Thanks in advance, Broni.
I have run Windows Defender from a boot CD, as it was disabled by the virus.
Sirefef.R and .AH, from memory, were detected, and once detected the restarting loop began.
So I have run FRST; the log is below.
Thanks once again.
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 15:00:06
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-26] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-28] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-04-26] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-07] (Sun Microsystems, Inc.)
HKLM\...\Run: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe [557056 2010-12-14] (Silicon Integrated Systems Corporation)
HKLM\...\Run: [tvncontrol] "C:\Program Files\ShowMyPCService\tvnserver.exe" -controlservice -slave [815704 2010-07-08] (GlavSoft LLC.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-25] (Microsoft Corporation)
HKU\ReceptionAM\...\Run: [Google Update] "C:\Users\ReceptionAM\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-04-19] (Google Inc.)
HKU\ReceptionAM\...\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\drivermax.exe" -agent [8498600 2012-01-09] (Innovative Solutions)
HKU\ReceptionAM\...\Run: [DriverMax_RESTART] [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 8.8.8.8 192.168.1.1
Startup: C:\Users\admin-ashmore-2\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files\Common Files\lpuninstall.exe (LastPass)
Startup: C:\Users\admin-ashmore-2\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files\Common Files\lpuninstall.exe (LastPass)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HCN Automatic Update.lnk
ShortcutTarget: HCN Automatic Update.lnk -> C:\Program Files\Health Communication Network\HCN Automatic Update\Hcn.Common.Updates.Server.exe (HCN)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HICAPS Connect Service Setup.lnk
ShortcutTarget: HICAPS Connect Service Setup.lnk -> C:\Program Files\HICAPSConnect\HicapsConnectServiceController.exe (HICAPS Pty Ltd.)
Startup: C:\Users\ReceptionAM\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
================================ Services (Whitelisted) ==================
4 Erx Standard Adapter Service; "C:\Program Files\Best Practice Software\BPS\eRx\Erx.ScriptExchangeAdapter.StandardAdapter.exe" [22016 2010-07-22] (Simpl)
4 Erx Standard Adapter Store & Forward Service; "C:\Program Files\Best Practice Software\BPS\eRx\Erx.ScriptExchangeAdapter.StandardAdapter.exe" [22016 2010-07-22] (Simpl)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 HCNServiceManager; "C:\Program Files\Health Communication Network\HCN Service Manager\HcnServiceManagerService.exe" [9728 2011-03-09] (Health Communication Network)
2 HicapsConnectServer; "C:\Program Files\HICAPSConnect\HICAPSConnectService.exe" [754176 2010-12-08] (HICAPS Pty Ltd.)
2 HICAPSConnectServiceAgent; "C:\Program Files\HICAPSConnect\HICAPSConnectServiceAgent.exe" [159232 2010-12-08] (HICAPS Pty Ltd.)
2 RServer3; "C:\Windows\system32\rserver30\RServer3.exe" /service [1242504 2009-10-08] (Famatech Corp.)
2 tvnserver; "C:\Program Files\ShowMyPCService\tvnserver.exe" -service [815704 2010-07-08] (GlavSoft LLC.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
2 MSSQL$BPSCLIENT; "c:\Program Files\Microsoft SQL Server\MSSQL10_50.BPSINSTANCE\MSSQL\Binn\sqlservr.exe" -sBPSCLIENT [x]
4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
4 SQLAgent$BPSCLIENT; "c:\Program Files\Microsoft SQL Server\MSSQL10_50.BPSINSTANCE\MSSQL\Binn\SQLAGENT.EXE" -I BPSCLIENT [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]
========================== Drivers (Whitelisted) =============
3 mirrorv3; C:\Windows\System32\DRIVERS\rminiv3.sys [3328 2009-10-08] (Famatech International Corp.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-12] ()
1 raddrvv3; \??\C:\Windows\system32\rserver30\raddrvv3.sys [46304 2009-10-08] (Famatech Corp.)
4 RsFx0150; C:\Windows\System32\DRIVERS\RsFx0150.sys [240608 2010-04-02] (Microsoft Corporation)
3 SiS6350; C:\Windows\System32\DRIVERS\SISGRKMD.sys [466432 2010-12-14] (Silicon Integrated Systems Corporation)
3 SiSGbeLH; C:\Windows\System32\DRIVERS\SiSGB6.sys [48128 2009-07-13] (Silicon Integrated Systems Corp.)
0 uagp35; C:\Windows\System32\DRIVERS\sisagpx.sys [58400 2009-07-31] (Silicon Integrated Systems Corporation)
3 USA19H; C:\Windows\System32\DRIVERS\USA19H2k.sys [704000 2007-10-29] (Keyspan)
3 USA19H2KP; C:\Windows\System32\DRIVERS\USA19H2kp.SYS [24192 2007-05-28] (Keyspan)
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============
2012-07-25 15:00 - 2012-07-25 15:00 - 00000000 ____D C:\FRST
2012-07-24 20:34 - 2012-07-24 20:34 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Malwarebytes
2012-07-24 20:26 - 2012-07-24 20:26 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-24 20:18 - 2012-07-24 20:18 - 00000000 ____D C:\Users\Joe\AppData\Local\Apple
2012-07-24 20:08 - 2012-07-24 20:08 - 00143656 ____A C:\Windows\Minidump\072512-17971-01.dmp
2012-07-24 20:03 - 2012-07-24 20:03 - 00130050 ____A C:\SiSKmd_1.dmp
2012-07-20 17:21 - 2012-07-25 14:07 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-07-19 23:03 - 2012-07-24 20:25 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-19 22:35 - 2012-07-25 14:07 - 00000000 ____D C:\17356577a7292a18f53f580eadbc6466
2012-07-19 22:35 - 2012-07-19 22:35 - 00000000 ____D C:\Users\Joe\AppData\Local\Adobe
2012-07-19 21:49 - 2012-07-19 21:49 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Mozilla
2012-07-19 21:49 - 2012-07-19 21:49 - 00000000 ____D C:\Users\Joe\AppData\Local\Mozilla
2012-07-19 21:26 - 2012-07-24 20:17 - 00000000 ____D C:\Users\Joe\AppData\Local\{FF29E5BF-CFAD-11E1-8270-B8AC6F996F26}
2012-07-16 18:31 - 2012-07-16 18:31 - 00000600 ____A C:\Windows\PUTTY.RND
2012-07-16 17:35 - 2012-07-16 17:35 - 00001079 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-16 17:30 - 2012-07-16 17:31 - 00000000 ____D C:\Program Files\ShowMyPCService
2012-07-16 17:22 - 2012-07-16 17:22 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-16 17:20 - 2012-07-16 17:22 - 00000000 ____D C:\Users\All Users\036DFF35356E2ADFFB9A5B664F147C45
2012-07-16 17:20 - 2012-07-16 17:20 - 00000000 ____D C:\Users\ReceptionAM\AppData\Local\{FF2A1B5D-CFAD-11E1-8270-B8AC6F996F26}
2012-07-16 17:20 - 2012-07-16 17:20 - 00000000 ____D C:\Users\ReceptionAM\AppData\Local\{FF29E5BF-CFAD-11E1-8270-B8AC6F996F26}
2012-07-15 20:20 - 2012-07-15 21:43 - 00013434 ____A C:\Users\ReceptionAM\Desktop\Stocktake.xlsx
2012-07-10 18:21 - 2012-07-10 18:21 - 00009835 ____A C:\Users\ReceptionAM\Desktop\staff contacts.xlsx
2012-07-10 17:47 - 2012-07-10 18:21 - 00010205 ____A C:\Users\ReceptionAM\Desktop\buisnesscontacts.xlsx
2012-07-01 23:11 - 2012-07-01 23:11 - 00021809 ____A C:\Users\ReceptionAM\Desktop\Robina Roster July 2012.xlsx
2012-06-26 17:19 - 2012-06-04 22:23 - 00201728 ____A C:\Users\ReceptionAM\Desktop\GiftCertificate.pub
============ 3 Months Modified Files ========================
2012-07-24 20:53 - 2010-12-06 20:52 - 00000128 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-24 20:53 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-24 20:52 - 2009-07-13 20:39 - 00057810 ____A C:\Windows\setupact.log
2012-07-24 20:26 - 2012-07-24 20:26 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-24 20:26 - 2010-07-04 19:53 - 01817015 ____A C:\Windows\WindowsUpdate.log
2012-07-24 20:25 - 2010-07-04 20:12 - 00895510 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-24 20:19 - 2011-04-19 17:34 - 00000932 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3940439834-2066084479-3458484032-1155UA.job
2012-07-24 20:08 - 2012-07-24 20:08 - 00143656 ____A C:\Windows\Minidump\072512-17971-01.dmp
2012-07-24 20:08 - 2012-01-16 17:31 - 145530280 ____A C:\Windows\MEMORY.DMP
2012-07-24 20:03 - 2012-07-24 20:03 - 00130050 ____A C:\SiSKmd_1.dmp
2012-07-19 23:11 - 2010-07-05 21:21 - 00111560 ____A C:\Users\admin-ashmore-2\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-19 21:26 - 2011-10-24 16:01 - 00111560 ____A C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-17 19:17 - 2011-05-16 17:45 - 00000448 ___AH C:\Windows\Tasks\Norton Security Scan for ReceptionAM.job
2012-07-17 15:19 - 2011-04-19 17:34 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3940439834-2066084479-3458484032-1155Core.job
2012-07-16 19:04 - 2010-07-05 21:20 - 00039590 ____A C:\Windows\PFRO.log
2012-07-16 18:31 - 2012-07-16 18:31 - 00000600 ____A C:\Windows\PUTTY.RND
2012-07-16 17:35 - 2012-07-16 17:35 - 00001079 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-15 21:43 - 2012-07-15 20:20 - 00013434 ____A C:\Users\ReceptionAM\Desktop\Stocktake.xlsx
2012-07-11 15:23 - 2011-04-19 17:34 - 00002443 ____A C:\Users\ReceptionAM\Desktop\Google Chrome.lnk
2012-07-10 18:21 - 2012-07-10 18:21 - 00009835 ____A C:\Users\ReceptionAM\Desktop\staff contacts.xlsx
2012-07-10 18:21 - 2012-07-10 17:47 - 00010205 ____A C:\Users\ReceptionAM\Desktop\buisnesscontacts.xlsx
2012-07-02 19:46 - 2011-07-17 18:10 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 09:13 - 2010-07-04 23:31 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-01 23:11 - 2012-07-01 23:11 - 00021809 ____A C:\Users\ReceptionAM\Desktop\Robina Roster July 2012.xlsx
2012-06-24 17:21 - 2012-02-08 18:05 - 00046810 ____A C:\Users\ReceptionAM\Documents\VOMailMerge.csv
2012-06-18 20:56 - 2012-06-18 20:56 - 00022757 ____A C:\Users\ReceptionAM\Desktop\JaniceSbookingInvoiceA51.xls
2012-06-05 14:29 - 2011-07-11 17:13 - 00001047 ____A C:\Users\ReceptionAM\Desktop\Dropbox.lnk
2012-06-04 22:23 - 2012-06-26 17:19 - 00201728 ____A C:\Users\ReceptionAM\Desktop\GiftCertificate.pub
2012-05-20 17:53 - 2012-05-20 17:54 - 00002141 ____A C:\Users\ReceptionAM\Desktop\ALL reception documents.lnk
ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@
ZeroAccess:
C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 14%
Total physical RAM: 2943.24 MB
Available physical RAM: 2528.12 MB
Total Pagefile: 2941.52 MB
Available Pagefile: 2530.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.7 MB
======================= Partitions =========================
2 Drive c: (NLServer) (Fixed) (Total:136.52 GB) (Free:22.95 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: (PRESARIO_RP) (Fixed) (Total:12.51 GB) (Free:2.87 GB) FAT32
5 Drive f: () (Removable) (Total:3.73 GB) (Free:2.38 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 3819 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 136 GB 31 KB
Partition 2 Primary 12 GB 136 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NLServer NTFS Partition 136 GB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 0C
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D PRESARIO_RP FAT32 Partition 12 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 3818 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-17 19:19
======================= End Of Log ==========================