TechSpot

Trojan sireref.r and sireref.ah

By Alicia Foster
Aug 11, 2012
  1. Hi all!

    I am seeking some help for removing sireref.r and sireref.ah from my Vista 32-bit computer.
    MSE detected these two viruses and can't get rid of them. Currently the computer is continually rebooting itself after a 60-second window pops up stating a critical issue was found. I also have it in safe mode with networking currently.

    Any help would be greatly appreciated.

    Thanks!
     
  2. Alicia Foster

    Alicia Foster TS Rookie Topic Starter

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.11.04

    Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Foster :: FOSTER-PC [administrator]

    Protection: Disabled

    8/11/2012 6:36:30 PM
    mbam-log-2012-08-11 (18-36-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 39298
    Time elapsed: 1 minute(s), 31 second(s) [aborted]

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 22
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
    HKCR\CLSID\{07AA283A-43D7-4CBE-A064-32A21112D94D} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\Interface\{00B77587-BE1B-4201-B8E9-09FCF50AB771} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\HostIE.Bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\HostIE.Bho (Adware.Zango) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07AA283A-43D7-4CBE-A064-32A21112D94D} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07AA283A-43D7-4CBE-A064-32A21112D94D} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07AA283A-43D7-4CBE-A064-32A21112D94D} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\CLSID\{93B0FA7B-50F6-41B4-AC7E-612A72CE8C3C} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\HBMain.CommBand.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\HBMain.CommBand (Adware.Zango) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{93B0FA7B-50F6-41B4-AC7E-612A72CE8C3C} (Adware.Zango) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{93B0FA7B-50F6-41B4-AC7E-612A72CE8C3C} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\CLSID\{EA0B6A1A-6A59-4A58-9C41-9966504898A5} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\hbr.HbMain.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKCR\hbr.HbMain (Adware.Zango) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09F1ADAC-76D8-4D0F-99A5-5C907DADB988} (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E5B2693-D348-4CA7-8364-4F5E51BF9C6D} (Adware.Zango) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{07AA283A-43D7-4CBE-A064-32A21112D94D} (Adware.Zango) -> Data: :(ª×C¾L d2¢ÙM -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07AA283A-43D7-4CBE-A064-32A21112D94D} (Adware.Zango) -> Data: -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  3. Alicia Foster

    Alicia Foster TS Rookie Topic Starter

    I can't get a full scan because of the system reboot it's doing continually. I get about 2 mins worth of scan in and then it stops and reboots. Arrrghhh!
     
  4. Alicia Foster

    Alicia Foster TS Rookie Topic Starter

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-08-2012
    Ran by SYSTEM at 11-08-2012 19:09:38
    Running from K:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [CCUTRAYICON] FactoryMode [x]
    HKLM\...\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [1441792 2007-03-02] ()
    HKLM\...\Run: [WD Button Manager] WDBtnMgr.exe [x]
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM\...\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [563984 2007-10-25] ()
    HKLM\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide [2178832 2007-10-25] ()
    HKLM\...\Run: [Auto Run Software for Photo Frame] "C:\Program Files\Philips\Auto Run Software for Photo Frame\PhotoManager.exe" /autorun [x]
    HKLM\...\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" [398728 2008-01-29] (Symantec Corporation)
    HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
    HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40048 2007-05-11] (Adobe Systems Incorporated)
    HKLM\...\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe [45108 2002-09-23] (ScanSoft, Inc.)
    HKLM\...\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe [x]
    HKLM\...\Run: [PP8 Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini" [x]
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [413696 2009-01-05] (Apple Inc.)
    HKLM\...\Run: [DACSMiniApp] C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe [128256 2008-03-13] (Mattel Inc.)
    HKLM\...\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [118784 2007-02-15] (OsdMaestro)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13789728 2009-06-26] (NVIDIA Corporation)
    HKLM\...\Run: [KBD] C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)
    HKU\Default\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)
    HKU\Default User\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
    HKU\Foster\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\Foster\...\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup [454784 2007-03-15] (Linksys, a Division of Cisco Systems, Inc.)
    HKU\Foster\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
    HKLM\...\Runonce: [Launcher] %WINDIR%\SMINST\launcher.exe [x]
    HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [462920 2012-07-03] (Malwarebytes Corporation)
    Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
    ShortcutTarget: Snapfish Media Detector.lnk -> C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe ()

    ================================ Services (Whitelisted) ==================

    3 AlertService; "C:\Program Files\Intel\IntelDH\CCU\AlertService.exe" [188416 2006-09-11] (Intel(R) Corporation)
    2 DQLWinService; "C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [208896 2006-09-03] ()
    2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    2 IntelDHSvcConf; "C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [29696 2006-05-10] (Intel(R) Corporation)
    3 ISSM; "C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe" [75264 2006-09-11] (Intel(R) Corporation)
    3 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [121360 2008-05-01] (Logitech, Inc.)
    2 LiveUpdate Notice Service; "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" [537992 2008-04-10] (Symantec Corporation)
    2 LVCOMSer; "C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe" [186904 2007-10-19] (Logitech Inc.)
    2 LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [141848 2007-10-19] (Logitech Inc.)
    3 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [26624 2006-08-31] ()
    2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    3 MCLServiceATL; "C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe" [167936 2006-09-11] (Intel(R) Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    3 Remote UI Service; "C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe" [544256 2006-09-11] (Intel(R) Corporation)
    2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [763840 2012-07-11] (Enigma Software Group USA, LLC.)
    2 LightScribeService; "c:\Program Files\Common Files\LightScribe\LSSrvc.exe" [x]
    2 LiveUpdate Notice Ex; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
    3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

    ========================== Drivers (Whitelisted) =============

    4 adpu160m; C:\Windows\system32\drivers\adpu160m.sys [98408 2006-11-02] (Adaptec, Inc.)
    3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.)
    2 Aspi32; C:\Windows\System32\drivers\aspi32.sys [16512 2003-06-10] (Adaptec)
    1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [371248 2010-10-18] (Symantec Corporation)
    2 elagopro; C:\Windows\System32\DRIVERS\elagopro.sys [28672 2007-03-22] (Gteko Ltd.)
    2 elaunidr; C:\Windows\System32\DRIVERS\elaunidr.sys [5376 2007-03-22] (Gteko Ltd.)
    3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [391168 2009-03-19] (Hauppauge Computer Works, Inc)
    2 LBeepKE; C:\Windows\System32\Drivers\LBeepKE.sys [3712 2006-06-29] (Logitech, Inc.)
    3 LHidKe; C:\Windows\System32\DRIVERS\LHidKE.Sys [27264 2006-05-10] (Logitech, Inc.)
    3 LVcKap; C:\Windows\System32\DRIVERS\LVcKap.sys [2109976 2007-10-19] (Logitech Inc.)
    3 LVMVDrv; C:\Windows\System32\DRIVERS\LVMVDrv.sys [2142488 2007-10-11] (Logitech Inc.)
    3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25624 2007-10-11] ()
    3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [41752 2007-07-18] (Logitech Inc.)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
    3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-08-11] (Malwarebytes Corporation)
    2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2007-09-15] (RealNetworks, Inc.)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-11 19:09 - 2012-08-11 19:09 - 00000000 ____D C:\FRST
    2012-08-11 14:31 - 2012-08-11 14:58 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000868 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000868 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000000 ____D C:\Users\Foster\Application Data\Malwarebytes
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000000 ____D C:\Users\Foster\AppData\Roaming\Malwarebytes
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-08-11 14:30 - 2012-08-11 14:31 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2012-08-11 14:30 - 2012-07-03 09:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-11 14:28 - 2012-08-11 14:24 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Foster\Desktop\mbam-setup-1.62.0.1300.exe
    2012-08-11 13:46 - 2012-08-11 13:46 - 00002041 ____A C:\Users\Foster\Desktop\SpyHunter.lnk
    2012-08-11 13:46 - 2012-08-11 13:46 - 00000000 ____D C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP
    2012-08-11 13:46 - 2012-08-11 13:46 - 00000000 ____D C:\sh4ldr
    2012-08-11 13:46 - 2012-08-11 13:46 - 00000000 ____D C:\Program Files\Enigma Software Group
    2012-08-11 13:46 - 2012-08-11 13:46 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
    2012-08-11 12:19 - 2012-08-11 12:19 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-11 12:08 - 2012-08-11 12:08 - 10288512 ____A (Microsoft Corporation) C:\Users\Foster\Downloads\mseinstall (1).exe
    2012-08-11 12:05 - 2012-08-11 12:05 - 00136352 ____A C:\Windows\Minidump\Mini081112-01.dmp
    2012-08-11 12:05 - 2012-08-11 12:05 - 00000000 ____D C:\Windows\Minidump
    2012-08-11 12:04 - 2012-08-11 12:04 - 125547671 ____A C:\Windows\MEMORY.DMP
    2012-08-11 11:13 - 2012-08-11 13:27 - 00000680 ____A C:\Users\Foster\Local Settings\d3d9caps.dat
    2012-08-11 11:13 - 2012-08-11 13:27 - 00000680 ____A C:\Users\Foster\Local Settings\Application Data\d3d9caps.dat
    2012-08-11 11:13 - 2012-08-11 13:27 - 00000680 ____A C:\Users\Foster\AppData\Local\d3d9caps.dat
    2012-08-11 10:39 - 2012-08-11 12:09 - 00000000 ____D C:\Windows\pss
    2012-08-11 10:07 - 2012-08-11 10:07 - 00000000 ____D C:\Program Files\Microsoft Security Client(2)
    2012-07-29 09:51 - 2012-07-29 09:51 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-17 12:37 - 2012-07-17 12:37 - 00000000 ____D C:\Users\Foster\Local Settings\Macromedia
    2012-07-17 12:37 - 2012-07-17 12:37 - 00000000 ____D C:\Users\Foster\Local Settings\Application Data\Macromedia
    2012-07-17 12:37 - 2012-07-17 12:37 - 00000000 ____D C:\Users\Foster\AppData\Local\Macromedia
    2012-07-14 06:32 - 2012-08-10 20:00 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-14 06:32 - 2012-08-03 00:00 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-07-12 00:01 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    ============ 3 Months Modified Files ========================

    2012-08-11 16:02 - 2006-11-02 02:22 - 43515904 ____A C:\Windows\System32\config\software_previous
    2012-08-11 16:02 - 2006-11-02 02:22 - 23330816 ____A C:\Windows\System32\config\system_previous
    2012-08-11 15:58 - 2006-11-02 02:22 - 40108032 ____A C:\Windows\System32\config\components_previous
    2012-08-11 15:58 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-08-11 14:58 - 2012-08-11 14:31 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000868 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-11 14:31 - 2012-08-11 14:31 - 00000868 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-11 14:24 - 2012-08-11 14:28 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Foster\Desktop\mbam-setup-1.62.0.1300.exe
    2012-08-11 13:46 - 2012-08-11 13:46 - 00002041 ____A C:\Users\Foster\Desktop\SpyHunter.lnk
    2012-08-11 13:27 - 2012-08-11 11:13 - 00000680 ____A C:\Users\Foster\Local Settings\d3d9caps.dat
    2012-08-11 13:27 - 2012-08-11 11:13 - 00000680 ____A C:\Users\Foster\Local Settings\Application Data\d3d9caps.dat
    2012-08-11 13:27 - 2012-08-11 11:13 - 00000680 ____A C:\Users\Foster\AppData\Local\d3d9caps.dat
    2012-08-11 13:04 - 2006-11-02 02:33 - 00706778 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-11 12:27 - 2010-04-17 11:56 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
    2012-08-11 12:26 - 2010-04-12 12:54 - 00048318 ____A C:\Users\All Users\nvModes.dat
    2012-08-11 12:26 - 2010-04-12 12:54 - 00048318 ____A C:\Users\All Users\nvModes.001
    2012-08-11 12:26 - 2010-04-12 12:54 - 00048318 ____A C:\Users\All Users\Application Data\nvModes.dat
    2012-08-11 12:26 - 2010-04-12 12:54 - 00048318 ____A C:\Users\All Users\Application Data\nvModes.001
    2012-08-11 12:26 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-11 12:26 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-11 12:26 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-11 12:21 - 2011-02-10 20:26 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-11 12:21 - 2007-07-05 19:50 - 01332819 ____A C:\Windows\WindowsUpdate.log
    2012-08-11 12:08 - 2012-08-11 12:08 - 10288512 ____A (Microsoft Corporation) C:\Users\Foster\Downloads\mseinstall (1).exe
    2012-08-11 12:05 - 2012-08-11 12:05 - 00136352 ____A C:\Windows\Minidump\Mini081112-01.dmp
    2012-08-11 12:04 - 2012-08-11 12:04 - 125547671 ____A C:\Windows\MEMORY.DMP
    2012-08-11 11:54 - 2006-11-02 02:22 - 00524288 ____A C:\Windows\System32\config\default_previous
    2012-08-11 11:54 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-08-10 20:00 - 2012-07-14 06:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-03 00:00 - 2012-07-14 06:32 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-03 00:00 - 2011-10-08 11:06 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-12 00:19 - 2006-11-02 04:47 - 00312536 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-12 00:17 - 2006-11-02 05:01 - 00032610 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-11 23:02 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-07-03 09:46 - 2012-08-11 14:30 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-13 05:40 - 2012-07-12 00:01 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-11 20:49 - 2012-06-11 20:49 - 16808240 ____A (Mozilla) C:\Users\Foster\Downloads\yahoo_firefox_13.0_setup_us.exe
    2012-06-08 09:47 - 2012-07-10 23:40 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-05 08:47 - 2012-07-10 23:40 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-05 08:47 - 2012-07-10 23:40 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-04 07:26 - 2012-07-10 23:40 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-08 15:07 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-08 15:07 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-08 15:07 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-08 15:07 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-08 15:07 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:12 - 2012-06-08 15:07 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:12 - 2012-06-08 15:07 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-08 15:07 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:12 - 2012-06-08 15:07 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 01:07 - 2012-07-11 23:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 23:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 23:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 23:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 23:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 00:23 - 2012-07-11 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 00:21 - 2012-07-11 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 23:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 23:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 23:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 00:17 - 2012-07-11 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 23:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-01 16:04 - 2012-07-10 23:40 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:03 - 2012-07-10 23:40 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    ZeroAccess:
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\@
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\n
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L\00000004.@
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L\201d3dde
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U\00000004.@
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U\00000008.@
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U\000000cb.@
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U\80000000.@
    C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U\80000032.@

    ZeroAccess:
    C:\Users\Foster\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}
    C:\Users\Foster\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\@
    C:\Users\Foster\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L
    C:\Users\Foster\AppData\Local\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 17%
    Total physical RAM: 3069.88 MB
    Available physical RAM: 2535.45 MB
    Total Pagefile: 2775.16 MB
    Available Pagefile: 2599.4 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.51 MB

    ======================= Partitions =========================

    1 Drive c: (HP) (Fixed) (Total:289.16 GB) (Free:11.55 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (Recovery) (Fixed) (Total:8.92 GB) (Free:1.01 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (HP_PAVILION) (Fixed) (Total:298.09 GB) (Free:297.99 GB) NTFS
    9 Drive k: () (Removable) (Total:0.96 GB) (Free:0.95 GB) FAT
    10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 1528 KB
    Disk 1 Online 298 GB 1528 KB
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B
    Disk 6 Online 983 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 289 GB 32 KB
    Partition 2 Primary 9 GB 289 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C HP NTFS Partition 289 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 D Recovery NTFS Partition 9 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 298 GB 32 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 E HP_PAVILION NTFS Partition 298 GB Healthy

    ==================================================================================

    Partitions of Disk 6:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 983 MB 16 KB

    ==================================================================================

    Disk: 6
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 K FAT Removable 983 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-11 12:16

    ======================= End Of Log ==========================
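The FRST log above carries two kinds of finding that a responder acts on: the "Bamital & volsnap Check" section, where a system file whose MD5 does not match the known-good value is printed with its hash and a family tag (here services.exe, tagged ZeroAccess), and the "ZeroAccess:" blocks listing the hidden {GUID} directory with its "@", "L", "n" and "U" entries. The following Python is an added example, not code from this thread, from FRST or from Farbar: it parses those two sections out of a pasted log so the findings can be triaged as data rather than read by eye. The line formats are assumed to be exactly as quoted in the log above, and the sample log embedded in the block is constructed from that log (paths, the MD5 and the GUID are copied from it); the section-header and directory-layout checks are my own.

```python
"""Parse the findings sections of a Farbar Recovery Scan Tool (FRST) log.

Added example for the thread above; the line formats are taken from the log
quoted there, and the sample below is constructed from that log.
"""
import re
from typing import Dict, List

# Constructed sample input, modelled on the FRST log in this thread.
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)

ZeroAccess:
C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}
C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\@
C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\L
C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U
C:\Windows\Installer\{79b005e2-7326-8a47-eca5-cdb3a313f029}\U\00000004.@

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
"""

# '==== name ====' section headers, as FRST prints them.
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
# Known-good file: '<path> => MD5 is legit'
LEGIT_RE = re.compile(r"^(?P<path>.+?) => MD5 is legit$")
# Modified system file: '<path> <md5> <family> <==== ATTENTION!.'
ATTENTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<md5>[0-9A-Fa-f]{32}) (?P<tag>\S+) <==== ATTENTION")
# A directory whose last component is a {GUID}.
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f-]{36}\}$", re.IGNORECASE)


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group log lines under the header that precedes them ('' before the first)."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for line in log.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def parse_integrity_checks(log: str) -> List[dict]:
    """One record per file in the 'Bamital & volsnap Check' section."""
    findings = []
    for line in split_sections(log).get("Bamital & volsnap Check", []):
        if not line:
            continue
        m = LEGIT_RE.match(line)
        if m:
            findings.append({"path": m.group("path"), "ok": True,
                             "md5": None, "tag": None})
            continue
        m = ATTENTION_RE.match(line)
        if m:
            findings.append({"path": m.group("path"), "ok": False,
                             "md5": m.group("md5").upper(),
                             "tag": m.group("tag")})
    return findings


def parse_zeroaccess_blocks(log: str) -> List[List[str]]:
    """Collect each 'ZeroAccess:' block (its lines up to the next blank line)."""
    blocks: List[List[str]] = []
    current = None
    for line in log.splitlines():
        line = line.rstrip()
        if line == "ZeroAccess:":
            current = []
            blocks.append(current)
        elif current is not None:
            if line == "":
                current = None
            else:
                current.append(line)
    return blocks


def has_guid_store_layout(paths: List[str]) -> bool:
    """True when a block holds a {GUID} directory with an '@' entry and a 'U'
    subfolder directly beneath it, the layout FRST reported in this thread."""
    for root in (p for p in paths if GUID_DIR_RE.search(p)):
        children = {p[len(root) + 1:] for p in paths if p.startswith(root + "\\")}
        if "@" in children and "U" in children:
            return True
    return False


def triage(log: str) -> dict:
    """Summarise the findings a responder should look at first."""
    checks = parse_integrity_checks(log)
    blocks = parse_zeroaccess_blocks(log)
    return {
        "modified_system_files": [c for c in checks if not c["ok"]],
        "zeroaccess_blocks": len(blocks),
        "guid_store_present": any(has_guid_store_layout(b) for b in blocks),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` reports one modified system file (services.exe with the hash FRST printed), two ZeroAccess blocks, and that the {GUID} store layout is present. The parser deliberately keys off the "=> MD5 is legit" and "<==== ATTENTION" markers rather than any hash list of its own, so it makes no claim about which MD5 is correct; that judgement stays with FRST, and the hash is carried through only so the responder can check it against a known-good copy.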
     
  5. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================

    Re-run FRST.
    Type the following in the edit box after "Search:".

    services.exe

    Click the Search button and post the log (Search.txt) it makes in your reply.
     
Topic Status:
Not open for further replies.
