TechSpot

Sirefefr.r removal

By Keith C
Jul 25, 2012
  1. Vipre has identified the Sirefefr.r virus in c:\windows\system32\services.exe

    This file appears to have the same properties as a 'good' machine with Win7.

    Vipre, MalwareBytes Anti-Malware and Ad-aware have been unable to resolve this.

    How can I remove this from my machine?

    Thank you in advance.
     
  2. Jay Pfoutz

    Jay Pfoutz (Malware Helper)

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Depending on what type of OS you have, please select 32-bit or 64-bit accordingly. If you don't know, then use 32-bit and we'll go from there.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
    • Press the Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply, along with the first FRST logfile.
     
  3. Keith C

    Keith C (Topic Starter)

    Thank you DragonMasterJay.

    The output from the FRST.txt file is:

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 25-07-2012 16:42:17
    Running from F:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [] [x]
    HKLM\...\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe [x]
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [8423968 2010-01-12] (Realtek Semiconductor)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
    HKLM\...\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide [699104 2007-05-17] ()
    HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
    HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install [1657448 2009-10-28] ()
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421160 2010-11-17] (Apple Inc.)
    HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
    HKLM\...\Run: [DLSService] "C:\Program Files\DYMO\DYMO Label Software\DLSService.exe" [55808 2009-09-29] (Sanford, L.P.)
    HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM\...\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [483328 2008-04-22] (Adobe Systems Inc.)
    HKLM\...\Run: [MSCRM] "c:\Program Files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" /activateaddin [58216 2011-04-28] (Microsoft Corporation)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1808784 2011-04-13] (Microsoft Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
    HKLM\...\Run: [SBAMTray] "C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe" [1627504 2011-10-12] (GFI Software)
    HKLM\...\Run: [Ad-Aware Antivirus] "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run [x]
    HKLM\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [198032 2011-10-21] (Lavasoft)
    HKLM\...\Run: [SBRegRebootCleaner] "C:\Program Files\Ad-Aware Antivirus\SBRC.exe" [200560 2011-12-19] (GFI Software)
    HKU\KeithC\...\Run: [DymoQuickPrint] "C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup [1885944 2009-09-29] (Sanford, L.P.)
    HKU\KeithC\...\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcStd7_0_0 -reboot 1 [313472 2006-03-30] (Adobe Systems Incorporated)
    HKU\KeithC\...\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 6\wf_tp.exe" /bg [1769264 2009-10-28] (AceBIT GmbH)
    HKU\KeithC.DATASOUND\...\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 6\wf_tp.exe" /bg [1769264 2009-10-28] (AceBIT GmbH)
    HKU\KeithC.DATASOUND\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
    HKU\KeithC.DATASOUND\...\Run: [DymoQuickPrint] "C:\Program Files\DYMO\DYMO Label Software\DymoQuickPrint.exe" /startup [1885944 2009-09-29] (Sanford, L.P.)
    HKU\KeithC.DATASOUND\...\Run: [3CX MyPhone571142265.192.168.242.200] C:\Users\KeithC.DATASOUND\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\3CX MyPhone.lnk [2347 2012-03-12] ()
    HKU\KevinK\...\Run: [Installation Diagnostics] "C:\Program Files\Brother\Brmfl04b\Brinstck.exe" /I MFC-5840CN LAN [x]
    HKU\KevinK\...\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" [718720 2011-07-21] (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.242.2
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe ()
    Startup: C:\Users\KeithC.DATASOUND\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
    Startup: C:\Users\KevinK\Start Menu\Programs\Startup\Adobe Gamma.lnk
    ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (No File)

    ================================ Services (Whitelisted) ==================

    2 Ad-Aware Service; "C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe" [1239952 2012-07-12] (Lavasoft Limited)
    2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [87968 2009-11-17] (Andrea Electronics Corporation)
    2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.)
    2 clsbd; C:\Cadence\SPB_15.5.1\tools\bin\clsbd.exe [57419 2004-07-22] ()
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" [335872 2003-03-18] (Microsoft Corporation)
    4 msvsmon80; "C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2808664 2007-02-22] (Microsoft Corporation)
    2 NVIDIA Performance Driver Service; "C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe" [5233256 2009-10-26] ()
    2 SBAMSvc; "C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe" [3289032 2011-12-19] (GFI Software)
    2 SBPIMSvc; "C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe" [181616 2011-10-12] (GFI Software)
    2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2008-09-08] (Viewpoint Corporation)
    2 JTAGServer; c:\altera\91sp2\quartus\bin\jtagserver.exe [x]
    2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
    4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
    2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
    2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

    ========================== Drivers (Whitelisted) =============

    2 AlteraByteBlaster; \??\C:\Windows\system32\drivers\pgdhdlc.sys [7680 2010-03-24] (Altera Corporation)
    2 altio; \??\C:\Program Files\Altium\AD 10\System\Drivers\altio.sys [3200 2012-07-24] (Altium Limited)
    3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd6.sys [44032 2009-07-13] (VIA Technologies, Inc. )
    3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57800 2009-10-22] (FTDI Ltd.)
    3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [72520 2009-10-22] (FTDI Ltd.)
    3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-05] (Broadcom Corporation)
    2 MCUSBICD2; C:\Windows\System32\Drivers\icd2w2k.sys [12427 2004-03-21] (Microchip Technology, Inc.)
    3 NETGEARUHOST; C:\Windows\System32\DRIVERS\NETGEARUHOST.sys [13824 2007-03-08] (SerComm)
    3 NETGEARUHUB; C:\Windows\System32\DRIVERS\NETGEARUHUB.sys [35840 2007-03-08] (SerComm)
    2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [77816 2011-11-28] (GFI Software)
    3 SBHIPS; C:\Windows\System32\drivers\sbhips.sys [93816 2011-12-19] (GFI Software)
    1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [101112 2011-10-26] (GFI Software)
    1 SbTis; C:\Windows\System32\drivers\sbtis.sys [78936 2011-09-09] (Sunbelt Software, Inc.)
    2 Sentinel; C:\Windows\System32\Drivers\SENTINEL.SYS [76288 2010-03-24] (Rainbow Technologies, Inc.)
    2 siserial; \??\C:\Windows\system32\drivers\siserial.sys [927328 2009-06-24] (Tactical Software, LLC)
    3 Sntnlusb; C:\Windows\System32\DRIVERS\SNTNLUSB.SYS [26120 2010-03-24] (Rainbow Technologies Inc.)
    3 SNXPCARD; C:\Windows\System32\DRIVERS\snxpcard.sys [41080 2010-02-01] (SUNIX Co., Ltd.)
    3 SNXPPALX; C:\Windows\System32\DRIVERS\snxppalx.sys [84984 2010-02-01] (SUNIX Co., Ltd.)
    3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [195904 2010-06-09] (Jungo)
    3 XJLINK; C:\Windows\System32\drivers\xjlink.sys [22088 2009-07-14] (XJTAG Ltd.)
    2 zntport; \??\C:\Windows\system32\drivers\zntport.sys [12344 2007-12-22] (Zeal SoftStudio)
    3 LinkMD; \??\UNC\Dsl1\dsl library\DataSheets\Micrel\KSZ8841-pmql\KSZ88XX Software Package 20080707\M16C Software\Demo Program\LinkMD GUI Demo\LinkMD.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-07-25 16:41 - 2012-07-25 16:42 - 00000000 ____D C:\FRST
    2012-07-25 07:23 - 2012-07-25 07:25 - 00014101 ____A C:\Users\KeithC.DATASOUND\Desktop\1238-000 rev 10.csv
    2012-07-25 04:17 - 2012-07-25 04:17 - 00000104 ____A C:\Windows\System32\SBRC.dat
    2012-07-25 02:19 - 2012-07-25 02:19 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Roaming\Lavasoft
    2012-07-25 02:19 - 2012-07-25 02:09 - 00000000 ____A C:\Users\KeithC.DATASOUND\AppData\Roaming\adaware-installer-reboot-required.tmp
    2012-07-25 02:09 - 2012-07-25 03:28 - 00001868 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
    2012-07-25 02:09 - 2012-07-25 03:28 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection
    2012-07-25 02:09 - 2012-07-25 02:17 - 00000000 ____D C:\Program Files\Ad-Aware Antivirus
    2012-07-25 02:09 - 2012-07-25 02:09 - 00000000 ____D C:\Windows\System32\Drivers\VDD
    2012-07-25 02:09 - 2012-07-25 02:09 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Local\adaware
    2012-07-25 02:09 - 2012-07-25 02:09 - 00000000 ____D C:\Users\All Users\Lavasoft
    2012-07-25 02:09 - 2011-12-19 03:44 - 00093816 ____A (GFI Software) C:\Windows\System32\Drivers\sbhips.sys
    2012-07-25 02:07 - 2012-07-25 02:34 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Roaming\Ad-Aware Antivirus
    2012-07-25 01:33 - 2012-07-25 01:33 - 00000000 ____D C:\Users\KeithC.DATASOUND\AppData\Roaming\Malwarebytes
    2012-07-25 01:32 - 2012-07-25 01:32 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-25 01:32 - 2012-07-25 01:32 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-07-25 01:32 - 2012-07-25 01:32 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-07-25 01:32 - 2012-07-03 04:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-23 05:29 - 2012-07-23 05:29 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-19 01:44 - 2012-07-19 08:29 - 00262144 ____A C:\Users\KeithC.DATASOUND\Desktop\SXDIAPP.rom
    2012-07-18 23:51 - 2012-02-14 00:38 - 00000323 ____A C:\Users\KeithC.DATASOUND\Desktop\BIOS Update Instruction.txt
    2012-07-18 23:51 - 2011-08-05 09:10 - 00069808 ____A C:\Users\KeithC.DATASOUND\Desktop\SPIFLASH.EXE
    2012-07-18 23:50 - 2012-07-19 01:44 - 00240935 ____A C:\Users\KeithC.DATASOUND\Desktop\BIOS.rar
    2012-07-17 02:58 - 2012-07-17 03:03 - 00009509 ____A C:\Users\KeithC.DATASOUND\Desktop\1248-000.csv
    2012-07-17 02:58 - 2012-07-17 03:00 - 00000450 ____A C:\Users\KeithC.DATASOUND\Desktop\600-1248-000.csv
    2012-07-13 18:06 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-13 18:06 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-13 18:06 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-13 18:06 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-13 18:06 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-13 18:06 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-13 18:06 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-13 18:06 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-13 18:06 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-13 18:06 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-13 18:06 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-13 18:06 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-13 18:06 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-13 18:06 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-13 18:02 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-13 00:17 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-13 00:17 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-13 00:17 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-13 00:17 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-13 00:17 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-13 00:17 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-13 00:17 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-13 00:17 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-13 00:17 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-13 00:17 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-07-13 00:17 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-07-13 00:17 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-07-13 00:17 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-11 04:56 - 2012-07-11 04:56 - 00000000 ____D C:\Users\KeithC.DATASOUND\Desktop\MRVFiles
    2012-07-11 04:38 - 2012-07-11 04:39 - 00000000 ____D C:\Users\KeithC.DATASOUND\Desktop\Planer
    2012-07-10 04:25 - 2012-07-16 06:40 - 00014713 ____A C:\Users\KeithC.DATASOUND\Desktop\MRV.EXE
    2012-07-06 00:49 - 2012-07-06 00:50 - 00021504 __ASH C:\Users\KeithC.DATASOUND\Documents\Thumbs.db
    2012-06-28 02:16 - 2012-06-28 02:16 - 00047839 ____A C:\Users\KeithC.DATASOUND\Desktop\CaptouchPIC10FDemo.zip
    2012-06-28 01:59 - 2012-06-28 01:59 - 00512489 ____A C:\Users\KeithC.DATASOUND\Desktop\PCAPTechnologySource_v5.zip

    ============ 3 Months Modified Files ========================

    2012-07-25 07:37 - 2010-06-16 04:51 - 00000250 __ASH C:\Users\KeithC.DATASOUND\ntuser.ini
    2012-07-25 07:25 - 2012-07-25 07:23 - 00014101 ____A C:\Users\KeithC.DATASOUND\Desktop\1238-000 rev 10.csv
    2012-07-25 06:56 - 2011-01-04 08:11 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-07-25 06:56 - 2011-01-04 08:11 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-07-25 06:53 - 2010-06-16 04:49 - 00000136 ____A C:\Windows\System32\config\netlogon.ftl
    2012-07-25 06:52 - 2012-04-16 02:01 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-25 04:17 - 2012-07-25 04:17 - 00000104 ____A C:\Windows\System32\SBRC.dat
    2012-07-25 03:34 - 2009-07-13 20:34 - 00015296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-07-25 03:34 - 2009-07-13 20:34 - 00015296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-07-25 03:30 - 2010-06-16 03:47 - 00940404 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-07-25 03:28 - 2012-07-25 02:09 - 00001868 ____A C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
    2012-07-25 03:25 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-07-25 03:25 - 2009-07-13 20:39 - 00037453 ____A C:\Windows\setupact.log
    2012-07-25 03:12 - 2010-06-16 04:08 - 00031264 ____A C:\Windows\PFRO.log
    2012-07-25 02:09 - 2012-07-25 02:19 - 00000000 ____A C:\Users\KeithC.DATASOUND\AppData\Roaming\adaware-installer-reboot-required.tmp
    2012-07-25 01:32 - 2012-07-25 01:32 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-07-24 05:57 - 2010-06-30 00:07 - 00002733 ____A C:\Windows\AdvSch99SE.dft
    2012-07-24 05:57 - 2010-06-18 06:38 - 00281275 ____A C:\Windows\CLIENT99SE.rcs
    2012-07-24 05:57 - 2010-06-18 06:38 - 00008924 ____A C:\Windows\CLIENT99SE.raf
    2012-07-24 05:57 - 2010-06-18 06:38 - 00002994 ____A C:\Windows\CLIENT99SE.ndr
    2012-07-24 05:57 - 2010-06-16 06:43 - 00296960 ____A C:\Windows\Client99SE.cfg
    2012-07-24 05:57 - 2010-06-16 06:43 - 00010161 ____A C:\Windows\Client99SE.INI
    2012-07-24 05:57 - 2010-06-16 06:43 - 00003656 ____A C:\Windows\AdvSch99SE.ini
    2012-07-24 05:38 - 2010-06-18 06:27 - 00000705 ____A C:\Windows\ProHelp99SE.INI
    2012-07-23 05:23 - 2010-06-16 03:45 - 01310082 ____A C:\Windows\WindowsUpdate.log
    2012-07-23 04:50 - 2010-06-18 06:38 - 00281275 ____A C:\Windows\CLIENT99SE.~cs
    2012-07-23 04:50 - 2010-06-18 06:38 - 00008924 ____A C:\Windows\CLIENT99SE.~af
    2012-07-19 08:29 - 2012-07-19 01:44 - 00262144 ____A C:\Users\KeithC.DATASOUND\Desktop\SXDIAPP.rom
    2012-07-19 01:44 - 2012-07-18 23:50 - 00240935 ____A C:\Users\KeithC.DATASOUND\Desktop\BIOS.rar
    2012-07-18 02:01 - 2010-06-17 00:32 - 00001223 ____A C:\Users\KeithC.DATASOUND\quartus2.ini
    2012-07-17 03:03 - 2012-07-17 02:58 - 00009509 ____A C:\Users\KeithC.DATASOUND\Desktop\1248-000.csv
    2012-07-17 03:00 - 2012-07-17 02:58 - 00000450 ____A C:\Users\KeithC.DATASOUND\Desktop\600-1248-000.csv
    2012-07-16 06:40 - 2012-07-10 04:25 - 00014713 ____A C:\Users\KeithC.DATASOUND\Desktop\MRV.EXE
    2012-07-16 02:03 - 2009-07-13 20:53 - 00032610 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-16 02:03 - 2009-07-13 20:33 - 00414808 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-13 18:03 - 2010-06-16 04:59 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-12 05:52 - 2012-04-16 02:01 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-12 05:52 - 2011-06-08 03:26 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-06 00:50 - 2012-07-06 00:49 - 00021504 __ASH C:\Users\KeithC.DATASOUND\Documents\Thumbs.db
    2012-07-03 04:46 - 2012-07-25 01:32 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-28 02:16 - 2012-06-28 02:16 - 00047839 ____A C:\Users\KeithC.DATASOUND\Desktop\CaptouchPIC10FDemo.zip
    2012-06-28 01:59 - 2012-06-28 01:59 - 00512489 ____A C:\Users\KeithC.DATASOUND\Desktop\PCAPTechnologySource_v5.zip
    2012-06-27 06:15 - 2010-07-06 08:01 - 00001014 ____A C:\Windows\TextEdit99SE.INI
    2012-06-27 06:15 - 2010-06-18 06:38 - 00007823 ____A C:\Windows\ADVPCB99SE.INI
    2012-06-21 05:17 - 2010-06-16 04:51 - 00006314 _RASH C:\Users\KeithC.DATASOUND\ntuser.pol
    2012-06-21 01:43 - 2012-05-03 00:23 - 00002092 ____A C:\Users\KeithC.DATASOUND\Desktop\Awaiting lib check.lnk
    2012-06-20 07:08 - 2012-06-20 05:19 - 00009664 ____A C:\Users\KeithC.DATASOUND\Desktop\va.xlsx
    2012-06-20 05:19 - 2012-06-20 05:19 - 00009394 ____A C:\Users\KeithC.DATASOUND\Documents\va.xlsx
    2012-06-11 18:40 - 2012-07-13 18:02 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 20:41 - 2012-07-13 00:17 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-07 07:53 - 2012-06-03 05:22 - 00002630 ____A C:\Users\KeithC.DATASOUND\Desktop\SF100.Bom
    2012-06-05 21:05 - 2012-07-13 00:17 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 21:05 - 2012-07-13 00:17 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 21:03 - 2012-07-13 00:17 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-02 14:19 - 2012-06-16 19:08 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-16 19:08 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-16 19:08 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-16 19:08 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-16 19:08 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-16 19:08 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-16 19:08 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 06:19 - 2012-06-16 19:08 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 06:12 - 2012-06-16 19:08 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-13 18:06 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-13 18:06 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-13 18:06 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-13 18:06 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-13 18:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-13 18:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-13 18:06 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-13 18:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-13 18:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-13 18:06 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-13 18:06 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-13 18:06 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-13 18:06 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-13 18:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 20:45 - 2012-07-13 00:17 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-01 20:45 - 2012-07-13 00:17 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-01 20:40 - 2012-07-13 00:17 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-01 20:40 - 2012-07-13 00:17 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 20:39 - 2012-07-13 00:17 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-04-27 19:17 - 2012-06-15 00:56 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


    ZeroAccess:
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\@
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\n
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L\00000004.@
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L\201d3dde
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\00000004.@
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\00000008.@
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\000000cb.@
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\80000000.@
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U\80000032.@

    ZeroAccess:
    C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}
    C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\@
    C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\L
    C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\n
    C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 17%
    Total physical RAM: 3031.11 MB
    Available physical RAM: 2489.48 MB
    Total Pagefile: 3029.39 MB
    Available Pagefile: 2493.83 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1952.7 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:232 GB) (Free:89.03 GB) NTFS
    2 Drive e: (Jul 25 2012) (CDROM) (Total:0.01 GB) (Free:0 GB) UDF
    3 Drive f: (KINGSTON) (Removable) (Total:3.73 GB) (Free:3.24 GB) FAT32
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 232 GB 0 B
    Disk 1 Online 3826 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 94 MB 31 KB
    Partition 2 Primary 750 MB 95 MB
    Partition 3 Primary 232 GB 845 MB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 FAT Partition 94 MB Healthy Hidden

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y RECOVERY NTFS Partition 750 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 232 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3822 MB 4032 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F KINGSTON FAT32 Removable 3822 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-17 15:00

    ======================= End Of Log ==========================
     
  4. Keith C

    Keith C TS Rookie Topic Starter

    The output from the search.txt file is:

    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-25 16:44:49
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    C:\WINCE600\OSDesigns\Webserver\Webserver\Wince600\DSL_Vortex86_x86\cesysgen\oak\target\x86\retail\services.exe
    [2011-02-08 08:37] - [2011-02-08 08:37] - 0008704 ____A () 52BE681074D0B55A1567FED6E0D0A645

    C:\WINCE600\OSDesigns\Webserver\Webserver\Wince600\DSL_Vortex86_x86\cesysgen\oak\target\x86\debug\services.exe
    [2011-02-08 08:14] - [2011-02-08 08:14] - 0011264 ____A () 187F61F0CDB895E4E9A73CF93C2E570A

    C:\WINCE600\OSDesigns\Webserver\Webserver\RelDir\DSL_Vortex86_x86_Release\services.exe
    [2011-02-08 08:37] - [2011-02-08 09:09] - 0008704 ____A () FF55978A1643521A20BE073694892CF8

    C:\WINCE600\OSDesigns\Webserver\Webserver\RelDir\DSL_Vortex86_x86_Debug\services.exe
    [2011-02-08 08:14] - [2011-02-08 08:27] - 0011264 ____A () 8AF5E67249FCA7F2DBD4CBA11B2E992F

    C:\WINCE600\OSDesigns\ShopAlert\ShopAlert\Wince600\Vortex86DX_60B_x86\cesysgen\oak\target\x86\retail\services.exe
    [2011-02-04 08:36] - [2011-02-04 08:36] - 0008704 ___RA () C9749108DB061E7C66265735F4DA04B9

    C:\WINCE600\OSDesigns\ShopAlert\ShopAlert\RelDir\Vortex86DX_60B_x86_Release\services.exe
    [2011-02-04 08:36] - [2011-02-07 03:46] - 0008704 ___RA () 4258B5E068BB4DFCB0763F88B560BEAA

    C:\WINCE600\OSDesigns\ShopAlert\ShopAlert\RelDir\Vortex86DX_60B_x86_Debug\services.exe
    [2011-02-04 02:44] - [2011-02-04 03:00] - 0011264 ___RA () 2157F1A8B87D4B46F85433B93AAA09A8

    C:\WINCE600\OSDesigns\OSDesign1\Wince600\eBox-3300MX_x86\cesysgen\oak\target\x86\retail\services.exe
    [2011-10-13 01:55] - [2011-10-13 01:55] - 0008704 ____A () BB223949758613D4D863B7820E78C200

    C:\WINCE600\OSDesigns\OSDesign1\RelDir\eBox-3300MX_x86_Release\services.exe
    [2011-10-13 01:55] - [2011-10-18 01:13] - 0008704 ____A () 3C65A3E65C61EDAF264FB57C306F25B0

    C:\WINCE600\OSDesigns\iMX51-EVK-PDK1_7-Mobility\Wince600\iMX51-EVK-PDK1_7_ARMV4I\cesysgen\oak\target\ARMV4I\debug\services.exe
    [2011-02-25 04:10] - [2011-02-25 04:10] - 0015360 ____A () DDC5AAC490C333C8F67A6BAF33A266E1

    C:\WINCE600\OSDesigns\EBox-3300MX\EBOX-3300MX\EBOX-3300MX\Wince600\eBox-3300MX_x86\cesysgen\oak\target\x86\debug\services.exe
    [2011-10-17 02:14] - [2011-10-17 02:14] - 0011264 ____A () 5FCD1D2D389642E661B34E6162F0D6D7

    C:\WINCE600\OSDesigns\EBox-3300MX\EBOX-3300MX\EBOX-3300MX\RelDir\eBox-3300MX_x86_Debug\services.exe
    [2011-10-17 02:14] - [2011-10-17 02:29] - 0011264 ____A () 143C315FE01A237C0A9D77ECAF12A7D2

    C:\WINCE600\OSDesigns\Centurion\Wince600\iMX51-EVK-PDK1_7_ARMV4I\cesysgen\oak\target\ARMV4I\retail\services.exe
    [2011-02-25 04:44] - [2010-12-10 07:44] - 0011264 ____A () 66C4F1B474CD5C8844519A08E3DCBA9D

    C:\WINCE600\OSDesigns\Centurion\RelDir\Freescale_i_MX51_EVK_ARMV4I_Release\services.exe
    [2011-02-25 04:44] - [2011-02-25 06:54] - 0011264 ____A () 3DEB06389470E14B4DE551D6A35FFCD1

    C:\Wince Backup\Centurion\Wince600\iMX51-EVK-PDK1_7_ARMV4I\cesysgen\oak\target\ARMV4I\retail\services.exe
    [2011-02-03 06:14] - [2010-12-10 07:44] - 0011264 ____A () 66C4F1B474CD5C8844519A08E3DCBA9D

    C:\Wince Backup\Centurion\RelDir\Freescale_i_MX51_EVK_ARMV4I_Release\services.exe
    [2011-02-03 06:12] - [2010-12-10 08:40] - 0011264 ____A () 3DEB06389470E14B4DE551D6A35FFCD1

    === End Of Search ===
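The search.txt above shows the comparison the helper made before writing the fix: the System32 copy of services.exe has the same size and timestamps as the WinSxS component-store copy but a different MD5. Below is an added example, not code from the thread or from FRST, that parses this search output format and flags a System32 file whose hash matches none of the WinSxS copies of the same name, ignoring same-named files outside C:\Windows (the WinCE build outputs here); the sample lines are copied from the post above, and the parser and comparison rule are my own.

```python
"""Cross-check System32 binaries against the WinSxS component-store copies
listed in the same FRST "Search:" output.  Added example for this thread;
the parser and the comparison rule are mine, not part of FRST."""
import re
from dataclasses import dataclass

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Entry:
    path: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    path: str
    md5: str
    reference_md5s: set
    same_size_as_reference: bool


def parse_search(text: str) -> list:
    """Pair each path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, i = [], 0
    while i < len(lines) - 1:
        path, m = lines[i], DETAIL_RE.match(lines[i + 1])
        if path and not path.startswith("=") and m:
            entries.append(Entry(path, int(m["size"]), m["company"], m["md5"].upper()))
            i += 2
        else:
            i += 1
    return entries


def find_mismatches(entries: list) -> list:
    """Flag a System32 file whose MD5 matches none of the WinSxS copies of the
    same file name.  Files outside C:\\Windows (the WinCE build outputs in the
    thread) merely share the name and are ignored.  Size is reported too,
    because here the patched file kept the original size: a size check alone
    would have missed it."""
    by_name = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    findings = []
    for group in by_name.values():
        sxs = [e for e in group if "\\winsxs\\" in e.path.lower()]
        sys32 = [e for e in group if "\\windows\\system32\\" in e.path.lower()]
        refs = {e.md5 for e in sxs}
        for s in sys32:
            if refs and s.md5 not in refs:
                findings.append(Finding(s.path, s.md5, refs,
                                        s.size in {e.size for e in sxs}))
    return findings


# Constructed sample: these lines are copied from the search.txt in the thread.
SAMPLE = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\WINCE600\OSDesigns\Webserver\Webserver\RelDir\DSL_Vortex86_x86_Release\services.exe
[2011-02-08 08:37] - [2011-02-08 09:09] - 0008704 ____A () FF55978A1643521A20BE073694892CF8

=== End Of Search ===
"""

if __name__ == "__main__":
    for f in find_mismatches(parse_search(SAMPLE)):
        print(f"{f.path}: {f.md5} not among WinSxS copies {sorted(f.reference_md5s)} "
              f"(same size as reference: {f.same_size_as_reference})")
```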
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    FRST Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
     
  6. Keith C

    Keith C TS Rookie Topic Starter

    DragonMasterJay,

    The machine has rebooted fine after running this.

    The fixlog.txt output is:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-07-26 09:06:56 Run:1
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\Installer\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8} moved successfully.
    C:\Users\KeithC.DATASOUND\AppData\Local\{1d80c6f9-0959-ccc3-5793-5a1c687f9de8} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    I am impressed that you are willing to give up your time to help work toward resolving this. Thank you very much.
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome! I'm only glad to help. :)

    Please run the following tool:

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and this time rename
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  8. Keith C

    Keith C TS Rookie Topic Starter

    Output from ComboFix:

    ComboFix 12-07-27.01 - keithc 26/07/2012 12:40:35.1.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3031.1812 [GMT 1:00]
    Running from: c:\users\KeithC.DATASOUND\Desktop\ComboFix.exe
    AV: Lavasoft Ad-Aware *Disabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
    FW: Lavasoft Ad-Aware *Disabled* {7C60C9E6-45CB-6A4E-A458-CC330DD69F7B}
    SP: Lavasoft Ad-Aware *Disabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\users\KeithC.DATASOUND\AppData\Local\assembly\tmp
    c:\users\KeithC.DATASOUND\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9560D711-0A7F-4C35-80C8-200C898D6816}.xps
    c:\users\KeithC.DATASOUND\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A9596BDD-A96F-44B5-BCC0-B1D7D56F9C2E}.xps
    c:\users\KeithC.DATASOUND\AppData\Roaming\adaware-installer-reboot-required.tmp
    c:\users\KeithC.DATASOUND\AppData\Roaming\Microsoft\Windows\Cookies\WOWCTF3V.txt
    c:\users\KevinK\Documents\$AP2D8.tmp
    c:\users\KevinK\Documents\$AP2DD.tmp
    c:\users\KevinK\Documents\$AP2E1.tmp
    c:\users\KevinK\Documents\$AP2E5.tmp
    c:\users\KevinK\Documents\$AP2E9.tmp
    c:\users\KevinK\Documents\$AP45.tmp
    c:\users\KevinK\Documents\$AP49.tmp
    c:\users\KevinK\Documents\$AP4A.tmp
    c:\users\KevinK\Documents\$AP5A.tmp
    c:\users\KevinK\Documents\$AP5F.tmp
    c:\users\KevinK\Documents\$AP63.tmp
    c:\users\KevinK\Documents\$AP6B.tmp
    c:\users\KevinK\Documents\$AP6F.tmp
    c:\users\KevinK\Documents\$AP74.tmp
    c:\users\KevinK\Documents\$AP78.tmp
    c:\users\KevinK\Documents\$AP79.tmp
    c:\users\KevinK\Documents\$AP7D.tmp
    c:\users\KevinK\Documents\$AP7E.tmp
    c:\users\KevinK\Documents\$AP81.tmp
    c:\users\KevinK\Documents\$AP83.tmp
    c:\users\KevinK\Documents\$AP8B.tmp
    c:\users\KevinK\Documents\$AP8F.tmp
    c:\users\KevinK\Documents\$AP91.tmp
    c:\windows\system32\Temp
    c:\windows\system32\Temp\3rdparty\Tencent\Catalog\Tencent.PbcXml
    c:\windows\system32\Temp\3rdparty\Tencent\files\chatStateIcon.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\init_logo.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\left_arrow_black.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\left_arrow_blue.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\QQ.exe
    c:\windows\system32\Temp\3rdparty\Tencent\files\qq.llk
    c:\windows\system32\Temp\3rdparty\Tencent\files\right_arrow_black.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\right_arrow_blue.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\SelfDefault.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Black.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Black2.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Blue.png
    c:\windows\system32\Temp\3rdparty\Tencent\files\SendButton_Blue2.png
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-26 to 2012-07-26 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-26 11:51 . 2012-07-26 11:51 -------- d-----w- c:\users\KevinK\AppData\Local\temp
    2012-07-26 11:51 . 2012-07-26 11:51 -------- d-----w- c:\users\KeithC\AppData\Local\temp
    2012-07-26 11:51 . 2012-07-26 11:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-26 00:41 . 2012-07-26 00:42 -------- d-----w- C:\FRST
    2012-07-25 10:19 . 2012-07-25 10:19 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Roaming\Lavasoft
    2012-07-25 10:09 . 2012-07-26 11:55 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2012-07-25 10:09 . 2012-07-25 10:09 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Local\adaware
    2012-07-25 10:09 . 2011-12-19 11:44 93816 ----a-w- c:\windows\system32\drivers\sbhips.sys
    2012-07-25 10:09 . 2012-07-25 10:17 -------- d-----w- c:\program files\Ad-Aware Antivirus
    2012-07-25 10:09 . 2012-07-25 10:09 -------- d-----w- c:\windows\system32\drivers\VDD
    2012-07-25 10:09 . 2012-07-25 10:09 -------- d-----w- c:\programdata\Lavasoft
    2012-07-25 10:07 . 2012-07-25 10:34 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Roaming\Ad-Aware Antivirus
    2012-07-25 09:33 . 2012-07-25 09:33 -------- d-----w- c:\users\KeithC.DATASOUND\AppData\Roaming\Malwarebytes
    2012-07-25 09:32 . 2012-07-25 09:32 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-25 09:32 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-25 09:32 . 2012-07-25 09:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-23 13:29 . 2012-07-23 13:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-14 02:02 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 13:52 . 2012-04-16 10:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-12 13:52 . 2011-06-08 11:26 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-17 03:08 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-17 03:08 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-17 03:08 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-17 03:08 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-17 03:08 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-17 03:08 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-17 03:08 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 14:19 . 2012-06-17 03:08 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:12 . 2012-06-17 03:08 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-26 17:47 . 2012-05-26 17:47 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
    2012-04-28 03:17 . 2012-06-15 08:56 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2011-06-13 09:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WISE-FTP Task Planner"="c:\program files\AceBIT\WISE-FTP 6\wf_tp.exe" [2009-10-28 1769264]
    "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-21 718720]
    "DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2009-09-29 1885944]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-12 8423968]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-17 699104]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-24 140520]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-10-28 1657448]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
    "IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-03 284696]
    "DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2009-09-29 55808]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "MSCRM"="c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" [2011-04-28 58216]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2011-10-12 1627504]
    "Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
    .
    c:\users\KeithC.DATASOUND\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2010-6-16 25214]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3704106032-1294615849-3918947052-1140\Scripts\Logon\0\0]
    "Script"=Script.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3704106032-1294615849-3918947052-1140\Scripts\Logon\1\0]
    "Script"=logon.bat
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
    @="Ad-Aware Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS);c:\windows\system32\Drivers\icd2w2k.sys [x]
    R2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R3 LinkMD;Micrel Diagnostics;UNC\Dsl1\dsl library\DataSheets\Micrel\KSZ8841-pmql\KSZ88XX Software Package 20080707\M16C Software\Demo Program\LinkMD GUI Demo\LinkMD.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
    R3 SBHIPS;SBHIPS;c:\windows\system32\drivers\sbhips.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 XJLINK;XJLINK Driver;c:\windows\system32\drivers\xjlink.sys [x]
    R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [x]
    S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
    S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x]
    S2 altio;altio;c:\program files\Altium\AD 10\System\Drivers\altio.sys [x]
    S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [x]
    S2 clsbd;CDS Boolean Daemon;c:\cadence\SPB_15.5.1\tools\bin\clsbd.exe [x]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
    S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [x]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
    S2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [x]
    S2 siserial;Serial/IP Serial Driver;c:\windows\system32\drivers\siserial.sys [x]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
    S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
    S3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [x]
    S3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [x]
    S3 SNXPCARD;SUNIX Multi-I/O Card Driver;c:\windows\system32\DRIVERS\snxpcard.sys [x]
    S3 SNXPPALX;SUNIX Parallel Port Driver;c:\windows\system32\DRIVERS\snxppalx.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    GPSvcGroup REG_MULTI_SZ GPSvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 13:52]
    .
    2012-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-04 16:11]
    .
    2012-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-04 16:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: crm-server
    Trusted Zone: dsl3
    TCP: DhcpNameServer = 192.168.242.2
    DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    AddRemove-Altium Designer Release 10 {61CAD434-55E4-42A0-8184-D6A29DAC3FB5} - c:\program files\Altium\AD 10\System\Installation\uninstall.bat
    AddRemove-4150337710.192.168.0.200 - c:\program files\Microsoft Silverlight\4.0.60531.0\Silverlight.Configuration.exe
    AddRemove-571142265.192.168.242.200 - c:\program files\Microsoft Silverlight\4.1.10111.0\Silverlight.Configuration.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5564)
    c:\programdata\Ad-Aware Browsing Protection\adawarebp.dll
    c:\program files\Stardock\Fences\FencesMenu.dll
    c:\program files\stardock\fences\DesktopDock.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\altera\91sp2\quartus\bin\jtagserver.exe
    c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\TortoiseSVN\bin\TSVNCache.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-26 13:01:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-26 12:01
    .
    Pre-Run: 98,419,130,368 bytes free
    Post-Run: 103,766,167,552 bytes free
    .
    - - End Of File - - C44BD09DDA358E48A6B5238492212A3E
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  10. Keith C

    Keith C TS Rookie Topic Starter

    I have run ESET Online Scanner and it found 5 infected files.

    Unfortunately I don't have the c:\program files\EsetOnlineScanner directory.
    I do have c:\program files\ESET\EsetOnlineScanner, but there is no log.txt there, just the ActiveX and uninstaller.

    I have searched the entire C:\ drive and there is no log.txt created today.
     
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  12. Keith C

    Keith C TS Rookie Topic Starter

    I ran a second ESET scan and this found nothing more.

    I have re-installed Vipre and will do a full scan later.

    The machine seems to be running OK, at the moment.

    Thank you very much.
    You definitely deserve great Kudos for your effort.
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    If you reinstalled Vipre, make sure to remove AdAware or at least disable it.

    Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations.
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Please download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  14. Keith C

    Keith C TS Rookie Topic Starter

    AdAware has been uninstalled.
    System restore has been cleaned.
    OTC ran OK, but I needed to manually delete the OTC.exe from the desktop following the reboot.
    TFC ran OK.

    The output from Security check is:
    Results of screen317's Security Check version 0.99.43
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 4 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    GFI Software VIPRE
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Java(TM) 6 Update 29
    Java version out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

    The computer seems to be running OK.
     
  15. Keith C

    Keith C TS Rookie Topic Starter

    IE is actually IE9 and all updates are applied, as far as I am aware, with last MS updates installed on 14th July.

    I have updated Java to Version 7 Update 5
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Make sure to remove Java(TM) 6 Update 29 from your Programs list by uninstalling it. If you don't remove old versions, they can be exploited by hackers.

    Go to the Control Panel and enter Programs.
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Read more about Java exploit problems

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
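    The step above is a manual walk through Control Panel. As an added example (not part of the thread or of any tool the helper used), this PowerShell script reads the standard Uninstall registry keys, lists every Java runtime it finds, and flags all but the newest one as old so the leftover Java(TM) 6 Update 29 from the Security Check log is easy to spot. It assumes the usual HKLM Uninstall key layout and that each entry carries DisplayName, DisplayVersion and UninstallString values.

    ```powershell
    # Added example, not from the thread: find old Java runtimes that should be removed.
    # Assumption: installed programs are registered under the standard Uninstall keys
    # (the WOW6432Node key only exists on 64-bit Windows; the x86 machine in the thread
    # will simply have nothing there).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Match "Java(TM) 6 Update 29", "Java 7 Update 5" and legacy "J2SE Runtime Environment"
    # entries, but not unrelated items such as "Java Auto Updater" or "Java DB".
    $java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java(\(TM\))? \d|J2SE)' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, UninstallString

    if (-not $java) {
        Write-Host 'No Java runtime is registered in the Uninstall keys.'
        return
    }

    # Sort by numeric version (e.g. 6.0.290 < 7.0.50) so the newest install is last;
    # every earlier entry is an old runtime that still carries patched vulnerabilities.
    $sorted = @($java | Sort-Object { [version]($_.DisplayVersion -replace '[^0-9.]', '') })
    $newest = $sorted[-1]

    foreach ($j in $sorted) {
        if ($j.DisplayName -eq $newest.DisplayName) {
            Write-Host ('KEEP  {0} ({1})' -f $j.DisplayName, $j.DisplayVersion)
        } else {
            Write-Host ('OLD   {0} ({1})' -f $j.DisplayName, $j.DisplayVersion)
            # The registered uninstall command; review it, then run it from an elevated prompt.
            Write-Host ('      uninstall with: {0}' -f $j.UninstallString)
        }
    }
    ```

    The script only reports; nothing is removed until you run the printed uninstall command yourself.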
     
  17. Keith C

    Keith C TS Rookie Topic Starter

    I have uninstalled the old version of Java.

    Please mark this topic solved, and accept my thanks again.
     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    You're welcome. Marked solved. :)
     
Topic Status:
Not open for further replies.
