TechSpot

Sirefef trojan endless reboot

By hleshot
Jul 20, 2012
  1. Log:
    Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
    Ran by SYSTEM at 20-07-2012 16:15:30
    Running from D:\
    Windows Vista (TM) Home Premium Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet003
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [6975520 2009-02-24] (Realtek Semiconductor)
    HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [x]
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16308768 2009-05-16] (NVIDIA Corporation)
    HKLM\...\Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [182808 2008-07-20] (Intel Corporation)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128232 2009-02-04] (CyberLink Corp.)
    HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKU\berto\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-02-09] (Google Inc.)
    HKU\berto\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet [6595928 2012-05-25] (Yahoo! Inc.)
    HKU\berto\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
    HKU\bird1\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-02-09] (Google Inc.)
    HKU\bird1\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [6595928 2012-05-25] (Yahoo! Inc.)
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\RA Media Server\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Setup\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-02-09] (Google Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.100.10
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\timeQplus.lnk
    ShortcutTarget: timeQplus.lnk -> C:\Program Files (x86)\Acroprint\timeQplusV3\TimeAttendance.exe (Acroprint Time Recorder Co. (USA).)
    Startup: C:\Users\berto\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
    Startup: C:\Users\bird1\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\RA Media Server\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Setup\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    ==================== Services (Whitelisted) ======
    2 DpHost; C:\Program Files (x86)\ZKSensor\bin\DpHost.exe [237568 2008-10-26] (DigitalPersona, Inc.)
    2 dsl-db; "C:\Program Files (x86)\Common Files\Dell\MySQL\bin\mysqld.exe" "--defaults-file=C:\Program Files (x86)\Common Files\Dell\MySQL\my.ini" dsl-db [9560 2010-02-25] ()
    4 iZHost; "C:\Program Files (x86)\ZKSensor\bin\iZHost.exe" [245760 2009-01-15] (ZKSoftware Inc)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)
    ========================== Drivers (Whitelisted) =============
    3 dpK00701; C:\Windows\SysWow64\Drivers\dpK00701.sys [46592 2008-10-26] (DigitalPersona, Inc.)
    3 JeppDrive; C:\Windows\System32\Drivers\JeppDrive.sys [26712 2010-05-17] (SMART Modular)
    3 usbdpfp; C:\Windows\SysWow64\Drivers\usbdpfp.sys [47104 2008-10-26] (DigitalPersona, Inc.)
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-07-20 16:15 - 2012-07-20 16:15 - 00000000 ____D C:\FRST
    2012-07-20 14:46 - 2012-07-20 14:46 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\otoiynsh.sys
    2012-07-20 14:22 - 2012-07-20 14:30 - 00064665 ____A C:\Users\bird1\Desktop\yorkyt.exe.log
    2012-07-20 14:22 - 2012-07-20 14:11 - 01415784 ____A C:\Users\bird1\Desktop\yorkyt.exe
    2012-07-20 14:22 - 2012-07-20 14:10 - 00137096 ____A (ESET) C:\Users\bird1\Desktop\ESETSirefefRemover.exe
    2012-07-20 14:16 - 2012-07-20 14:16 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ypjtvone.sys
    2012-07-20 13:59 - 2012-07-20 13:59 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dmzonluy.sys
    2012-07-20 13:49 - 2012-07-20 13:50 - 00000728 ____A C:\Users\berto\Desktop\stop shutdown.lnk
    2012-07-20 13:06 - 2012-07-20 13:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-07-20 13:01 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-20 13:01 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-20 13:01 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-20 13:01 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-20 13:01 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-20 13:01 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-20 13:01 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-20 13:01 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-20 13:01 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-20 13:01 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-20 13:01 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-20 13:01 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-20 13:01 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-20 13:01 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-20 13:01 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-20 13:01 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-20 13:01 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-20 13:01 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-20 13:01 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-20 13:01 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-20 13:01 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-20 13:01 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-20 13:01 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-20 13:01 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-20 13:01 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-20 13:01 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-20 13:01 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-20 13:01 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-20 13:00 - 2012-06-13 05:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-20 12:37 - 2005-08-03 15:05 - 00035892 ____A (Prolific Technology Inc.) C:\Windows\SysWOW64\SER9PL.sys
    2012-07-20 12:37 - 2005-08-03 15:04 - 00026719 ____A C:\Windows\SysWOW64\SERSPL.VXD
    2012-07-17 12:33 - 2012-07-17 12:34 - 03282515 ____A C:\Users\berto\Documents\0000.wmv
    2012-07-17 12:29 - 2012-07-17 12:30 - 01756854 ____A C:\Users\berto\Documents\1Montano.bmp
    2012-07-17 12:02 - 2012-07-17 12:02 - 00000972 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk
    2012-07-16 13:13 - 2012-07-16 13:13 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-07-10 23:49 - 2012-06-08 09:59 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-10 23:49 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-10 14:18 - 2012-07-10 14:18 - 00000000 ____D C:\Users\berto\Documents\DSDownloader
    2012-07-10 14:18 - 2012-07-10 14:18 - 00000000 ____D C:\Program Files\DiabloSport
    2012-07-10 14:13 - 2012-07-10 14:14 - 06342043 ____A (DiabloSport, Inc. ) C:\Users\berto\Downloads\DSDownloader_Installer_2.2.2.6.exe
    2012-06-26 10:16 - 2012-06-26 10:16 - 00001696 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-26 10:15 - 2012-06-26 10:16 - 00000000 ____D C:\Program Files\iTunes
    2012-06-26 10:15 - 2012-06-26 10:16 - 00000000 ____D C:\Program Files (x86)\iTunes
    2012-06-26 10:15 - 2012-06-26 10:15 - 00000000 ____D C:\Program Files\iPod
    2012-06-20 22:25 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-20 22:25 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-20 22:25 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-20 22:25 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-20 22:24 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-20 22:24 - 2012-06-02 14:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-20 22:24 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-20 22:24 - 2012-06-02 14:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-06-20 15:28 - 2012-06-20 15:28 - 00023531 ____A C:\Users\berto\Documents\Copy of Four-year profit projection yogurt (3).xlsx
    ============ 3 Months Modified Files ========================
    2012-07-20 14:46 - 2012-07-20 14:46 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\otoiynsh.sys
    2012-07-20 14:40 - 2010-01-20 10:12 - 00144499 ____A C:\Users\All Users\nvModes.dat
    2012-07-20 14:40 - 2010-01-20 10:12 - 00144499 ____A C:\Users\All Users\nvModes.001
    2012-07-20 14:39 - 2010-02-09 17:03 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-20 14:39 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-20 14:39 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-20 14:39 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-20 14:36 - 2010-02-08 16:40 - 00000680 ____A C:\Users\bird1\AppData\Local\d3d9caps.dat
    2012-07-20 14:30 - 2012-07-20 14:22 - 00064665 ____A C:\Users\bird1\Desktop\yorkyt.exe.log
    2012-07-20 14:18 - 2010-02-08 11:14 - 00102832 ____A C:\Users\bird1\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-20 14:16 - 2012-07-20 14:16 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ypjtvone.sys
    2012-07-20 14:11 - 2012-07-20 14:22 - 01415784 ____A C:\Users\bird1\Desktop\yorkyt.exe
    2012-07-20 14:10 - 2012-07-20 14:22 - 00137096 ____A (ESET) C:\Users\bird1\Desktop\ESETSirefefRemover.exe
    2012-07-20 13:59 - 2012-07-20 13:59 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dmzonluy.sys
    2012-07-20 13:50 - 2012-07-20 13:49 - 00000728 ____A C:\Users\berto\Desktop\stop shutdown.lnk
    2012-07-20 13:44 - 2010-01-20 03:58 - 01880687 ____A C:\Windows\WindowsUpdate.log
    2012-07-20 13:27 - 2012-04-12 10:03 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-20 13:21 - 2010-02-09 17:03 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-20 13:13 - 2006-11-02 07:21 - 00382952 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-20 13:10 - 2008-01-20 19:26 - 00062192 ____A C:\Windows\PFRO.log
    2012-07-20 13:06 - 2011-03-15 12:45 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-20 13:06 - 2010-02-25 10:10 - 00725804 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-20 13:04 - 2011-01-22 14:54 - 00000039 ____A C:\Windows\vbaddin.ini
    2012-07-17 12:34 - 2012-07-17 12:33 - 03282515 ____A C:\Users\berto\Documents\0000.wmv
    2012-07-17 12:30 - 2012-07-17 12:29 - 01756854 ____A C:\Users\berto\Documents\1Montano.bmp
    2012-07-17 12:02 - 2012-07-17 12:02 - 00000972 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk
    2012-07-11 20:22 - 2012-04-12 10:03 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-11 20:22 - 2011-05-25 11:01 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-11 16:06 - 2006-11-02 07:27 - 00265235 ____A C:\Windows\setupact.log
    2012-07-10 14:14 - 2012-07-10 14:13 - 06342043 ____A (DiabloSport, Inc. ) C:\Users\berto\Downloads\DSDownloader_Installer_2.2.2.6.exe
    2012-06-26 10:16 - 2012-06-26 10:16 - 00001696 ____A C:\Users\Public\Desktop\iTunes.lnk
    2012-06-25 12:54 - 2012-05-08 15:00 - 00023219 ____A C:\Users\berto\Documents\Copy of Four-year profit projection yogurt.xlsx
    2012-06-20 15:28 - 2012-06-20 15:28 - 00023531 ____A C:\Users\berto\Documents\Copy of Four-year profit projection yogurt (3).xlsx
    2012-06-20 15:24 - 2006-11-02 04:46 - 00710892 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-13 05:58 - 2012-07-20 13:00 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 14:52 - 2012-06-08 14:52 - 00358738 ____A C:\Users\berto\AppData\Local\dd_vcredistMSI0188.txt
    2012-06-08 14:52 - 2012-06-08 14:52 - 00012990 ____A C:\Users\berto\AppData\Local\dd_vcredistUI0188.txt
    2012-06-08 14:52 - 2010-10-06 09:12 - 00000031 ____A C:\Windows\JSUMUpdater.ini
    2012-06-08 09:59 - 2012-07-10 23:49 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 09:47 - 2012-07-10 23:49 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-02 14:19 - 2012-06-20 22:25 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-20 22:25 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-20 22:25 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-20 22:24 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 14:19 - 2012-06-20 22:24 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 14:15 - 2012-06-20 22:25 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-20 22:24 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 14:12 - 2012-06-20 22:24 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-06-02 04:49 - 2012-07-20 13:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-20 13:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-20 13:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-20 13:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-20 13:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-20 13:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-20 13:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-20 13:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-20 13:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-20 13:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-20 13:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-20 13:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-20 13:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-20 13:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-20 13:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-20 13:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-20 13:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-20 13:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-20 13:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-20 13:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-20 13:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-20 13:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-20 13:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-20 13:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-20 13:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-20 13:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-20 13:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-20 13:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-29 09:53 - 2012-05-29 09:53 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
    2012-05-09 14:41 - 2012-05-09 14:41 - 00000165 ___AH C:\Users\berto\Documents\~$Copy of Four-year profit projection yogurt.xlsx
    2012-05-07 12:46 - 2012-05-07 12:45 - 01769618 ____A C:\Users\berto\Documents\marriageproposal.wmv
    2012-05-02 12:52 - 2012-05-02 12:52 - 00003906 ____A C:\Users\berto\Downloads\hersheysmillgolfclub.com.zip
    ZeroAccess:
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\@
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\L
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\n
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\U
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\L\00000004.@
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\L\1afb2d56
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\L\201d3dde
    C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\U\00000008.@
    ZeroAccess:
    C:\Users\berto\AppData\Local\{2f470416-15ed-8107-8aab-5b05cd2c7d13}
    C:\Users\berto\AppData\Local\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\@
    C:\Users\berto\AppData\Local\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\L
    C:\Users\berto\AppData\Local\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\U
    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini
    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 7%
    Total physical RAM: 8182.07 MB
    Available physical RAM: 7537.11 MB
    Total Pagefile: 7927.96 MB
    Available Pagefile: 7501.18 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB
    ======================= Partitions =========================
    1 Drive c: (OS) (Fixed) (Total:683.57 GB) (Free:348.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: () (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT
    8 Drive j: (DVD Video Recording) (CDROM) (Total:1 GB) (Free:0 GB) UDF
    9 Drive x: (RECOVERY) (Fixed) (Total:15 GB) (Free:1.93 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 699 GB 0 B
    Disk 1 Online 1908 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 71 MB 32 KB
    Partition 2 Primary 15 GB 71 MB
    Partition 3 Primary 684 GB 15 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 9 FAT Partition 71 MB Healthy Hidden
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 X RECOVERY NTFS Partition 15 GB Healthy Boot
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C OS NTFS Partition 684 GB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1908 MB 16 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 D FAT Removable 1908 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-07-20 08:14
    ======================= End Of Log ==========================
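    The indicators a malware-removal helper picks out of a log like this by eye (the ZeroAccess: blocks, the services.exe line in the Bamital & volsnap check, and the freshly created random-named drivers in System32\Drivers) can be pulled out mechanically. The Python below is an added triage example, not FRST's code and not anything posted in the thread; it runs over a constructed sample made of lines from the posted log, and its eight-lowercase-letter driver-name rule is a heuristic of the example, not an FRST feature.

```python
"""Triage an FRST log for the ZeroAccess/Sirefef indicators seen in the thread above.

Added example for this thread, not FRST's own code and not anything posted in the forum.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines of the posted log, in the FRST log format shown above.
SAMPLE_LOG = r"""
============ One Month Created Files and Folders ==============
2012-07-20 14:46 - 2012-07-20 14:46 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\otoiynsh.sys
2012-07-20 13:06 - 2012-07-20 13:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-20 13:00 - 2012-06-13 05:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
ZeroAccess:
C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}
C:\Windows\Installer\{2f470416-15ed-8107-8aab-5b05cd2c7d13}\@
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
======================= End Of Log ==========================
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # zeroaccess_path | md5_mismatch | suspicious_driver
    path: str
    detail: str


WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# "<created> - <modified> - <size> <attrs> [(Company) ]<path>" file-section entries.
ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$"
)
# Bamital/volsnap check line for a critical binary whose hash FRST could not vouch for.
ATTENTION = re.compile(r"^(?P<path>.+?) (?P<md5>[0-9A-Fa-f]{32}) (?P<tag>\S+) <==== ATTENTION")
# Heuristic (not an FRST rule): an eight-lowercase-letter driver name under
# System32\Drivers, the naming pattern of the three 50392-byte .sys files posted above.
RANDOM_DRIVER = re.compile(r"\\System32\\Drivers\\[a-z]{8}\.sys$")


def parse_frst(text: str) -> list[Finding]:
    """Return de-duplicated findings from the text of an FRST log."""
    findings: list[Finding] = []
    seen: set[Finding] = set()

    def add(f: Finding) -> None:
        if f not in seen:  # a file can appear in both the created and the modified sections
            seen.add(f)
            findings.append(f)

    in_za_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":
            # FRST prints this header before each directory or file it attributes to
            # the rootkit; the path lines that follow belong to that block.
            in_za_block = True
            continue
        if in_za_block and WIN_PATH.match(line):
            add(Finding("zeroaccess_path", line, "listed under a ZeroAccess: header"))
            continue
        in_za_block = False
        m = ATTENTION.match(line)
        if m:
            add(Finding("md5_mismatch", m["path"], f"{m['tag']} md5={m['md5'].lower()}"))
            continue
        m = ENTRY.match(line)
        if m and RANDOM_DRIVER.search(m["path"]):
            # "(Microsoft Corporation)" is only the file's own version-info string,
            # not a signature check, so it does not clear the file.
            add(Finding("suspicious_driver", m["path"],
                        f"size={int(m['size'])} company={m['company'] or '-'} "
                        f"created={m['created']}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind; an empty dict means nothing was flagged."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts
```

    Feed it the saved FRST.txt of a real scan with `parse_frst(open(path).read())`; a clean machine yields an empty summary.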
     
  2. hleshot

    hleshot TS Rookie Topic Starter

    Any help, greatly appreciated. It's a Vista box that's in an endless reboot cycle with the "Windows will restart in 1 minute" message at every boot instance.

    Thanks...in advance!
     
  3. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================

    In Vista or Windows 7: Boot to System Recovery Options and run FRST.
    In Windows XP: Please boot to UBCD and run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes to your reply.
     