TechSpot

Sirefef.y removal

Solved
By tavliban
Aug 17, 2012
  1. Hello to all!

    I have a laptop here running Windows 7 64-bit, and unfortunately it got infected with sirefef.y. When I understood what the problem was (since it was infected by an inexperienced user -> not me :) ), I uninstalled MS Security Essentials and reinstalled it. The problem, however, was that it rebooted after a 60-second warning.

    Actions I have taken so far, in order:

    Ran Kaspersky Rescue Disk and Avira Rescue Disk with no result.
    Booted into Windows 7 and uninstalled MSE in order not to reboot in 60 seconds (successfully; I can now stay logged in in the Windows environment, but no firewall or antivirus is running).
    Ran a Malwarebytes' Anti-Malware test, with the results attached.
    Deleted all temporary data in the Windows\temp folder and the user folder.
    Read this post here

    http://www.techspot.com/community/topics/sirefef-removal-60-seconds-reboot.181609/

    and ran FRST, with the attached result.

    However, as I read here, a manual solution is the only way.

    So please help me out guys! Thanks in advance.
     


  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)

    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply. Do not attach, please!
     
  3. tavliban

    tavliban TS Member Topic Starter

    Hello, and thanks for the quick reply... I did what you asked and here is the output... The output was FRST.txt, however, on G:\ (the letter of the USB disk I use).

    Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 17-08-2012 19:36:38
    Running from G:\
    Windows 7 Ultimate (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-05] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-05-26] (Elaborate Bytes AG)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [87336 2010-02-02] (CyberLink Corp.)
    HKLM-x32\...\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [75048 2010-04-01] (cyberlink)
    HKLM-x32\...\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [1828136 2007-08-07] (Nero AG)
    HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [402432 2010-07-22] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-19] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475584 2010-11-19] (Microsoft Corporation)
    HKU\Katerina\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe" [202024 2007-08-03] (Nero AG)
    HKU\Katerina\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671872 2012-04-17] (DT Soft Ltd)
    HKU\Katerina\...\Run: [Google Update] "C:\Users\Katerina\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-25] (Google Inc.)
    HKU\Katerina\...\Run: [Sony PC Companion] "C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe" /Background [445624 2012-05-31] (Sony)
    Tcpip\Parameters: [DhcpNameServer] 10.5.80.1 194.30.220.110

    ==================== Services (Whitelisted) ======

    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    2 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [836904 2007-08-07] (Nero AG)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    3 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [382248 2007-08-03] (Nero AG)
    3 Sony PC Companion; "C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe" [155320 2012-01-18] (Avanquest Software)

    ========================== Drivers (Whitelisted) =============

    1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-04-22] (DT Soft Ltd)
    2 MySQL; "C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.5\my.ini" MySQL [8914 2011-04-03] ()
    3 rimsptsk; C:\Windows\System32\DRIVERS\rimssn64.sys [85504 2008-08-01] (REDC)
    2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}; \??\C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [146928 2010-04-01] (CyberLink Corp.)
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-17 17:33 - 2012-08-17 17:33 - 00000000 ____D C:\FRST
    2012-08-17 05:21 - 2012-08-17 05:21 - 00000000 ____D C:\Program Files\Enigma Software Group
    2012-08-17 05:20 - 2012-08-17 05:52 - 00000000 ____D C:\Windows\F896D02690164122B9BD957FF092FFE9.TMP
    2012-08-17 05:19 - 2012-08-17 05:19 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Katerina\Downloads\SpyHunter-Installer.exe
    2012-08-17 05:19 - 2012-08-17 05:19 - 00000059 ___RH C:\Users\Katerina\Downloads\stinger.opt
    2012-08-17 05:19 - 2012-08-17 05:19 - 00000000 ____D C:\Users\Katerina\AppData\Roaming\SpeedyPC Software
    2012-08-17 05:19 - 2012-08-17 05:19 - 00000000 ____D C:\Users\Katerina\AppData\Roaming\DriverCure
    2012-08-17 05:18 - 2012-08-17 05:47 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
    2012-08-17 05:17 - 2012-08-17 05:17 - 04983144 ____A (SpeedyPC Software) C:\Users\Katerina\Downloads\SpeedyPC Pro Installer.exe
    2012-08-17 05:17 - 2012-08-17 05:17 - 00001205 ____A C:\Users\Katerina\Downloads\FixNCR.reg
    2012-08-17 05:09 - 2012-08-17 05:27 - 00000000 ____D C:\Users\Katerina\Desktop\Virusremoval
    2012-08-17 05:05 - 2012-08-17 05:05 - 00000000 ____D C:\Users\Katerina\AppData\Roaming\Malwarebytes
    2012-08-17 05:04 - 2012-08-17 05:04 - 09817192 ____A (McAfee Inc.) C:\Users\Katerina\Downloads\stinger.exe
    2012-08-17 05:04 - 2012-08-17 05:04 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-17 05:04 - 2012-08-17 05:04 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-17 05:04 - 2012-08-17 05:04 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-08-17 05:04 - 2012-07-03 02:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-17 05:03 - 2012-08-17 05:04 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Katerina\Downloads\mbam-setup.exe
    2012-08-17 03:35 - 2012-08-17 03:40 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
    2012-08-17 00:01 - 2012-08-17 05:19 - 00000000 ____D C:\Program Files (x86)\stinger
    2012-08-16 12:53 - 2012-08-16 12:53 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1B8B50754A1263DD
    2012-08-16 12:48 - 2012-08-16 12:49 - 16476616 ____A (Microsoft Corporation) C:\Users\Katerina\Downloads\Windows-KB890830-V4.11.exe
    2012-08-16 12:47 - 2012-08-16 12:47 - 00085527 ____A C:\Users\Katerina\Desktop\ec3fc3b8-69ec-4b4b-a703-4b745fe6e8ee.htm
    2012-08-16 12:47 - 2012-08-16 12:47 - 00000000 ____D C:\Users\Katerina\Desktop\ec3fc3b8-69ec-4b4b-a703-4b745fe6e8ee_files
    2012-08-16 12:43 - 2012-08-17 04:55 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-16 12:43 - 2012-08-17 04:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-08-16 12:41 - 2012-08-16 12:41 - 12621696 ____A (Microsoft Corporation) C:\Users\Katerina\Downloads\mseinstall.exe
    2012-08-16 12:21 - 2012-08-16 12:21 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ggsemc_01009.Wdf
    2012-08-16 12:21 - 2012-08-16 12:21 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ggflt_01009.Wdf
    2012-08-16 12:14 - 2012-08-16 12:14 - 01721576 ____A (Microsoft Corporation) C:\Windows\System32\WdfCoInstaller01009.dll
    2012-08-16 12:14 - 2012-08-16 12:14 - 00027760 ____A (Sony Ericsson Mobile Communications) C:\Windows\System32\Drivers\ggsemc.sys
    2012-08-16 12:14 - 2012-08-16 12:14 - 00014448 ____A (Sony Ericsson Mobile Communications) C:\Windows\System32\Drivers\ggflt.sys
    2012-08-16 12:13 - 2012-08-16 12:13 - 00000000 ____D C:\Users\All Users\Sony Ericsson
    2012-08-16 12:13 - 2012-08-16 12:13 - 00000000 ____D C:\Program Files (x86)\Sony Ericsson
    2012-07-31 12:28 - 2012-08-16 12:06 - 00000000 ____D C:\Users\All Users\0C1CFAEFE02ABDAFAE35B2CFF875EF60
    2012-07-22 11:01 - 2012-07-22 11:01 - 106399901 ____N C:\Users\Katerina\Desktop\MOV_0010.mp4

    ============ 3 Months Modified Files ========================

    2012-08-17 07:36 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-17 06:42 - 2011-03-27 07:44 - 00565244 ____A C:\Windows\System32\perfh008.dat
    2012-08-17 06:42 - 2009-07-13 21:13 - 01378838 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-17 06:38 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-17 06:38 - 2009-07-13 20:51 - 00058713 ____A C:\Windows\setupact.log
    2012-08-17 05:52 - 2011-03-27 05:28 - 01612460 ____A C:\Windows\WindowsUpdate.log
    2012-08-17 05:52 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 05:52 - 2009-07-13 20:45 - 00014224 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-17 05:29 - 2012-04-25 12:30 - 00001206 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1411842853-294139791-1900781283-1000UA.job
    2012-08-17 05:28 - 2012-04-12 23:54 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-17 05:19 - 2012-08-17 05:19 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Katerina\Downloads\SpyHunter-Installer.exe
    2012-08-17 05:19 - 2012-08-17 05:19 - 00000059 ___RH C:\Users\Katerina\Downloads\stinger.opt
    2012-08-17 05:17 - 2012-08-17 05:17 - 04983144 ____A (SpeedyPC Software) C:\Users\Katerina\Downloads\SpeedyPC Pro Installer.exe
    2012-08-17 05:17 - 2012-08-17 05:17 - 00001205 ____A C:\Users\Katerina\Downloads\FixNCR.reg
    2012-08-17 05:04 - 2012-08-17 05:04 - 09817192 ____A (McAfee Inc.) C:\Users\Katerina\Downloads\stinger.exe
    2012-08-17 05:04 - 2012-08-17 05:04 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-17 05:04 - 2012-08-17 05:03 - 10651816 ____A (Malwarebytes Corporation ) C:\Users\Katerina\Downloads\mbam-setup.exe
    2012-08-17 05:03 - 2011-03-27 07:44 - 00091714 ____A C:\Windows\System32\perfc008.dat
    2012-08-17 04:55 - 2011-03-27 06:49 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-16 23:49 - 2009-07-13 20:45 - 00422976 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-16 12:53 - 2012-08-16 12:53 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1B8B50754A1263DD
    2012-08-16 12:49 - 2012-08-16 12:48 - 16476616 ____A (Microsoft Corporation) C:\Users\Katerina\Downloads\Windows-KB890830-V4.11.exe
    2012-08-16 12:47 - 2012-08-16 12:47 - 00085527 ____A C:\Users\Katerina\Desktop\ec3fc3b8-69ec-4b4b-a703-4b745fe6e8ee.htm
    2012-08-16 12:43 - 2011-03-27 06:48 - 01398868 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-16 12:41 - 2012-08-16 12:41 - 12621696 ____A (Microsoft Corporation) C:\Users\Katerina\Downloads\mseinstall.exe
    2012-08-16 12:28 - 2012-04-12 23:54 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-16 12:28 - 2011-06-03 12:52 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-16 12:21 - 2012-08-16 12:21 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ggsemc_01009.Wdf
    2012-08-16 12:21 - 2012-08-16 12:21 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ggflt_01009.Wdf
    2012-08-16 12:14 - 2012-08-16 12:14 - 01721576 ____A (Microsoft Corporation) C:\Windows\System32\WdfCoInstaller01009.dll
    2012-08-16 12:14 - 2012-08-16 12:14 - 00027760 ____A (Sony Ericsson Mobile Communications) C:\Windows\System32\Drivers\ggsemc.sys
    2012-08-16 12:14 - 2012-08-16 12:14 - 00014448 ____A (Sony Ericsson Mobile Communications) C:\Windows\System32\Drivers\ggflt.sys
    2012-08-16 12:13 - 2012-04-25 12:31 - 00002467 ____A C:\Users\Katerina\Desktop\Google Chrome.lnk
    2012-08-16 12:11 - 2012-06-09 06:01 - 00177702 ____A C:\Windows\DPINST.LOG
    2012-08-16 12:10 - 2012-06-09 06:00 - 00002026 ____A C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk
    2012-07-22 11:01 - 2012-07-22 11:01 - 106399901 ____N C:\Users\Katerina\Desktop\MOV_0010.mp4
    2012-07-20 16:29 - 2012-04-25 12:30 - 00001154 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1411842853-294139791-1900781283-1000Core.job
    2012-07-13 11:36 - 2012-07-13 11:36 - 00045270 ____A C:\Users\Katerina\Desktop\support-on-site-claim-complete.jsp.htm
    2012-07-11 08:17 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-07-11 08:14 - 2011-03-27 07:31 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-03 22:35 - 2009-07-13 21:08 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-03 02:46 - 2012-08-17 05:04 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-17 00:22 - 2012-06-17 00:22 - 02458198 ____A C:\Users\Katerina\Downloads\nkoutselinis.rar
    2012-06-11 19:08 - 2012-07-11 08:18 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-09 14:09 - 2011-03-27 07:42 - 00028736 ____A C:\Windows\PFRO.log
    2012-06-08 21:43 - 2012-07-11 08:09 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 20:41 - 2012-07-11 08:09 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 22:06 - 2012-07-11 08:09 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 22:06 - 2012-07-11 08:09 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 22:02 - 2012-07-11 08:09 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-05 21:05 - 2012-07-11 08:09 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 21:05 - 2012-07-11 08:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 21:03 - 2012-07-11 08:09 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-06-03 09:52 - 2012-06-03 09:52 - 00001174 ____A C:\Users\Katerina\Desktop\PotPlayer.lnk
    2012-06-02 14:19 - 2012-06-23 07:22 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-23 07:22 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-23 07:22 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-23 07:21 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-23 07:21 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-23 07:22 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-23 07:21 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 04:49 - 2012-07-11 08:12 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:19 - 2012-06-23 07:21 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 04:17 - 2012-07-11 08:12 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:15 - 2012-06-23 07:21 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 04:12 - 2012-07-11 08:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-11 08:12 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-11 08:12 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-11 08:12 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-11 08:12 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-11 08:12 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-11 08:12 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-11 08:12 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-11 08:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-11 08:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-11 08:12 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-11 08:12 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-11 08:12 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 08:12 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 08:12 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 08:12 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 08:12 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 08:12 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-11 08:12 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-11 08:12 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 08:12 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 08:12 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 08:12 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-11 08:12 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 08:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 08:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 21:50 - 2012-07-11 08:09 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 21:48 - 2012-07-11 08:09 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 21:48 - 2012-07-11 08:09 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 21:45 - 2012-07-11 08:09 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 21:44 - 2012-07-11 08:09 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 20:40 - 2012-07-11 08:09 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 20:40 - 2012-07-11 08:09 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 20:39 - 2012-07-11 08:09 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-06-01 20:34 - 2012-07-11 08:09 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-05-20 05:44 - 2012-05-20 05:42 - 00000375 ____A C:\Users\Katerina\Katerina.lnk
    2012-05-20 05:42 - 2012-05-20 05:42 - 01437119 ____A C:\Users\Katerina\metamorph_carousel.zip


    ZeroAccess:
    C:\Windows\Installer\{fa6c4469-9725-ae8b-a121-e1d3466247a0}
    C:\Windows\Installer\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\@
    C:\Windows\Installer\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\L
    C:\Windows\Installer\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\U

    ZeroAccess:
    C:\Users\Katerina\AppData\Local\{fa6c4469-9725-ae8b-a121-e1d3466247a0}
    C:\Users\Katerina\AppData\Local\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\@
    C:\Users\Katerina\AppData\Local\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\L
    C:\Users\Katerina\AppData\Local\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe FCB084FA3DCB7449F3BAA13312A215B4 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 14%
    Total physical RAM: 4063.04 MB
    Available physical RAM: 3462.23 MB
    Total Pagefile: 4061.19 MB
    Available Pagefile: 3457 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:234.28 GB) (Free:61.64 GB) NTFS
    2 Drive e: (Secondary) (Fixed) (Total:63.71 GB) (Free:54.21 GB) NTFS
    4 Drive g: (MSIHQ) (Removable) (Total:0.93 GB) (Free:0.91 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 956 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 234 GB 101 MB
    Partition 3 Primary 63 GB 234 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 234 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E Secondary NTFS Partition 63 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 955 MB 31 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G MSIHQ FAT32 Removable 955 MB Healthy

    ==================================================================================

    Last Boot: 2012-07-18 14:20

    ======================= End Of Log ==========================
     
  4. tavliban

    tavliban TS Member Topic Starter

    Sorry, I was in a hurry before :) ... here is the correct output!

    Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 2012-08-17 22:58:19
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2012-08-17 07:36] - 0328704 ____A (Microsoft Corporation) FCB084FA3DCB7449F3BAA13312A215B4

    ====== End Of Search ======
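    The helper's reasoning above (the live services.exe carries a different MD5 than the pristine WinSxS copy, and the {GUID} folders holding '@', 'L' and 'U' are the ZeroAccess footprint) can be checked mechanically. The Python below is an added example, not code from the thread, from FRST or from its author; its sample input is constructed from the log lines posted in this thread, and the extra all-zero GUID folder is a made-up negative case.

```python
"""Triage helpers for FRST output: an added example, not code from the thread,
from FRST or from its author. It works on text copied out of FRST logs."""
import re
from collections import defaultdict

# Constructed sample: the FRST "Search: services.exe" block posted in this thread.
SEARCH_OUTPUT = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 15:19] - [2012-08-17 07:36] - 0328704 ____A (Microsoft Corporation) FCB084FA3DCB7449F3BAA13312A215B4

====== End Of Search ======
"""

# Constructed sample: the two "ZeroAccess:" sections of the FRST scan above,
# plus one made-up {GUID} folder that has no '@', 'L', 'U' entries (negative case).
SCAN_LINES = """\
C:\\Windows\\Installer\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}
C:\\Windows\\Installer\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\\@
C:\\Windows\\Installer\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\\L
C:\\Windows\\Installer\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\\U
C:\\Users\\Katerina\\AppData\\Local\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}
C:\\Users\\Katerina\\AppData\\Local\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\\@
C:\\Users\\Katerina\\AppData\\Local\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\\L
C:\\Users\\Katerina\\AppData\\Local\\{fa6c4469-9725-ae8b-a121-e1d3466247a0}\\U
C:\\Windows\\Installer\\{00000000-0000-0000-0000-000000000000}
"""

# FRST detail line: [created] - [modified] - size attributes (vendor) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attr>\S+) (?:\((?P<vendor>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)

# {GUID} folder directly under Windows\Installer or a user's AppData\Local,
# optionally followed by one of the '@', 'L', 'U' entries FRST lists.
GUID_DIR_RE = re.compile(
    r"^(?P<base>[A-Za-z]:\\(?:Windows\\Installer|Users\\[^\\]+\\AppData\\Local)\\"
    r"\{[0-9a-f-]{36}\})(?:\\(?P<leaf>[@LU]))?$",
    re.IGNORECASE,
)


def parse_search(text):
    """Return one dict per search hit: path, created, modified, size, vendor, md5."""
    entries = []
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        # Each hit is a Windows path followed by its detail line.
        if re.match(r"^[A-Za-z]:\\", line):
            m = DETAIL_RE.match(lines[i + 1])
            if m:
                entry = m.groupdict()
                entry["path"] = line
                entry["size"] = int(entry["size"])
                entries.append(entry)
    return entries


def suspect_copies(entries):
    """Flag live copies whose MD5 differs from the WinSxS component-store copy.

    Returns (live_path, live_md5, store_md5) tuples. Files with no WinSxS copy,
    or whose copies all agree, produce nothing.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for copies in by_name.values():
        store = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        live = [c for c in copies if "\\winsxs\\" not in c["path"].lower()]
        if not store:
            continue
        store_md5s = {c["md5"].upper() for c in store}
        for c in live:
            if c["md5"].upper() not in store_md5s:
                findings.append((c["path"], c["md5"].upper(), sorted(store_md5s)[0]))
    return findings


def find_zeroaccess_dirs(text):
    """Return {GUID} folders that contain all three of the '@', 'L' and 'U' entries."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = GUID_DIR_RE.match(line.strip())
        if m and m.group("leaf"):
            seen[m.group("base")].add(m.group("leaf").upper())
    return sorted(base for base, leaves in seen.items() if leaves >= {"@", "L", "U"})


if __name__ == "__main__":
    for path, live_md5, store_md5 in suspect_copies(parse_search(SEARCH_OUTPUT)):
        print(f"SUSPECT {path}: MD5 {live_md5} differs from WinSxS copy {store_md5}")
    for base in find_zeroaccess_dirs(SCAN_LINES):
        print(f"ZeroAccess-style folder: {base}")
```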
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's okay. Let's do the fixes...

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  6. tavliban

    tavliban TS Member Topic Starter

    Hello! This was the output:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 2012-08-18 13:37:09 Run:1
    Running from G:\

    ==============================================

    C:\Windows\F896D02690164122B9BD957FF092FFE9.TMP moved successfully.
    C:\Windows\Installer\{fa6c4469-9725-ae8b-a121-e1d3466247a0} moved successfully.
    C:\Users\Katerina\AppData\Local\{fa6c4469-9725-ae8b-a121-e1d3466247a0} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    System rebooted OK... Just to verify that the problem still exists, I went to Windows Update and verified that I still cannot update. No messages to reboot appeared.
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We'll fix the update issue. Remind me later after disinfection, please. :)

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com.

    Please save the file to your Desktop, but rename it first to svchost.exe.

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (the above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe and winlogon.exe.
     
  8. tavliban

    tavliban TS Member Topic Starter

    Downloaded ComboFix to a different folder, then renamed it to svchost.exe, copied it to the desktop, then executed the program.

    This was the output..

    ComboFix 12-08-17.03 - Katerina 18/08/2012 16:46:06.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1253.30.1033.18.4063.2782 [GMT 3:00]
    Running from: c:\users\Katerina\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\muzapp.exe
    c:\windows\WinRAR
    c:\windows\WinRAR\uninstall.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-18 14:00 . 2012-08-18 14:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-18 01:33 . 2012-08-18 01:33 -------- d-----w- C:\FRST
    2012-08-17 13:21 . 2012-08-17 13:21 -------- d-----w- c:\program files\Enigma Software Group
    2012-08-17 13:20 . 2012-08-17 13:20 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-08-17 13:19 . 2012-08-17 13:19 -------- d-----w- c:\users\Katerina\AppData\Roaming\SpeedyPC Software
    2012-08-17 13:19 . 2012-08-17 13:19 -------- d-----w- c:\users\Katerina\AppData\Roaming\DriverCure
    2012-08-17 13:18 . 2012-08-17 13:47 -------- d-----w- c:\programdata\SpeedyPC Software
    2012-08-17 13:05 . 2012-08-17 13:05 -------- d-----w- c:\users\Katerina\AppData\Roaming\Malwarebytes
    2012-08-17 13:04 . 2012-08-17 13:04 -------- d-----w- c:\programdata\Malwarebytes
    2012-08-17 13:04 . 2012-08-17 13:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-08-17 13:04 . 2012-07-03 10:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-17 11:35 . 2012-08-17 11:40 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-08-17 08:01 . 2012-08-17 13:19 -------- d-----w- c:\program files (x86)\stinger
    2012-08-16 20:53 . 2012-08-16 20:53 328704 ----a-w- c:\windows\system32\services.exe.1B8B50754A1263DD
    2012-08-16 20:48 . 2012-08-18 14:01 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A1D646A-ACF2-4AF2-A5A4-969D6A3E7D14}\offreg.dll
    2012-08-16 20:48 . 2012-02-09 11:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-08-16 20:48 . 2012-02-09 11:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D30783F5-F16B-43C5-AB72-59EFB04A41EE}\gapaengine.dll
    2012-08-16 20:47 . 2012-07-15 23:40 9133488 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A1D646A-ACF2-4AF2-A5A4-969D6A3E7D14}\mpengine.dll
    2012-08-16 20:43 . 2012-08-17 12:55 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-08-16 20:43 . 2012-08-17 12:55 -------- d-----w- c:\program files\Microsoft Security Client
    2012-08-16 20:14 . 2012-08-16 20:14 27760 ----a-w- c:\windows\system32\drivers\ggsemc.sys
    2012-08-16 20:14 . 2012-08-16 20:14 1721576 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2012-08-16 20:14 . 2012-08-16 20:14 14448 ----a-w- c:\windows\system32\drivers\ggflt.sys
    2012-08-16 20:13 . 2012-08-16 20:13 -------- d-----w- c:\programdata\Sony Ericsson
    2012-08-16 20:13 . 2012-08-16 20:13 -------- d-----w- c:\program files (x86)\Sony Ericsson
    2012-07-31 20:28 . 2012-08-16 20:06 -------- d-----w- c:\programdata\0C1CFAEFE02ABDAFAE35B2CFF875EF60
    2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files (x86)\Mozilla Firefox\Plugins\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-16 20:28 . 2012-04-13 07:54 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-16 20:28 . 2011-06-03 20:52 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 16:14 . 2011-03-27 15:31 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-06-12 03:08 . 2012-07-11 16:18 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-06-09 05:43 . 2012-07-11 16:09 14172672 ----a-w- c:\windows\system32\shell32.dll
    2012-06-06 06:06 . 2012-07-11 16:09 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-06 06:06 . 2012-07-11 16:09 1881600 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-06 06:02 . 2012-07-11 16:09 1133568 ----a-w- c:\windows\system32\cdosys.dll
    2012-06-06 05:05 . 2012-07-11 16:09 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-06-06 05:05 . 2012-07-11 16:09 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-06-06 05:03 . 2012-07-11 16:09 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
    2012-06-02 22:19 . 2012-06-23 15:21 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-23 15:22 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-23 15:22 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-23 15:22 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-23 15:21 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-23 15:22 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-23 15:21 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 12:49 . 2012-07-11 16:12 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-06-02 12:19 . 2012-06-23 15:21 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 12:17 . 2012-07-11 16:12 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-06-02 12:15 . 2012-06-23 15:21 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 12:12 . 2012-07-11 16:12 2311680 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 12:05 . 2012-07-11 16:12 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-06-02 12:05 . 2012-07-11 16:12 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 12:04 . 2012-07-11 16:12 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 12:04 . 2012-07-11 16:12 237056 ----a-w- c:\windows\system32\url.dll
    2012-06-02 12:03 . 2012-07-11 16:12 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-06-02 12:01 . 2012-07-11 16:12 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 12:00 . 2012-07-11 16:12 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-06-02 11:59 . 2012-07-11 16:12 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-06-02 11:57 . 2012-07-11 16:12 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-06-02 11:57 . 2012-07-11 16:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 11:54 . 2012-07-11 16:12 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-06-02 08:33 . 2012-07-11 16:12 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-06-02 08:25 . 2012-07-11 16:12 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-06-02 08:25 . 2012-07-11 16:12 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-11 16:12 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-11 16:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-06-02 05:50 . 2012-07-11 16:09 458704 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-06-02 05:48 . 2012-07-11 16:09 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-06-02 05:48 . 2012-07-11 16:09 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 05:45 . 2012-07-11 16:09 340992 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 05:44 . 2012-07-11 16:09 307200 ----a-w- c:\windows\system32\ncrypt.dll
    2012-06-02 04:40 . 2012-07-11 16:09 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-06-02 04:40 . 2012-07-11 16:09 225280 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-06-02 04:39 . 2012-07-11 16:09 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-06-02 04:34 . 2012-07-11 16:09 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
    "Sony PC Companion"="c:\program files (x86)\Sony\Sony PC Companion\PCCompanion.exe" [2012-05-31 445624]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-02 87336]
    "BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2010-04-02 75048]
    "NBKeyScan"="c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-16 250056]
    R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2012-08-16 14448]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-30 113120]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 Sony PC Companion;Sony PC Companion;c:\program files (x86)\Sony\Sony PC Companion\PCCService.exe [2012-01-18 155320]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-13 1255736]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-04-22 283200]
    S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/27 18:53];c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-04-02 06:11 146928]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-17 203264]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-13 54824]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2008-06-15 11392]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 20:28]
    .
    2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1411842853-294139791-1900781283-1000Core.job
    - c:\users\Katerina\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-25 20:30]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1411842853-294139791-1900781283-1000UA.job
    - c:\users\Katerina\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-25 20:30]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\users\Katerina\AppData\Roaming\Mozilla\Firefox\Profiles\oqlclfey.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.gr/ig?hl=el
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-WinRAR - c:\windows\WinRAR\uninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
    "ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
    c:\program files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
    c:\program files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    c:\program files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-18 17:09:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-18 14:09
    .
    Pre-Run: 66.004.877.312 bytes free
    Post-Run: 65.315.463.168 bytes free
    .
    - - End Of File - - AD4182CBFECE66CC11259568ECD770C2

    Hope it was done correctly.
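    As an added illustration of how to read a report like the one above (this is not ComboFix code and not something either participant posted), the following Python script takes a constructed excerpt of that log and pulls out what a responder would act on: the paths ComboFix deleted, the created entries whose names deserve a second look, the security product the header reports as disabled, and the registry values that weaken the machine (EnableLUA=0 is the "UAC is disabled!" state that Security Check reports later in the thread; the Security Center override values suppress its antivirus and firewall warnings). The section banners, value decoding and the table of weak settings are my assumptions about the ComboFix format, drawn from this one log.

```python
import re

# Constructed excerpt of the ComboFix report posted above, cut down to the
# sections this parser handles; sample input, not a fresh log.
COMBOFIX_EXCERPT = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
c:\windows\SysWow64\muzapp.exe
c:\windows\WinRAR
c:\windows\WinRAR\uninstall.exe
.
(((((((((( Files Created from 2012-07-18 to 2012-08-18 ))))))))))
.
2012-08-17 13:04 . 2012-07-03 10:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-16 20:53 . 2012-08-16 20:53 328704 ----a-w- c:\windows\system32\services.exe.1B8B50754A1263DD
2012-07-31 20:28 . 2012-08-16 20:06 -------- d-----w- c:\programdata\0C1CFAEFE02ABDAFAE35B2CFF875EF60
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
HEADER_RE = re.compile(r"^(?:AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*")
CREATED_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ \S+ \S+ (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')
# Neither naming pattern is malicious by itself; both deserve a second look.
ODD_NAME_RES = {
    "system binary name carrying a hex suffix": re.compile(r"\\\w+\.(?:exe|dll|sys)\.[0-9a-f]{8,}$", re.I),
    "directory named by a bare 32-digit hex string": re.compile(r"\\[0-9a-f]{32}$", re.I),
}
POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
SECCENTER = r"hkey_local_machine\software\microsoft\security center"
# (key, value name, observed value) -> the weakening it implies (Windows semantics).
WEAK_SETTINGS = {
    (POLICY, "EnableLUA", 0): "UAC disabled",
    (POLICY, "ConsentPromptBehaviorAdmin", 0): "administrators elevate without any prompt",
    (SECCENTER, "AntiVirusOverride", 1): "Security Center antivirus warnings suppressed",
    (SECCENTER, "FirewallOverride", 1): "Security Center firewall warnings suppressed",
}

def split_sections(report):
    """Group non-empty lines by the (((( name )))) banner that precedes them."""
    sections, current = {"header": []}, "header"
    for line in (l.strip() for l in report.splitlines()):
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def decode_value(raw):
    """Turn ComboFix's 'dword:00000001' or '0 (0x0)' renderings into ints."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)$", raw, re.I)
    return int(m.group(1)) if m else raw

def parse_registry(lines):
    """Map (lower-cased key, value name) -> decoded value for every [KEY] block."""
    values, key = {}, None
    for line in lines:
        if k := KEY_RE.match(line):
            key = k.group("key").lower()
        elif (v := VALUE_RE.match(line)) and key:
            values[(key, v.group("name"))] = decode_value(v.group("raw"))
    return values

def triage(report):
    """Return (category, detail) findings a responder would act on."""
    sections = split_sections(report)
    findings = []
    for m in filter(None, map(HEADER_RE.match, sections["header"])):
        if "disabled" in m.group("state").lower():
            findings.append(("av-state", f"{m.group('name')}: {m.group('state')}"))
    findings += [("removed", path) for path in sections.get("Other Deletions", [])]
    for name, lines in sections.items():
        if name.startswith("Files Created"):
            for m in filter(None, map(CREATED_RE.match, lines)):
                for why, pattern in ODD_NAME_RES.items():
                    if pattern.search(m.group("path")):
                        findings.append(("review", f"{m.group('path')}: {why}"))
    for (key, name), value in parse_registry(sections.get("Reg Loading Points", [])).items():
        if (key, name, value) in WEAK_SETTINGS:
            findings.append(("policy", f"{name}={value}: {WEAK_SETTINGS[key, name, value]}"))
    return findings

if __name__ == "__main__":
    for category, detail in triage(COMBOFIX_EXCERPT):
        print(f"[{category:8}] {detail}")
```

    Running it on the excerpt lists one disabled security product, three deletions, two "review" items (the suffixed services.exe and the hex-named ProgramData directory) and four policy findings; the "review" category is deliberately neutral, since a backup copy of a patched binary and an installer's GUID-less folder look the same in a listing.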
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Cool!

    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
     
  10. tavliban

    tavliban TS Member Topic Starter

    Hello man! Thanks for the help... I really appreciate it...

    I have already installed the free version of Malwarebytes anti-malware (as said in the first post). Do you want me to uninstall and then re-install? (just to clarify)
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You're welcome. But no, don't reinstall... unnecessary.

    Scan with Malwarebytes' Anti-Malware

    Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
     
     
  12. tavliban

    tavliban TS Member Topic Starter

    This was the output... It did prompt me to restart.

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.19.03

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Katerina :: KATERINA-PC [administrator]

    19/8/2012 1:50:03 μμ
    mbam-log-2012-08-19 (13-50-03).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201333
    Time elapsed: 4 minute(s), 33 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Katerina\Downloads\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

    (end)

    The file that was quarantined and deleted was ComboFix.exe; in that folder I renamed the file to svchost.exe, then copied it to the desktop. (Just to inform you.)
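    The detection above, as an added example that is not part of this thread: a file in a user's Downloads folder carrying the name of a core Windows process. Whatever MBAM's heuristic checks internally (the page does not say), the defender-side rule it illustrates is simple: a reserved process name is only expected in a handful of system directories, and a copy anywhere else, even a harmless one such as the renamed ComboFix, should be surfaced. The script below is my own, written in Python; the name list comes from the helper's instructions plus services.exe from the ComboFix log, and the "expected directory" table is my assumption for 64-bit Windows 7.

```python
import ntpath

# Process names the helper's instructions single out as ones malware leaves
# alone; the same list serves a detector. services.exe is added because it
# appears in the ComboFix log above.
RESERVED_NAMES = {"svchost.exe", "services.exe", "winlogon.exe",
                  "explorer.exe", "iexplore.exe"}

# Where these binaries legitimately live on 64-bit Windows 7 (assumed layout).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}

def check_path(path):
    """Return a reason if `path` carries a reserved name outside its home, else None."""
    norm = ntpath.normpath(path).lower()      # collapses ..\ segments, normalises case
    name = ntpath.basename(norm)
    if name not in RESERVED_NAMES:
        return None
    if ntpath.dirname(norm) in EXPECTED_DIRS[name]:
        return None
    return f"{path}: reserved process name {name} outside {sorted(EXPECTED_DIRS[name])}"

def scan(paths):
    """Apply check_path to every path and keep the hits."""
    return [hit for hit in map(check_path, paths) if hit]

# Constructed sample: the file MBAM quarantined above plus benign lookalikes
# and one path that only reveals itself after normalisation.
SAMPLE_PATHS = [
    r"C:\Users\Katerina\Downloads\svchost.exe",
    r"C:\Users\Katerina\Desktop\svchost.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\..\..\Users\Public\winlogon.exe",
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        print(hit)
```

    On the sample list the two user-folder svchost.exe copies and the winlogon.exe hidden behind `..\` segments are reported; the genuine System32, SysWOW64 and Windows-root binaries pass. Path normalisation before the directory check is the part worth keeping: without it the `..\` form would appear to sit under System32.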
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's fine. Good job!

    Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, e.g. C
    • For a few moments the system will make some calculations.
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  14. tavliban

    tavliban TS Member Topic Starter

    1. Restore point Clean created. Then deleted old restore points successfully
    2. OK. Rebooted computer. OTC was not on the desktop
    3. Chose to delete all cookies just to be sure. 513M removed
    4. Ran security check with the output below

    Results of screen317's Security Check version 0.99.46
    Windows 7 Service Pack 1 x64 (UAC is disabled!)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    (On Access scanning disabled!)
    Error obtaining update status for antivirus!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 31
    Java(TM) SE Development Kit 6 Update 24
    Java version out of Date!
    Adobe Reader X (10.1.4)
    Mozilla Firefox (14.0.1)
    Google Chrome 20.0.1132.57
    Google Chrome 21.0.1180.79
    ````````Process Check: objlist.exe by Laurent````````
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````


    As for the PC, I rebooted it after all actions. Windows Update seems to be working, not showing the previous message. (I think we are in a good pace here!)

    Windows Firewall is ON (stated at security check and I saw firewall settings).

    Security essentials is uninstalled (stated at first message).

    I will not do anything until you tell me to do so...

    Thanks!
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

    Any other questions before I mark this topic solved?
     
  16. tavliban

    tavliban TS Member Topic Starter

    So the pc is clean? Wooohooo...
    Last thing: should I install Microsoft Windows Security Essentials first, or after I install Java?

    In any case I must thank you very much. Format was not an option for this pc...
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Either way should work!

    Marked as solved. √
     
Topic Status:
Not open for further replies.

