2010-12-22 09:47 - 00027930 ____A C:\Windows\PFRO.log
    2012-06-10 18:38 - 2009-07-13 20:34 - 00003483 ____A C:\Windows\DtcInstall.log
    2012-06-10 18:37 - 2010-12-29 16:24 - 00023374 ____A C:\Windows\DPINST.LOG
    2012-06-10 18:30 - 2011-02-07 13:22 - 00000000 ____A C:\Windows\ka.ini
    2012-06-02 14:19 - 2012-06-20 21:08 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-20 21:08 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-20 21:08 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-20 21:08 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-20 21:08 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 12:19 - 2012-06-20 21:08 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 12:12 - 2012-06-20 21:08 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-30 16:23 - 2010-12-22 19:54 - 00179200 ____A C:\Users\Joe\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-30 07:49 - 2012-05-30 07:49 - 00000000 ____A C:\Windows\setuperr.log
    2012-05-29 04:39 - 2012-04-21 19:16 - 00003068 ____A C:\ndsvc.log
    2012-05-17 15:11 - 2012-06-14 00:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 14:48 - 2012-06-14 00:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 14:45 - 2012-06-14 00:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 14:36 - 2012-06-14 00:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 14:35 - 2012-06-14 00:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-14 00:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 14:33 - 2012-06-14 00:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 14:31 - 2012-06-14 00:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 14:29 - 2012-06-14 00:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 14:29 - 2012-06-14 00:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-14 00:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 14:25 - 2012-06-14 00:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 14:24 - 2012-06-14 00:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 14:20 - 2012-06-14 00:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-14 17:05 - 2012-06-13 13:54 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-01 00:00 - 2010-12-22 08:28 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-04-30 20:44 - 2012-06-13 13:54 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-04-27 19:17 - 2012-06-13 13:54 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-25 20:45 - 2012-06-13 13:54 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 20:45 - 2012-06-13 13:54 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 20:41 - 2012-06-13 13:54 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-24 20:43 - 2012-04-24 20:43 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-04-23 20:36 - 2012-06-13 13:54 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-04-23 20:36 - 2012-06-13 13:54 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-04-23 20:36 - 2012-06-13 13:54 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-04-21 11:36 - 2012-04-21 11:36 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
    2012-04-21 11:36 - 2012-04-21 11:36 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
    2012-04-21 11:36 - 2012-04-21 11:36 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
    2012-04-21 11:36 - 2011-12-25 06:54 - 00472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
    2012-04-19 07:02 - 2012-04-18 20:46 - 00000000 __ASH C:\Windows\System32\dds_trash_log.cmd

    ZeroAccess:
    C:\Windows\Installer
    C:\Windows\Installer\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\@
    C:\Windows\Installer\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\U
    ZeroAccess:
    C:\Users\Joe\AppData\Local
    C:\Users\Joe\AppData\Local\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\@
    C:\Users\Joe\AppData\Local\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\L
    C:\Users\Joe\AppData\Local\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\n
    C:\Users\Joe\AppData\Local\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\U
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 20%
    Total physical RAM: 2046.46 MB
    Available physical RAM: 1622.51 MB
    Total Pagefile: 2046.46 MB
    Available Pagefile: 1622.19 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1952.7 MB
    ======================= Partitions =========================
    1 Drive c: () (Fixed) (Total:99.9 GB) (Free:46.76 GB) NTFS
    2 Drive d: () (Fixed) (Total:2644.4 GB) (Free:1279.34 GB) NTFS
    5 Drive h: () (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    8 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 100 GB 0 B
    Disk 1 Online 2644 GB 128 MB *
    Disk 2 Online 244 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 99 GB 101 MB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 Y NTFS Partition 100 MB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 C NTFS Partition 99 GB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 2644 GB 129 MB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Hidden : No
    Required: No
    Attrib : 0000000000000000
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 D NTFS Partition 2644 GB Healthy
    ==================================================================================
    Partitions of Disk 2:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    * Partition 1 Primary 244 MB 0 B
    ==================================================================================
    Disk: 2
    There is no partition selected.
    There is no partition selected.
    Please select a partition and try again.
    ==================================================================================
    ==========================================================
    Last Boot: 2012-06-27 21:23
    ======================= End Of Log ==========================



    Search.txt
    ========

    Farbar Recovery Scan Tool Version: 07-07-2012 02
    Ran by SYSTEM at 2012-07-07 00:48:56
    Running from H:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2012-07-06 20:32] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
    === End Of Search ===
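    The two findings worth reading in the logs above are the "Bamital & volsnap Check" line and the Search.txt block: the copy of services.exe in System32 has the same size as the copy in the WinSxS component store but a different MD5, and a 2009 file shows a modification time of 2012-07-06. The script below is an added example, not part of this thread and not FRST's own code; FRST performs the hash check itself, and this only re-implements the comparison over the text of a Search.txt so the logic is visible. The sample input is constructed from the paths and hashes printed above, and the function names (parse_search, find_mismatches, guid_dropper_dirs) are my own. It also groups the "@", "U", "L" and "n" entries that FRST listed under GUID-named folders, which is the second pattern the log flags as ZeroAccess.

```python
"""Re-check an FRST Search.txt for a system binary whose live copy differs
from the component-store copy, and group GUID-folder marker files.

Added example for the thread above; not FRST's code and not the helper's fix.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the Search.txt layout; paths and MD5s copied from the log above.
SAMPLE_SEARCH = r"""
Farbar Recovery Scan Tool Version: 07-07-2012 02
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-06 20:32] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
=== End Of Search ===
"""

# Constructed from the "ZeroAccess:" block of the FRST log above, plus one benign path.
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\@",
    r"C:\Windows\Installer\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\U",
    r"C:\Users\Joe\AppData\Local\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\@",
    r"C:\Users\Joe\AppData\Local\{e99f5b8d-bdb5-a8cc-41f9-5ca56497f2c0}\L",
    r"C:\Program Files\Shutterfly\uploader.exe",
]

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# "[created] - [modified] - size attributes (company) MD5"; company is optional for unsigned files
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attr>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
MARKERS = {"@", "U", "L", "n"}  # leaf names FRST printed under the GUID folders


def parse_search(text):
    """Return one dict per file copy listed in a Search.txt (path line + detail line)."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            pending = line          # path line; details follow on the next line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            rec = m.groupdict()
            rec["path"] = pending
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["in_winsxs"] = "\\winsxs\\" in pending.lower()
            entries.append(rec)
            pending = None
    return entries


def find_mismatches(entries):
    """Flag copies outside WinSxS whose MD5 differs from the component-store copy.

    The WinSxS copy is used as the reference because it is what Windows restores
    from; a System32 copy of identical size with a different hash and a recent
    modification time is exactly the pattern in the log above.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[PureWindowsPath(e["path"]).name.lower()].append(e)
    findings = []
    for name, copies in by_name.items():
        refs = [c for c in copies if c["in_winsxs"]]
        ref_md5s = {c["md5"] for c in refs}
        if not ref_md5s:
            continue                # nothing trustworthy to compare against
        for c in copies:
            if not c["in_winsxs"] and c["md5"] not in ref_md5s:
                findings.append({
                    "file": name,
                    "path": c["path"],
                    "md5": c["md5"],
                    "reference_md5": sorted(ref_md5s),
                    "same_size_as_reference": any(c["size"] == r["size"] for r in refs),
                    "modified": c["modified"],
                })
    return findings


def guid_dropper_dirs(paths):
    """Group '@', 'U', 'L', 'n' entries by their GUID-named parent folder."""
    hits = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name in MARKERS and GUID_RE.match(wp.parent.name):
            hits[str(wp.parent)].add(wp.name)
    return {d: sorted(names) for d, names in hits.items()}


if __name__ == "__main__":
    for f in find_mismatches(parse_search(SAMPLE_SEARCH)):
        print(f"{f['path']}: {f['md5']} != WinSxS {f['reference_md5']} "
              f"(same size: {f['same_size_as_reference']}, modified {f['modified']})")
    for d, names in guid_dropper_dirs(SAMPLE_PATHS).items():
        print(f"{d}: {names}")
```

    On the sample the hash comparison returns exactly one finding, the System32 services.exe, and the GUID grouping returns the two folders FRST printed. A hash mismatch between the live file and the WinSxS copy is only a lead; the same check on a machine with a pending servicing update can differ legitimately, which is why FRST also reports the modification timestamp for context.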
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi and welcome to the forums!

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt



    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options then select Command Prompt

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.




    Upload Dump Files:
    Please go to C:\Windows\Minidump and zip up the contents of the folder. Then upload/attach the .zip file with your next post.
    Left click on the first minidump file.
    Hold down the "Shift" key and left click on the last minidump file.
    Right click on the blue highlighted area and select "Send to"
    Select "Compressed (zipped) folder" and note where the folder is saved.
    Upload that .zip file with your next post.

    If you have issues with "Access Denied" errors, try copying the files to your desktop and zipping them up from there. If it still won't let you zip them up, post back for further advice.

    If you don't have anything in that folder, please check in C:\Windows for a file named MEMORY.DMP. If you find it, zip it up and upload it to a free file hosting service. I recommend Windows Live SkyDrive - http://skydrive.live.com or another free file-hosting service. Then post the link to it in your topic so that we can download it.

    Then, follow the directions here to set your system for Minidumps (much smaller than the MEMORY.DMP file): http://www.carrona.org/setmini.html


    ComboFix

    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
     
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     