Sirefef.R and Sirefef.AH removal please

Inactive
By R6n350GT
Jul 25, 2012
  1. Thanks in advance Broni
    I have run Windows Defender from a boot CD, as it was disabled by the virus.
    Sirefef .R and .AH from memory were detected, and once detected the restarting loop began.
    So I have run FRST; the log is below.

    Thanks once again.


    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 25-07-2012 15:00:06
    Running from F:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-26] (Adobe Systems Incorporated)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-28] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2011-04-26] (Apple Inc.)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-07] (Sun Microsystems, Inc.)
    HKLM\...\Run: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe [557056 2010-12-14] (Silicon Integrated Systems Corporation)
    HKLM\...\Run: [tvncontrol] "C:\Program Files\ShowMyPCService\tvnserver.exe" -controlservice -slave [815704 2010-07-08] (GlavSoft LLC.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-25] (Microsoft Corporation)
    HKU\ReceptionAM\...\Run: [Google Update] "C:\Users\ReceptionAM\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-04-19] (Google Inc.)
    HKU\ReceptionAM\...\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\drivermax.exe" -agent [8498600 2012-01-09] (Innovative Solutions)
    HKU\ReceptionAM\...\Run: [DriverMax_RESTART] [x]
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 8.8.8.8 192.168.1.1
    Startup: C:\Users\admin-ashmore-2\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk
    ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files\Common Files\lpuninstall.exe (LastPass)
    Startup: C:\Users\admin-ashmore-2\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk
    ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files\Common Files\lpuninstall.exe (LastPass)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HCN Automatic Update.lnk
    ShortcutTarget: HCN Automatic Update.lnk -> C:\Program Files\Health Communication Network\HCN Automatic Update\Hcn.Common.Updates.Server.exe (HCN)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HICAPS Connect Service Setup.lnk
    ShortcutTarget: HICAPS Connect Service Setup.lnk -> C:\Program Files\HICAPSConnect\HicapsConnectServiceController.exe (HICAPS Pty Ltd.)
    Startup: C:\Users\ReceptionAM\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)

    ================================ Services (Whitelisted) ==================

    4 Erx Standard Adapter Service; "C:\Program Files\Best Practice Software\BPS\eRx\Erx.ScriptExchangeAdapter.StandardAdapter.exe" [22016 2010-07-22] (Simpl)
    4 Erx Standard Adapter Store & Forward Service; "C:\Program Files\Best Practice Software\BPS\eRx\Erx.ScriptExchangeAdapter.StandardAdapter.exe" [22016 2010-07-22] (Simpl)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 HCNServiceManager; "C:\Program Files\Health Communication Network\HCN Service Manager\HcnServiceManagerService.exe" [9728 2011-03-09] (Health Communication Network)
    2 HicapsConnectServer; "C:\Program Files\HICAPSConnect\HICAPSConnectService.exe" [754176 2010-12-08] (HICAPS Pty Ltd.)
    2 HICAPSConnectServiceAgent; "C:\Program Files\HICAPSConnect\HICAPSConnectServiceAgent.exe" [159232 2010-12-08] (HICAPS Pty Ltd.)
    2 RServer3; "C:\Windows\system32\rserver30\RServer3.exe" /service [1242504 2009-10-08] (Famatech Corp.)
    2 tvnserver; "C:\Program Files\ShowMyPCService\tvnserver.exe" -service [815704 2010-07-08] (GlavSoft LLC.)
    2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
    2 MSSQL$BPSCLIENT; "c:\Program Files\Microsoft SQL Server\MSSQL10_50.BPSINSTANCE\MSSQL\Binn\sqlservr.exe" -sBPSCLIENT [x]
    4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
    3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
    4 SQLAgent$BPSCLIENT; "c:\Program Files\Microsoft SQL Server\MSSQL10_50.BPSINSTANCE\MSSQL\Binn\SQLAGENT.EXE" -I BPSCLIENT [x]
    2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
    2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 mirrorv3; C:\Windows\System32\DRIVERS\rminiv3.sys [3328 2009-10-08] (Famatech International Corp.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-12] ()
    1 raddrvv3; \??\C:\Windows\system32\rserver30\raddrvv3.sys [46304 2009-10-08] (Famatech Corp.)
    4 RsFx0150; C:\Windows\System32\DRIVERS\RsFx0150.sys [240608 2010-04-02] (Microsoft Corporation)
    3 SiS6350; C:\Windows\System32\DRIVERS\SISGRKMD.sys [466432 2010-12-14] (Silicon Integrated Systems Corporation)
    3 SiSGbeLH; C:\Windows\System32\DRIVERS\SiSGB6.sys [48128 2009-07-13] (Silicon Integrated Systems Corp.)
    0 uagp35; C:\Windows\System32\DRIVERS\sisagpx.sys [58400 2009-07-31] (Silicon Integrated Systems Corporation)
    3 USA19H; C:\Windows\System32\DRIVERS\USA19H2k.sys [704000 2007-10-29] (Keyspan)
    3 USA19H2KP; C:\Windows\System32\DRIVERS\USA19H2kp.SYS [24192 2007-05-28] (Keyspan)

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-25 15:00 - 2012-07-25 15:00 - 00000000 ____D C:\FRST
    2012-07-24 20:34 - 2012-07-24 20:34 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Malwarebytes
    2012-07-24 20:26 - 2012-07-24 20:26 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-24 20:18 - 2012-07-24 20:18 - 00000000 ____D C:\Users\Joe\AppData\Local\Apple
    2012-07-24 20:08 - 2012-07-24 20:08 - 00143656 ____A C:\Windows\Minidump\072512-17971-01.dmp
    2012-07-24 20:03 - 2012-07-24 20:03 - 00130050 ____A C:\SiSKmd_1.dmp
    2012-07-20 17:21 - 2012-07-25 14:07 - 00000000 ____D C:\Windows\Microsoft Antimalware
    2012-07-19 23:03 - 2012-07-24 20:25 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-07-19 22:35 - 2012-07-25 14:07 - 00000000 ____D C:\17356577a7292a18f53f580eadbc6466
    2012-07-19 22:35 - 2012-07-19 22:35 - 00000000 ____D C:\Users\Joe\AppData\Local\Adobe
    2012-07-19 21:49 - 2012-07-19 21:49 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Mozilla
    2012-07-19 21:49 - 2012-07-19 21:49 - 00000000 ____D C:\Users\Joe\AppData\Local\Mozilla
    2012-07-19 21:26 - 2012-07-24 20:17 - 00000000 ____D C:\Users\Joe\AppData\Local\{FF29E5BF-CFAD-11E1-8270-B8AC6F996F26}
    2012-07-16 18:31 - 2012-07-16 18:31 - 00000600 ____A C:\Windows\PUTTY.RND
    2012-07-16 17:35 - 2012-07-16 17:35 - 00001079 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-16 17:30 - 2012-07-16 17:31 - 00000000 ____D C:\Program Files\ShowMyPCService
    2012-07-16 17:22 - 2012-07-16 17:22 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-16 17:20 - 2012-07-16 17:22 - 00000000 ____D C:\Users\All Users\036DFF35356E2ADFFB9A5B664F147C45
    2012-07-16 17:20 - 2012-07-16 17:20 - 00000000 ____D C:\Users\ReceptionAM\AppData\Local\{FF2A1B5D-CFAD-11E1-8270-B8AC6F996F26}
    2012-07-16 17:20 - 2012-07-16 17:20 - 00000000 ____D C:\Users\ReceptionAM\AppData\Local\{FF29E5BF-CFAD-11E1-8270-B8AC6F996F26}
    2012-07-15 20:20 - 2012-07-15 21:43 - 00013434 ____A C:\Users\ReceptionAM\Desktop\Stocktake.xlsx
    2012-07-10 18:21 - 2012-07-10 18:21 - 00009835 ____A C:\Users\ReceptionAM\Desktop\staff contacts.xlsx
    2012-07-10 17:47 - 2012-07-10 18:21 - 00010205 ____A C:\Users\ReceptionAM\Desktop\buisnesscontacts.xlsx
    2012-07-01 23:11 - 2012-07-01 23:11 - 00021809 ____A C:\Users\ReceptionAM\Desktop\Robina Roster July 2012.xlsx
    2012-06-26 17:19 - 2012-06-04 22:23 - 00201728 ____A C:\Users\ReceptionAM\Desktop\GiftCertificate.pub

    ============ 3 Months Modified Files ========================

    2012-07-24 20:53 - 2010-12-06 20:52 - 00000128 ____A C:\Windows\System32\config\netlogon.ftl
    2012-07-24 20:53 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-24 20:52 - 2009-07-13 20:39 - 00057810 ____A C:\Windows\setupact.log
    2012-07-24 20:26 - 2012-07-24 20:26 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-24 20:26 - 2010-07-04 19:53 - 01817015 ____A C:\Windows\WindowsUpdate.log
    2012-07-24 20:25 - 2010-07-04 20:12 - 00895510 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-24 20:19 - 2011-04-19 17:34 - 00000932 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3940439834-2066084479-3458484032-1155UA.job
    2012-07-24 20:08 - 2012-07-24 20:08 - 00143656 ____A C:\Windows\Minidump\072512-17971-01.dmp
    2012-07-24 20:08 - 2012-01-16 17:31 - 145530280 ____A C:\Windows\MEMORY.DMP
    2012-07-24 20:03 - 2012-07-24 20:03 - 00130050 ____A C:\SiSKmd_1.dmp
    2012-07-19 23:11 - 2010-07-05 21:21 - 00111560 ____A C:\Users\admin-ashmore-2\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-19 21:26 - 2011-10-24 16:01 - 00111560 ____A C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-17 19:17 - 2011-05-16 17:45 - 00000448 ___AH C:\Windows\Tasks\Norton Security Scan for ReceptionAM.job
    2012-07-17 15:19 - 2011-04-19 17:34 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3940439834-2066084479-3458484032-1155Core.job
    2012-07-16 19:04 - 2010-07-05 21:20 - 00039590 ____A C:\Windows\PFRO.log
    2012-07-16 18:31 - 2012-07-16 18:31 - 00000600 ____A C:\Windows\PUTTY.RND
    2012-07-16 17:35 - 2012-07-16 17:35 - 00001079 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-15 21:43 - 2012-07-15 20:20 - 00013434 ____A C:\Users\ReceptionAM\Desktop\Stocktake.xlsx
    2012-07-11 15:23 - 2011-04-19 17:34 - 00002443 ____A C:\Users\ReceptionAM\Desktop\Google Chrome.lnk
    2012-07-10 18:21 - 2012-07-10 18:21 - 00009835 ____A C:\Users\ReceptionAM\Desktop\staff contacts.xlsx
    2012-07-10 18:21 - 2012-07-10 17:47 - 00010205 ____A C:\Users\ReceptionAM\Desktop\buisnesscontacts.xlsx
    2012-07-02 19:46 - 2011-07-17 18:10 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-02 09:13 - 2010-07-04 23:31 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-01 23:11 - 2012-07-01 23:11 - 00021809 ____A C:\Users\ReceptionAM\Desktop\Robina Roster July 2012.xlsx
    2012-06-24 17:21 - 2012-02-08 18:05 - 00046810 ____A C:\Users\ReceptionAM\Documents\VOMailMerge.csv
    2012-06-18 20:56 - 2012-06-18 20:56 - 00022757 ____A C:\Users\ReceptionAM\Desktop\JaniceSbookingInvoiceA51.xls
    2012-06-05 14:29 - 2011-07-11 17:13 - 00001047 ____A C:\Users\ReceptionAM\Desktop\Dropbox.lnk
    2012-06-04 22:23 - 2012-06-26 17:19 - 00201728 ____A C:\Users\ReceptionAM\Desktop\GiftCertificate.pub
    2012-05-20 17:53 - 2012-05-20 17:54 - 00002141 ____A C:\Users\ReceptionAM\Desktop\ALL reception documents.lnk

    ZeroAccess:
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@

    ZeroAccess:
    C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
    C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 14%
    Total physical RAM: 2943.24 MB
    Available physical RAM: 2528.12 MB
    Total Pagefile: 2941.52 MB
    Available Pagefile: 2530.46 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1956.7 MB

    ======================= Partitions =========================

    2 Drive c: (NLServer) (Fixed) (Total:136.52 GB) (Free:22.95 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    3 Drive d: (PRESARIO_RP) (Fixed) (Total:12.51 GB) (Free:2.87 GB) FAT32
    5 Drive f: () (Removable) (Total:3.73 GB) (Free:2.38 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B
    Disk 1 Online 3819 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 136 GB 31 KB
    Partition 2 Primary 12 GB 136 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NLServer NTFS Partition 136 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D PRESARIO_RP FAT32 Partition 12 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3818 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT32 Removable 3818 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-17 19:19

    ======================= End Of Log ==========================
  2. R6n350GT

    R6n350GT Newcomer, in training Topic Starter

  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  4. R6n350GT

    Thanks, FRST log above, no changes done since then :) Awaiting Fix log and then I'll do the ComboFix step.
  5. Jay Pfoutz

    I know about the FRST log above. Please do the search for services.exe so we can replace the file.

    Also, please wait to run ComboFix till my queue.
  6. R6n350GT

    Oh sorry, I didn't see that. I will get back into work tomorrow and do that :)
  7. Jay Pfoutz

    I look forward to it! :)
  8. R6n350GT

    Ok Dragon, crazy day at work.
    Let me know next step :)

    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-27 16:13:47
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows.old\Windows\system32\services.exe
    [2004-08-04 04:00] - [2009-02-06 09:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE

    C:\Windows.old\Windows\system32\dllcache\services.exe
    [2004-08-04 04:00] - [2009-02-06 09:14] - 0110592 ___AC (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE

    C:\Windows.old\Windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe
    [2009-07-21 17:56] - [2008-04-13 16:12] - 0108544 ____A (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185

    C:\Windows.old\Windows\$NtUninstallKB956572$\services.exe
    [2009-07-21 23:38] - [2004-08-04 04:00] - 0108032 ___AC (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

    C:\Windows.old\Windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [2009-07-21 17:50] - [2009-02-06 03:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6

    C:\Windows.old\Windows\$hf_mig$\KB956572\SP3GDR\services.exe
    [2009-07-21 17:50] - [2009-02-06 03:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

    C:\Windows.old\Windows\$hf_mig$\KB956572\SP2QFE\services.exe
    [2009-07-21 17:50] - [2009-02-06 02:22] - 0110592 ____A (Microsoft Corporation) 4712531AB7A01B7EE059853CA17D39BD

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===
  9. Jay Pfoutz

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  10. R6n350GT

    THANK YOU VERY MUCH!!!!
    Much appreciated, no auto-resetting.

    I am running scans now to see if it is gone, but here is the log:

    start
    SubSystems: [Windows] ==> ZeroAccess
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\ReceptionAM\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
    end


    My firewall in Win 7 still won't turn back on, so I can't use Windows Defender... downloaded the MS firewall Fix it program and it tried to restart services, but no go?
  11. Jay Pfoutz

    No worries. Let's keep going here...

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  12. Jay Pfoutz

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
  13. R6n350GT

    I got a virus myself, so was away from work! Running ComboFix now.
  14. R6n350GT

    Log
    ComboFix 12-08-09.01 - Joe 10/08/2012 12:58:59.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.2943.1978 [GMT 10:00]
    Running from: \\BGHSERVER\Data\Nathan\virus removal\firesef.R\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\2407.tmp
    C:\503E.tmp
    C:\5B37.tmp
    C:\63ED.tmp
    C:\A3C5.tmp
    C:\E4F7.tmp
    c:\program files\Freeze.com\NetAssistant\NeTAssistant.dll
    c:\users\ReceptionAM\g2mdlhlpx.exe
    c:\windows\system32\service
    c:\windows\system32\service\14092010_TIS17_SfFniAU.log
    c:\windows\system32\service\15102010_TIS17_SfFniAU.log
    c:\windows\system32\service\26082010_TIS17_SfFniAU.log
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    D:\Autorun.inf
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-10 to 2012-08-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-10 03:21 . 2012-07-15 16:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA2DFBDC-E7A7-4CE2-BA22-836633E9F063}\mpengine.dll
    2012-08-10 03:06 . 2012-08-10 03:25 -------- d-----w- c:\users\Joe\AppData\Local\temp
    2012-08-10 03:06 . 2012-08-10 03:06 -------- d-----w- c:\users\ReceptionAM\AppData\Local\temp
    2012-08-10 02:51 . 2012-08-10 02:51 -------- d-----w- c:\users\Joe\AppData\Local\Macromedia
    2012-08-10 02:48 . 2012-08-10 02:48 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-01 05:41 . 2012-07-15 16:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-25 23:00 . 2012-07-25 23:00 -------- d-----w- C:\FRST
    2012-07-25 04:34 . 2012-07-25 04:34 -------- d-----w- c:\users\Joe\AppData\Roaming\Malwarebytes
    2012-07-25 04:32 . 2012-07-25 04:32 -------- d-----w- c:\users\Joe\AppData\Local\ElevatedDiagnostics
    2012-07-25 04:28 . 2012-02-09 04:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{51ACEA23-C50D-4C10-BA81-B9414DE2C63D}\gapaengine.dll
    2012-07-25 04:18 . 2012-07-25 04:18 -------- d-----w- c:\users\Joe\AppData\Local\Apple
    2012-07-21 01:21 . 2012-07-25 22:07 -------- d-----w- c:\windows\Microsoft Antimalware
    2012-07-20 07:03 . 2012-07-25 04:25 -------- d-----w- c:\program files\Microsoft Security Client
    2012-07-20 06:35 . 2012-07-20 06:35 -------- d-----w- c:\users\Joe\AppData\Local\Adobe
    2012-07-20 06:35 . 2012-07-25 22:07 -------- d-----w- C:\17356577a7292a18f53f580eadbc6466
    2012-07-20 05:49 . 2012-07-20 05:49 -------- d-----w- c:\users\Joe\AppData\Local\Mozilla
    2012-07-20 05:26 . 2012-07-25 04:17 -------- d-----w- c:\users\Joe\AppData\Local\{FF29E5BF-CFAD-11E1-8270-B8AC6F996F26}
    2012-07-17 01:30 . 2012-07-17 01:31 -------- d-----w- c:\program files\ShowMyPCService
    2012-07-17 01:22 . 2012-07-17 01:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-17 01:20 . 2012-07-17 01:22 -------- d-----w- c:\programdata\036DFF35356E2ADFFB9A5B664F147C45
    2012-07-17 01:20 . 2012-07-17 01:20 -------- d-----w- c:\users\ReceptionAM\AppData\Local\{FF2A1B5D-CFAD-11E1-8270-B8AC6F996F26}
    2012-07-17 01:20 . 2012-07-17 01:20 -------- d-----w- c:\users\ReceptionAM\AppData\Local\{FF29E5BF-CFAD-11E1-8270-B8AC6F996F26}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-10 02:48 . 2011-06-19 22:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-03 03:46 . 2011-07-18 02:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-03 00:07 . 2011-03-03 00:07 8768200 ----a-w- c:\program files\Common Files\lpuninstall.exe
    2012-06-25 22:56 . 2012-06-19 06:46 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2011-10-04 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
    [7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "SiSTray"="c:\program files\SiS VGA Utilities\SiSTray.exe" [2010-12-15 557056]
    "tvncontrol"="c:\program files\ShowMyPCService\tvnserver.exe" [2010-07-08 815704]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\admin-ashmore-2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-3-3 8768200]
    Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-3-3 8768200]
    .
    c:\users\ReceptionAM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe [N/A]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HCN Automatic Update.lnk - c:\program files\Health Communication Network\HCN Automatic Update\Hcn.Common.Updates.Server.exe [2010-12-22 239104]
    HICAPS Connect Service Setup.lnk - c:\program files\HICAPSConnect\HicapsConnectServiceController.exe [2010-12-9 883712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-04-20 01:34 136176 ----atw- c:\users\ReceptionAM\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [x]
    R3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
    R4 Erx Standard Adapter Service;Erx Standard Adapter Service;c:\program files\Best Practice Software\BPS\eRx\Erx.ScriptExchangeAdapter.StandardAdapter.exe [x]
    R4 Erx Standard Adapter Store & Forward Service;Erx Standard Adapter Store & Forward Service;c:\program files\Best Practice Software\BPS\eRx\Erx.ScriptExchangeAdapter.StandardAdapter.exe [x]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
    R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [x]
    R4 SQLAgent$BPSCLIENT;SQL Server Agent (BPSCLIENT);c:\program files\Microsoft SQL Server\MSSQL10_50.BPSINSTANCE\MSSQL\Binn\SQLAGENT.EXE [x]
    S1 MpKsl8832b454;MpKsl8832b454;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69F5B05B-D8DA-4927-BEDA-70295E908358}\MpKsl8832b454.sys [x]
    S1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [x]
    S2 HCNServiceManager;HCN Service Manager;c:\program files\Health Communication Network\HCN Service Manager\HcnServiceManagerService.exe [x]
    S2 HicapsConnectServer;HICAPS Connect Server;c:\program files\HICAPSConnect\HICAPSConnectService.exe [x]
    S2 HICAPSConnectServiceAgent;HICAPS Connect Agent;c:\program files\HICAPSConnect\HICAPSConnectServiceAgent.exe [x]
    S2 MSSQL$BPSCLIENT;SQL Server (BPSCLIENT);c:\program files\Microsoft SQL Server\MSSQL10_50.BPSINSTANCE\MSSQL\Binn\sqlservr.exe [x]
    S2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\RServer3.exe [x]
    S2 tvnserver;TightVNC Server;c:\program files\ShowMyPCService\tvnserver.exe [x]
    S3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [x]
    S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    GPSvcGroup REG_MULTI_SZ GPSvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3940439834-2066084479-3458484032-1155Core.job
    - c:\users\ReceptionAM\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-20 01:34]
    .
    2012-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3940439834-2066084479-3458484032-1155UA.job
    - c:\users\ReceptionAM\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-20 01:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://companyweb
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
    IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
    TCP: DhcpNameServer = 192.168.1.254 8.8.8.8 192.168.1.1
    FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\1m17iret.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10x_Plugin.exe
    MSConfigStartUp-NvCplDaemonTool - c:\users\RECEPT~1\xbload86.dll
    MSConfigStartUp-PC Speed Maximizer - c:\program files\PC Speed Maximizer\SPMStarter.exe
    MSConfigStartUp-SPMTray - c:\program files\PC Speed Maximizer\SPMTray.exe
    MSConfigStartUp-Startw3i - c:\program files\PC Speed Maximizer\Startw3i.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\sppsvc.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\AUDIODG.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\programdata\Macrovision\FLEXnet Connect\11\agent.exe
    c:\windows\system32\rserver30\FamItrfc.Exe
    c:\windows\system32\rserver30\FamItrfc.Exe
    c:\windows\system32\zshp1020.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-10 13:27:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-10 03:27
    .
    Pre-Run: 24,638,468,096 bytes free
    Post-Run: 24,647,561,216 bytes free
    .
    - - End Of File - - C4ED9CF45CEEF65BA91D83036EB44BC8

    Defender turned on but then had an error and turned back off :(
    Windows firewall is now able to be turned on!
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [image: dragging CFScript.txt onto ComboFix.exe]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
  17. R6n350GT

    R6n350GT Newcomer, in training Topic Starter

    Sorry, I am still unwell and have only been back at work 1 day. I will try the above and get back to you.
    Thanks!
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Get back when you can.
  19. R6n350GT

    R6n350GT Newcomer, in training Topic Starter

    FRST log and Services log

    FRST
    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-09-2012 03
    Ran by SYSTEM at 16-09-2012 22:28:17
    Running from F:\
    Windows 7 Professional (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-11-10] (Logitech Inc.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)
    HKLM-x32\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [3524536 2012-08-30] (Samsung Electronics Co., Ltd.)
    HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe [1667072 2012-02-27] (AimerSoft)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-23] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-02] (Sun Microsystems, Inc.)
    HKU\Andrew\...\Run: [Google Update] "C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-01] (Google Inc.)
    HKU\Andrew\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-22] (Apple Inc.)
    HKU\Andrew\...\Run: [GoToMeeting] "C:\Program Files (x86)\Citrix\GoToMeeting\970\g2mstart.exe" "/Trigger RunAtLogon" [39848 2012-06-02] (Citrix Online, a division of Citrix Systems, Inc.)
    HKU\Andrew\...\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload [964024 2012-08-30] (Samsung)
    HKU\Andrew\...\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21432 2012-08-30] ()
    Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
    Tcpip\..\Interfaces\{EF92238C-0F59-4C22-9825-A454B0B9ECD6}: [NameServer]10.4.182.20 10.4.81.103
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$1e4e482e9a02224eafa2c123cb155270\n. ATTENTION! ====> ZeroAccess
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
    ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\WD Quick View.lnk
    ShortcutTarget: WD Quick View.lnk -> C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe (Western Digital Technologies, Inc.)
    Startup: C:\Users\Andrew\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)

    ==================== Services (Whitelisted) ===================

    2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [9663848 2011-04-10] (DisplayLink Corp.)
    3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2999664 2007-09-11] (Symantec Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    2 N360; "C:\Program Files (x86)\Norton 360\Engine\6.2.1.5\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\6.2.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 SwiCardDetectSvc; "C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe" [288112 2010-08-30] (Sierra Wireless, Inc.)
    2 WDDMService; "C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe" [317328 2011-07-31] (WDC)
    2 WDFMEService; "C:\Program Files\Western Digital\WD SmartWare\WDFME.exe" [1978256 2011-07-31] (Western Digital )
    2 WDRulesService; "C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe" [1338256 2011-07-31] (Western Digital )
    3 SymSnapService; "C:\Program Files (x86)\Norton Ghost\Shared\Drivers\SymSnapServicex64.exe" [x]

    ==================== Drivers (Whitelisted) =====================

    1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\BASHDefs\20120804.001\BHDrvx64.sys [1161376 2012-06-18] (Symantec Corporation)
    1 ccSet_N360; C:\Windows\system32\drivers\N360x64\0602010.005\ccSetx64.sys [167048 2011-11-29] (Symantec Corporation)
    3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [17408 2011-04-10] (http://libusb-win32.sourceforge.net)
    1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-09] (Symantec Corporation)
    3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-05-31] (Symantec Corporation)
    3 GenericMount; C:\Windows\System32\Drivers\GenericMount.sys [66608 2010-02-11] (Symantec Corporation)
    1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\IPSDefs\20120810.001\IDSvia64.sys [509088 2012-06-14] (Symantec Corporation)
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\VirusDefs\20120813.003\ENG64.SYS [120440 2012-08-13] (Symantec Corporation)
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.1.2.10\Definitions\VirusDefs\20120813.003\EX64.SYS [2068600 2012-08-13] (Symantec Corporation)
    3 skfiltv; C:\Windows\System32\Drivers\skfiltv.sys [24064 2008-08-13] (Creative Technology Ltd.)
    3 SRTSP; C:\Windows\System32\Drivers\N360x64\0602010.005\SRTSP64.SYS [737912 2012-03-28] (Symantec Corporation)
    1 SRTSPX; C:\Windows\system32\drivers\N360x64\0602010.005\SRTSPX64.SYS [37496 2012-03-28] (Symantec Corporation)
    3 swiwdmbus; C:\Windows\System32\DRIVERS\swiwdmbusx64.sys [102656 2010-06-20] (Sierra Wireless Inc.)
    3 SWNC8UA3; C:\Windows\System32\Drivers\SWNC8UA3.sys [286720 2010-06-20] (Sierra Wireless Inc.)
    3 SWUMXA3; C:\Windows\System32\Drivers\SWUMXA3.sys [210944 2010-06-20] (Sierra Wireless Inc.)
    0 SymDS; C:\Windows\System32\drivers\N360x64\0602010.005\SYMDS64.SYS [451192 2012-01-17] (Symantec Corporation)
    0 SymEFA; C:\Windows\System32\drivers\N360x64\0602010.005\SYMEFA64.SYS [1092728 2012-01-17] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-04-19] (Symantec Corporation)
    1 SymIRON; C:\Windows\system32\drivers\N360x64\0602010.005\Ironx64.SYS [190072 2012-01-17] (Symantec Corporation)
    1 SymNetS; C:\Windows\System32\Drivers\N360x64\0602010.005\SYMNETS.SYS [405624 2012-01-17] (Symantec Corporation)
    3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [x]
    3 ew_hwusbdev; C:\Windows\System32\DRIVERS\ew_hwusbdev.sys [x]
    3 huawei_enumerator; C:\Windows\System32\DRIVERS\ew_jubusenum.sys [x]
    3 hwdatacard; C:\Windows\System32\DRIVERS\ewusbmdm.sys [x]
    0 SMR310; C:\Windows\System32\drivers\SMR310.SYS [x]
    3 SWUMX20; C:\Windows\System32\DRIVERS\swumx20.sys [x]
    2 V2iMount; [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-09-16 22:28 - 2012-09-16 22:28 - 00000000 ____D C:\FRST
    2012-09-16 04:15 - 2012-09-16 04:16 - 01454171 ____A (Farbar) C:\Users\Andrew\Downloads\FRST64.exe
    2012-09-16 04:00 - 2012-09-16 04:00 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-09-16 04:00 - 2012-09-16 04:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-09-16 04:00 - 2012-09-16 04:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-09-16 02:50 - 2012-09-16 03:50 - 12621696 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (2).exe
    2012-09-16 02:50 - 2012-09-16 02:50 - 06328367 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (1) (1).exe
    2012-09-16 00:16 - 2012-09-16 00:23 - 00587640 ____A C:\Users\Andrew\Downloads\cbsidlm-tr1_6-HitmanPro_3_64bit-75110395.exe
    2012-09-15 23:48 - 2012-09-16 02:50 - 06328367 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (1).exe
    2012-09-15 23:44 - 2012-09-15 23:47 - 00468900 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall.exe
    2012-09-15 23:13 - 2012-09-15 23:21 - 02892816 ____A (Symantec Corporation) C:\Users\Andrew\Downloads\NPE (1).exe
    2012-09-15 23:00 - 2012-09-15 23:26 - 11926300 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\Unconfirmed 34344.crdownload
    2012-09-14 03:14 - 2012-09-14 03:19 - 00000000 ____D C:\Users\Andrew\Desktop\Toowoomba
    2012-09-13 23:07 - 2012-09-13 23:08 - 00000000 ____D C:\Users\Andrew\Desktop\ebay
    2012-09-13 03:35 - 2012-09-13 03:54 - 00000000 ____D C:\Users\Andrew\Desktop\Electrical Contractors Course
    2012-09-08 23:06 - 2012-07-31 02:42 - 00203104 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudmdm.sys
    2012-09-08 23:06 - 2012-07-31 02:42 - 00102240 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudbus.sys
    2012-09-03 00:43 - 2012-09-15 23:40 - 00000000 ____D C:\Users\Andrew\AppData\Local\NPE
    2012-09-03 00:43 - 2012-09-03 00:43 - 02892816 ____A (Symantec Corporation) C:\Users\Andrew\Downloads\NPE.exe
    2012-08-31 12:31 - 2012-08-31 12:31 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
    2012-08-29 12:28 - 2012-08-29 12:28 - 00003038 ____A C:\Users\Andrew\Downloads\DISCOVER HOW TO MAKE THOUSANDS PER DAY WITH THIS -RISK FREE- BUSINESS SYSTEM.ics
    2012-08-23 01:57 - 2012-08-27 18:44 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
    2012-08-20 02:32 - 2012-08-20 02:32 - 00000000 ____D C:\Users\Andrew\Downloads\forex_turbo_scalper_demo
    2012-08-20 02:20 - 2012-08-20 02:20 - 00524500 ____A C:\Users\Andrew\Downloads\forex_turbo_scalper_demo.zip

    ==================== 3 Months Modified Files ==================

    2012-09-16 04:16 - 2012-09-16 04:15 - 01454171 ____A (Farbar) C:\Users\Andrew\Downloads\FRST64.exe
    2012-09-16 04:15 - 2011-11-01 01:55 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3607153244-3773723124-3608077106-1001UA.job
    2012-09-16 04:02 - 2011-06-27 23:33 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-09-16 04:01 - 2011-06-25 15:38 - 01513646 ____A C:\Windows\WindowsUpdate.log
    2012-09-16 04:00 - 2012-09-16 04:00 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-09-16 04:00 - 2011-07-31 14:12 - 00747860 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-09-16 03:50 - 2012-09-16 02:50 - 12621696 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (2).exe
    2012-09-16 03:22 - 2012-06-10 14:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-09-16 02:50 - 2012-09-16 02:50 - 06328367 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (1) (1).exe
    2012-09-16 02:50 - 2012-09-15 23:48 - 06328367 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (1).exe
    2012-09-16 00:23 - 2012-09-16 00:16 - 00587640 ____A C:\Users\Andrew\Downloads\cbsidlm-tr1_6-HitmanPro_3_64bit-75110395.exe
    2012-09-15 23:47 - 2012-09-15 23:44 - 00468900 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall.exe
    2012-09-15 23:39 - 2009-07-13 20:45 - 00015184 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-15 23:39 - 2009-07-13 20:45 - 00015184 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-15 23:38 - 2009-07-13 21:13 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-09-15 23:32 - 2012-02-12 06:00 - 00045796 ____A C:\Windows\setupact.log
    2012-09-15 23:32 - 2011-06-27 23:33 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-09-15 23:32 - 2011-06-25 15:36 - 00017408 ____A C:\Windows\SysWOW64\rpcnetp.dll
    2012-09-15 23:32 - 2011-06-25 15:35 - 00017408 ____A C:\Windows\SysWOW64\rpcnetp.exe
    2012-09-15 23:32 - 2011-06-25 15:35 - 00017408 ____A C:\Windows\System32\rpcnetp.exe
    2012-09-15 23:32 - 2011-06-25 00:13 - 00058288 ____A (Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.dll
    2012-09-15 23:32 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-15 23:26 - 2012-09-15 23:00 - 11926300 ____A (Microsoft Corporation) C:\Users\Andrew\Downloads\Unconfirmed 34344.crdownload
    2012-09-15 23:21 - 2012-09-15 23:13 - 02892816 ____A (Symantec Corporation) C:\Users\Andrew\Downloads\NPE (1).exe
    2012-09-10 01:53 - 2011-06-25 15:23 - 00000204 ____A C:\Windows\MYOBP.INI
    2012-09-10 01:53 - 2011-06-25 15:23 - 00000039 ____A C:\Windows\MYOB.INI
    2012-09-08 01:45 - 2011-11-01 01:55 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3607153244-3773723124-3608077106-1001Core.job
    2012-09-03 00:43 - 2012-09-03 00:43 - 02892816 ____A (Symantec Corporation) C:\Users\Andrew\Downloads\NPE.exe
    2012-08-31 12:31 - 2012-08-31 12:31 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
    2012-08-31 12:31 - 2012-08-13 12:32 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
    2012-08-31 12:31 - 2012-08-13 12:32 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2012-08-31 12:31 - 2012-04-23 15:27 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2012-08-31 12:31 - 2012-04-23 15:27 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2012-08-31 12:31 - 2011-11-08 15:32 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
    2012-08-29 12:28 - 2012-08-29 12:28 - 00003038 ____A C:\Users\Andrew\Downloads\DISCOVER HOW TO MAKE THOUSANDS PER DAY WITH THIS -RISK FREE- BUSINESS SYSTEM.ics
    2012-08-27 02:23 - 2012-06-10 14:28 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-27 02:23 - 2011-06-27 22:40 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-26 18:51 - 2011-06-25 15:45 - 00186880 __ASH C:\Users\Andrew\Documents\Thumbs.DB
    2012-08-20 02:20 - 2012-08-20 02:20 - 00524500 ____A C:\Users\Andrew\Downloads\forex_turbo_scalper_demo.zip
    2012-08-13 12:20 - 2012-08-13 12:20 - 00893936 ____A (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u5 (1).exe
    2012-08-13 12:14 - 2012-08-13 12:14 - 00893936 ____A (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u5.exe
    2012-08-06 17:08 - 2012-02-13 15:16 - 00056520 ____A C:\Windows\PFRO.log
    2012-07-31 02:42 - 2012-09-08 23:06 - 00203104 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudmdm.sys
    2012-07-31 02:42 - 2012-09-08 23:06 - 00102240 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudbus.sys
    2012-07-26 12:17 - 2009-07-13 21:08 - 00032580 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-24 00:16 - 2012-07-24 00:16 - 06836736 ____A C:\Users\Andrew\Desktop\Banners.pub


    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-3607153244-3773723124-3608077106-1001\$1e4e482e9a02224eafa2c123cb155270

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-08-07 08:58:37
    Restore point made on: 2012-08-13 12:31:22
    Restore point made on: 2012-08-13 12:32:51
    Restore point made on: 2012-08-15 14:35:51
    Restore point made on: 2012-08-22 13:15:27
    Restore point made on: 2012-08-24 15:02:29
    Restore point made on: 2012-08-27 01:23:22
    Restore point made on: 2012-08-31 12:30:58
    Restore point made on: 2012-09-03 00:49:56

    ==================== Memory info ===========================

    Percentage of memory in use: 15%
    Total physical RAM: 4056.89 MB
    Available physical RAM: 3427.36 MB
    Total Pagefile: 4055.04 MB
    Available Pagefile: 3418.68 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:465.66 GB) (Free:289.59 GB) NTFS
    3 Drive f: () (Removable) (Total:7.39 GB) (Free:7.38 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 Online 7580 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 465 GB 101 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 465 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7576 MB 4096 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT32 Removable 7576 MB Healthy

    =========================================================

    Last Boot: 2012-09-06 18:32

    ==================== End Of Log =============================
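    The FRST and ComboFix logs above carry the indicators a helper looks for before writing a fixlist: the InprocServer32 entry FRST marked "ATTENTION! ====> ZeroAccess" resolves into $Recycle.Bin, the GAC_32/GAC_64 Desktop.ini files FRST labels ZeroAccess, UAC switched off (EnableLUA = 0) and the Security Center AntiVirusOverride/FirewallOverride flags in the ComboFix log, and the services.exe search that confirms both copies share one MD5. The script below is an added example, not part of FRST, ComboFix or anything posted in this thread; it re-runs those checks over log lines. The regexes assume the line shapes seen in these logs, the list of directories treated as suspicious for a COM server is my assumption, and the benign `wbem\fastprox.dll` control line in the sample is constructed, not from the logs.

```python
"""Indicator triage over FRST / ComboFix log lines (added example, not FRST code)."""
import re
from typing import Dict, List

# Directories a legitimate COM server should not be loaded from (assumption).
SUSPICIOUS_DIRS = ("$recycle.bin", "\\users\\", "\\programdata\\", "\\temp\\")

# Line shapes taken from the thread's FRST and ComboFix logs.
RE_INPROC = re.compile(r"InprocServer32:\s*\[(?P<name>[^\]]*)\]\s*(?P<path>\S+)", re.I)
RE_ENABLELUA = re.compile(r'^"EnableLUA"=\s*(?P<val>\d+)')
RE_SC_OVERRIDE = re.compile(
    r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:(?P<val>[0-9a-f]{8})', re.I)
RE_GAC_INI = re.compile(r"\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I)
RE_MD5_TAIL = re.compile(r"(?P<md5>[0-9a-f]{32})\s*$", re.I)


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per indicator line; unrelated lines produce nothing."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = RE_INPROC.search(line)
        if m:
            # COM hijack: a CLSID's in-process server living outside a program dir.
            path = m.group("path")
            if any(tag in path.lower() for tag in SUSPICIOUS_DIRS):
                findings.append({"kind": "com_hijack", "detail": path})
            continue
        m = RE_ENABLELUA.match(line)
        if m:
            if m.group("val") == "0":
                findings.append({"kind": "uac_disabled", "detail": line})
            continue
        m = RE_SC_OVERRIDE.match(line)
        if m:
            # A non-zero override tells Security Center not to report the missing AV/firewall.
            if int(m.group("val"), 16) != 0:
                findings.append({"kind": "security_center_override", "detail": m.group("name")})
            continue
        if RE_GAC_INI.search(line):
            findings.append({"kind": "gac_desktop_ini", "detail": line})
    return findings


def parse_search_block(lines: List[str]) -> Dict[str, str]:
    """Map each path in an FRST 'Search:' block to the MD5 on the line after it."""
    hashes: Dict[str, str] = {}
    pending = None
    for raw in lines:
        line = raw.strip()
        if ":\\" in line and line.lower().endswith(".exe"):
            pending = line
            continue
        m = RE_MD5_TAIL.search(line)
        if m and pending:
            hashes[pending] = m.group("md5").upper()
            pending = None
    return hashes


def services_exe_consistent(lines: List[str]) -> bool:
    """True when every services.exe copy in the search block carries the same MD5."""
    return len(set(parse_search_block(lines).values())) == 1


# Constructed sample: lines copied from the thread's logs plus one benign
# control line (wbem\fastprox.dll) added so a clean COM entry is shown not to fire.
SAMPLE_LOG = r"""
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$1e4e482e9a02224eafa2c123cb155270\n. ATTENTION! ====> ZeroAccess
HKLM\...\InprocServer32: [Default] C:\Windows\System32\wbem\fastprox.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
"""

SAMPLE_SEARCH = r"""
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:26} {f['detail']}")
    print("services.exe copies consistent:", services_exe_consistent(SAMPLE_SEARCH.splitlines()))
```

    Run it against a saved FRST.txt by passing `open("FRST.txt").read().splitlines()` to `triage`; the services.exe check only applies to the block FRST writes for a `Search: "services.exe"` run, and a hash mismatch between the System32 copy and the winsxs copy is the thing to escalate, since the matching pair in this thread is what rules out the services.exe-patching ZeroAccess variant.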
  20. R6n350GT

    R6n350GT Newcomer, in training Topic Starter

    Services log
    Farbar Recovery Scan Tool (x64) Version: 15-09-2012 03
    Ran by SYSTEM at 2012-09-16 22:29:37
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
  21. R6n350GT

    R6n350GT Newcomer, in training Topic Starter

    Thanks Very Much in advance for your help with this.
    Please let me know if you need more info.
    All sorts of random websites open when I open a new webpage. *WEBSITE REMOVED* is the most common to open but many others.
    I was running Norton 360 but it was disabled. Windows Security Essentials found Sirefef files that were all quarantined before I was told not to let the program remove the infections.
    Thanks again
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Download the attached file, please. Save it on your flash drive to replace the current fixlist.txt. Make sure it maintains its current name fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.

    Attached Files:

  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Thread marked inactive. We'd like to continue to assist. Please make a return ASAP!
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! This is the last check-in for you. Please update us on your situation here. We'd love to help!

