Inactive Trojan Win64/Sirefef.Y

Status
Not open for further replies.
[FONT=arial]Trojan Win64/Sirefef.Y[/FONT]

[FONT=arial]Hi my step dads computer has this virus and its kicking my ***. Its restarting every minute and I cant do anything. I have run frs. and here is the log. [/FONT]
[FONT=arial]can result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-10-2012 01[/FONT]
[FONT=arial]Ran by SYSTEM at 03-10-2012 20:56:07[/FONT]
[FONT=arial]Running from D:\[/FONT]
[FONT=arial]Windows 7 Home Premium (X64) OS Language: English(US) [/FONT]
[FONT=arial]The current controlset is ControlSet001[/FONT]

[FONT=arial]==================== Registry (Whitelisted) ===================[/FONT]

[FONT=arial]HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2799912 2012-02-02] (Synaptics Incorporated)[/FONT]
[FONT=arial]HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2012-02-02] (IDT, Inc.)[/FONT]
[FONT=arial]HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2012-02-02] (Renesas Electronics Corporation)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company L.P.)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2011-03-16] (EasyBits Software AS)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [574008 2011-07-11] (Hewlett-Packard Development Company, L.P.)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [87336 2011-03-30] (CyberLink Corp.)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [75048 2012-02-03] (cyberlink)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)[/FONT]
[FONT=arial]HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)[/FONT]
[FONT=arial]HKU\Guest\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe -update activex [x][/FONT]
[FONT=arial]HKU\jody\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)[/FONT]
[FONT=arial]Tcpip\Parameters: [DhcpNameServer] 192.168.1.1[/FONT]

[FONT=arial]==================== Services (Whitelisted) ===================[/FONT]

[FONT=arial]2 CLKMSVC10_38F51D56; "C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe" /svc [241648 2011-02-24] (CyberLink)[/FONT]
[FONT=arial]3 hpCMSrv; "C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe" [1071160 2011-02-15] (Hewlett-Packard Development Company L.P.)[/FONT]
[FONT=arial]2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)[/FONT]
[FONT=arial]2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)[/FONT]
[FONT=arial]2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)[/FONT]
[FONT=arial]2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.0.13\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)[/FONT]
[FONT=arial]3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)[/FONT]

[FONT=arial]==================== Drivers (Whitelisted) =====================[/FONT]

[FONT=arial]1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20120215.001\BHDrvx64.sys [1157240 2011-11-30] (Symantec Corporation)[/FONT]
[FONT=arial]1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-02-03] (Symantec Corporation)[/FONT]
[FONT=arial]3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-02-03] (Symantec Corporation)[/FONT]
[FONT=arial]1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120224.002\IDSvia64.sys [488568 2011-12-15] (Symantec Corporation)[/FONT]
[FONT=arial]3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)[/FONT]
[FONT=arial]3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120225.008\ENG64.SYS [117880 2011-12-28] (Symantec Corporation)[/FONT]
[FONT=arial]3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120225.008\EX64.SYS [2048632 2011-12-28] (Symantec Corporation)[/FONT]
[FONT=arial]3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207000.00D\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)[/FONT]
[FONT=arial]1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207000.00D\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)[/FONT]
[FONT=arial]0 SymDS; C:\Windows\System32\drivers\NISx64\1207000.00D\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)[/FONT]
[FONT=arial]0 SymEFA; C:\Windows\System32\drivers\NISx64\1207000.00D\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)[/FONT]
[FONT=arial]3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-12-28] (Symantec Corporation)[/FONT]
[FONT=arial]1 SymIRON; C:\Windows\system32\drivers\NISx64\1207000.00D\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)[/FONT]
[FONT=arial]1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207000.00D\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)[/FONT]

[FONT=arial]==================== NetSvcs (Whitelisted) ====================[/FONT]


[FONT=arial]==================== One Month Created Files and Folders ========[/FONT]

[FONT=arial]2012-10-03 17:46 - 2012-10-03 17:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8544FD77FD9EC3B2[/FONT]
[FONT=arial]2012-10-03 17:41 - 2012-10-03 17:41 - 00000000 ____D C:\FRST[/FONT]
[FONT=arial]2012-10-03 17:40 - 2012-10-03 17:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.194DFFAB70A8D7FB[/FONT]
[FONT=arial]2012-10-03 17:36 - 2012-10-03 17:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.844FB182A62F0BB1[/FONT]
[FONT=arial]2012-10-03 17:34 - 2012-10-03 17:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5A5D176DC73C47B4[/FONT]
[FONT=arial]2012-10-03 17:30 - 2012-10-03 17:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EB9B8F8F768342A3[/FONT]
[FONT=arial]2012-10-03 17:25 - 2012-10-03 17:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1D0D97392E8C94EE[/FONT]
[FONT=arial]2012-10-03 17:22 - 2012-10-03 17:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1EB841C62C24FD8E[/FONT]
[FONT=arial]2012-10-03 17:19 - 2012-10-03 17:19 - 13529576 ____A (Microsoft Corporation) C:\Users\jody\Downloads\mseinstall (1).exe[/FONT]
[FONT=arial]2012-10-03 17:15 - 2012-10-03 17:48 - 00000392 ____A C:\Windows\setupact.log[/FONT]
[FONT=arial]2012-10-03 17:15 - 2012-10-03 17:44 - 00002258 ____A C:\Windows\PFRO.log[/FONT]
[FONT=arial]2012-10-03 17:15 - 2012-10-03 17:15 - 00000000 ____A C:\Windows\setuperr.log[/FONT]
[FONT=arial]2012-10-02 09:38 - 2012-10-02 09:38 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%[/FONT]
[FONT=arial]2012-10-02 08:14 - 2012-10-02 08:23 - 83023306 ___AT C:\Users\All Users\424c029.pad[/FONT]
[FONT=arial]2012-10-02 07:57 - 2012-10-02 07:57 - 00188416 ____A (?????????? ??????????) C:\Users\jody\Documents\920c424.dll[/FONT]
[FONT=arial]2012-09-25 10:38 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe[/FONT]
[FONT=arial]2012-09-24 18:38 - 2012-09-24 18:38 - 00000000 ____D C:\Users\jody\AppData\Local\{E2DA8629-8C61-42B4-9350-802C95C4E6BA}[/FONT]
[FONT=arial]2012-09-23 03:13 - 2012-09-23 03:13 - 00000000 ____D C:\Users\jody\AppData\Local\Hewlett-Packard_Developme[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb[/FONT]
[FONT=arial]2012-09-22 13:34 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll[/FONT]
[FONT=arial]2012-09-18 17:16 - 2012-09-18 17:16 - 00000000 ____D C:\Users\jody\Documents\Blio[/FONT]
[FONT=arial]2012-09-18 17:16 - 2012-09-18 17:16 - 00000000 ____D C:\Users\jody\AppData\Roaming\Blio[/FONT]
[FONT=arial]2012-09-18 17:16 - 2012-09-18 17:16 - 00000000 ____D C:\Users\All Users\Blio[/FONT]
[FONT=arial]2012-09-18 11:25 - 2012-09-18 11:25 - 00000000 ____D C:\Users\jody\AppData\Local\{80382E78-98E9-4CE9-921F-ED1C72C5160D}[/FONT]
[FONT=arial]2012-09-12 02:17 - 2012-09-12 02:17 - 00000000 ____D C:\Users\jody\AppData\Local\{1E2AF1C8-7D16-4DA1-9D9A-86DDBCC4E554}[/FONT]
[FONT=arial]2012-09-11 14:37 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys[/FONT]
[FONT=arial]2012-09-11 14:37 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys[/FONT]
[FONT=arial]2012-09-11 14:37 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys[/FONT]
[FONT=arial]2012-09-11 14:37 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS[/FONT]
[FONT=arial]2012-09-11 14:37 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll[/FONT]
[FONT=arial]2012-09-11 14:37 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll[/FONT]
[FONT=arial]2012-09-11 14:37 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys[/FONT]

[FONT=arial]==================== 3 Months Modified Files ==================[/FONT]

[FONT=arial]2012-10-03 17:48 - 2012-10-03 17:15 - 00000392 ____A C:\Windows\setupact.log[/FONT]
[FONT=arial]2012-10-03 17:46 - 2012-10-03 17:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8544FD77FD9EC3B2[/FONT]
[FONT=arial]2012-10-03 17:44 - 2012-10-03 17:15 - 00002258 ____A C:\Windows\PFRO.log[/FONT]
[FONT=arial]2012-10-03 17:40 - 2012-10-03 17:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.194DFFAB70A8D7FB[/FONT]
[FONT=arial]2012-10-03 17:40 - 2012-05-15 15:47 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job[/FONT]
[FONT=arial]2012-10-03 17:39 - 2012-05-15 15:47 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job[/FONT]
[FONT=arial]2012-10-03 17:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT[/FONT]
[FONT=arial]2012-10-03 17:36 - 2012-10-03 17:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.844FB182A62F0BB1[/FONT]
[FONT=arial]2012-10-03 17:34 - 2012-10-03 17:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5A5D176DC73C47B4[/FONT]
[FONT=arial]2012-10-03 17:30 - 2012-10-03 17:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EB9B8F8F768342A3[/FONT]
[FONT=arial]2012-10-03 17:25 - 2012-10-03 17:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1D0D97392E8C94EE[/FONT]
[FONT=arial]2012-10-03 17:22 - 2012-10-03 17:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1EB841C62C24FD8E[/FONT]
[FONT=arial]2012-10-03 17:21 - 2012-08-19 10:27 - 00001945 ____A C:\Windows\epplauncher.mif[/FONT]
[FONT=arial]2012-10-03 17:19 - 2012-10-03 17:19 - 13529576 ____A (Microsoft Corporation) C:\Users\jody\Downloads\mseinstall (1).exe[/FONT]
[FONT=arial]2012-10-03 17:15 - 2012-10-03 17:15 - 00000000 ____A C:\Windows\setuperr.log[/FONT]
[FONT=arial]2012-10-03 16:42 - 2012-05-15 15:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job[/FONT]
[FONT=arial]2012-10-03 16:32 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0[/FONT]
[FONT=arial]2012-10-03 16:32 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0[/FONT]
[FONT=arial]2012-10-02 17:59 - 2009-07-13 21:13 - 00730472 ____A C:\Windows\System32\PerfStringBackup.INI[/FONT]
[FONT=arial]2012-10-02 08:23 - 2012-10-02 08:14 - 83023306 ___AT C:\Users\All Users\424c029.pad[/FONT]
[FONT=arial]2012-10-02 07:57 - 2012-10-02 07:57 - 00188416 ____A (?????????? ??????????) C:\Users\jody\Documents\920c424.dll[/FONT]
[FONT=arial]2012-09-29 12:32 - 2012-08-19 10:38 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForjody.job[/FONT]
[FONT=arial]2012-09-28 18:05 - 2011-12-29 17:26 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log[/FONT]
[FONT=arial]2012-09-21 02:42 - 2012-05-15 15:47 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe[/FONT]
[FONT=arial]2012-09-21 02:42 - 2012-05-15 15:47 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl[/FONT]
[FONT=arial]2012-09-12 02:16 - 2012-01-19 20:10 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe[/FONT]
[FONT=arial]2012-09-07 14:04 - 2012-08-19 13:25 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys[/FONT]
[FONT=arial]2012-08-30 19:03 - 2012-08-30 19:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys[/FONT]
[FONT=arial]2012-08-30 19:03 - 2012-03-20 17:44 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys[/FONT]
[FONT=arial]2012-08-24 03:15 - 2012-09-22 13:34 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll[/FONT]
[FONT=arial]2012-08-24 02:39 - 2012-09-22 13:34 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll[/FONT]
[FONT=arial]2012-08-24 02:31 - 2012-09-22 13:34 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll[/FONT]
[FONT=arial]2012-08-24 02:22 - 2012-09-22 13:34 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll[/FONT]
[FONT=arial]2012-08-24 02:21 - 2012-09-22 13:34 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll[/FONT]
[FONT=arial]2012-08-24 02:20 - 2012-09-22 13:34 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl[/FONT]
[FONT=arial]2012-08-24 02:18 - 2012-09-22 13:34 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll[/FONT]
[FONT=arial]2012-08-24 02:17 - 2012-09-22 13:34 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll[/FONT]
[FONT=arial]2012-08-24 02:14 - 2012-09-22 13:34 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll[/FONT]
[FONT=arial]2012-08-24 02:14 - 2012-09-22 13:34 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe[/FONT]
[FONT=arial]2012-08-24 02:13 - 2012-09-22 13:34 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll[/FONT]
[FONT=arial]2012-08-24 02:12 - 2012-09-22 13:34 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll[/FONT]
[FONT=arial]2012-08-24 02:11 - 2012-09-22 13:34 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll[/FONT]
[FONT=arial]2012-08-24 02:10 - 2012-09-22 13:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll[/FONT]
[FONT=arial]2012-08-24 02:09 - 2012-09-22 13:34 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb[/FONT]
[FONT=arial]2012-08-24 02:04 - 2012-09-22 13:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll[/FONT]
[FONT=arial]2012-08-23 23:27 - 2012-09-22 13:34 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll[/FONT]
[FONT=arial]2012-08-23 23:03 - 2012-09-22 13:34 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll[/FONT]
[FONT=arial]2012-08-23 22:59 - 2012-09-22 13:34 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll[/FONT]
[FONT=arial]2012-08-23 22:51 - 2012-09-22 13:34 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl[/FONT]
[FONT=arial]2012-08-23 22:51 - 2012-09-22 13:34 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll[/FONT]
[FONT=arial]2012-08-23 22:51 - 2012-09-22 13:34 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll[/FONT]
[FONT=arial]2012-08-23 22:49 - 2012-09-22 13:34 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll[/FONT]
[FONT=arial]2012-08-23 22:48 - 2012-09-22 13:34 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll[/FONT]
[FONT=arial]2012-08-23 22:47 - 2012-09-22 13:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll[/FONT]
[FONT=arial]2012-08-23 22:47 - 2012-09-22 13:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll[/FONT]
[FONT=arial]2012-08-23 22:47 - 2012-09-22 13:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe[/FONT]
[FONT=arial]2012-08-23 22:45 - 2012-09-22 13:34 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll[/FONT]
[FONT=arial]2012-08-23 22:44 - 2012-09-22 13:34 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll[/FONT]
[FONT=arial]2012-08-23 22:44 - 2012-09-22 13:34 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll[/FONT]
[FONT=arial]2012-08-23 22:43 - 2012-09-22 13:34 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb[/FONT]
[FONT=arial]2012-08-23 22:40 - 2012-09-22 13:34 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll[/FONT]
[FONT=arial]2012-08-22 10:12 - 2012-09-11 14:37 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys[/FONT]
[FONT=arial]2012-08-22 10:12 - 2012-09-11 14:37 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys[/FONT]
[FONT=arial]2012-08-22 10:12 - 2012-09-11 14:37 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys[/FONT]
[FONT=arial]2012-08-22 10:12 - 2012-09-11 14:37 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS[/FONT]
[FONT=arial]2012-08-21 17:31 - 2011-06-21 11:31 - 00002590 ____N C:\Users\Public\Desktop\WildTangent Games App - hp.lnk[/FONT]
[FONT=arial]2012-08-21 17:30 - 2012-08-21 17:30 - 00002590 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk[/FONT]
[FONT=arial]2012-08-21 16:43 - 2012-08-21 16:43 - 00002212 ____A C:\Users\Public\Desktop\Google Earth.lnk[/FONT]
[FONT=arial]2012-08-21 13:01 - 2012-09-25 10:38 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe[/FONT]
[FONT=arial]2012-08-19 13:25 - 2012-08-19 13:25 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk[/FONT]
[FONT=arial]2012-08-19 13:14 - 2009-07-13 20:45 - 00276072 ____A C:\Windows\System32\FNTCACHE.DAT[/FONT]
[FONT=arial]2012-08-19 11:20 - 2012-01-02 10:48 - 00744796 ____A C:\Windows\SysWOW64\PerfStringBackup.INI[/FONT]
[FONT=arial]2012-08-19 11:19 - 2012-08-19 11:19 - 12621696 ____A (Microsoft Corporation) C:\Users\jody\Downloads\mseinstall.exe[/FONT]
[FONT=arial]2012-08-19 11:17 - 2012-08-19 11:17 - 00002255 ____A C:\Users\jody\Desktop\Google Chrome.lnk[/FONT]
[FONT=arial]2012-08-19 10:28 - 2012-08-19 10:28 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk[/FONT]
[FONT=arial]2012-08-19 09:18 - 2012-08-19 10:10 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\jody\Desktop\mbam-setup-1.62.0.1300.exe[/FONT]
[FONT=arial]2012-08-02 09:58 - 2012-09-11 14:37 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll[/FONT]
[FONT=arial]2012-08-02 08:57 - 2012-09-11 14:37 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll[/FONT]
[FONT=arial]2012-07-18 10:15 - 2012-08-19 10:29 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys[/FONT]


[FONT=arial]ZeroAccess:[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\@[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L\00000004.@[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L\201d3dde[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U\00000004.@[/FONT]
[FONT=arial]C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U\80000064.@[/FONT]

[FONT=arial]ZeroAccess:[/FONT]
[FONT=arial]C:\Windows\assembly\GAC_32\Desktop.ini[/FONT]

[FONT=arial]ZeroAccess:[/FONT]
[FONT=arial]C:\Windows\assembly\GAC_64\Desktop.ini[/FONT]

[FONT=arial]ZeroAccess:[/FONT]
[FONT=arial]C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}[/FONT]
[FONT=arial]C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\@[/FONT]
[FONT=arial]C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L[/FONT]
[FONT=arial]C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U[/FONT]

[FONT=arial]==================== Known DLLs (Whitelisted) =================[/FONT]


[FONT=arial]==================== Bamital & volsnap Check =================[/FONT]

[FONT=arial]C:\Windows\System32\winlogon.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\System32\wininit.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\SysWOW64\wininit.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\explorer.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\SysWOW64\explorer.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\System32\svchost.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\SysWOW64\svchost.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.[/FONT]
[FONT=arial]C:\Windows\System32\User32.dll => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\SysWOW64\User32.dll => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\System32\userinit.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\SysWOW64\userinit.exe => MD5 is legit[/FONT]
[FONT=arial]C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit[/FONT]

[FONT=arial]==================== EXE ASSOCIATION =====================[/FONT]

[FONT=arial]HKLM\...\.exe: exefile => OK[/FONT]
[FONT=arial]HKLM\...\exefile\DefaultIcon: %1 => OK[/FONT]
[FONT=arial]HKLM\...\exefile\open\command: "%1" %* => OK[/FONT]

[FONT=arial]==================== Restore Points =========================[/FONT]

[FONT=arial]Restore point made on: 2012-08-28 14:21:59[/FONT]
[FONT=arial]Restore point made on: 2012-09-04 14:36:32[/FONT]
[FONT=arial]Restore point made on: 2012-09-07 17:17:47[/FONT]
[FONT=arial]Restore point made on: 2012-09-11 14:46:13[/FONT]
[FONT=arial]Restore point made on: 2012-09-12 02:16:04[/FONT]
[FONT=arial]Restore point made on: 2012-09-16 15:24:53[/FONT]
[FONT=arial]Restore point made on: 2012-09-18 15:34:58[/FONT]
[FONT=arial]Restore point made on: 2012-09-20 12:44:27[/FONT]
[FONT=arial]Restore point made on: 2012-09-22 13:33:57[/FONT]
[FONT=arial]Restore point made on: 2012-09-27 11:29:26[/FONT]
[FONT=arial]Restore point made on: 2012-10-01 12:25:17[/FONT]

[FONT=arial]==================== Memory info =========================== [/FONT]

[FONT=arial]Percentage of memory in use: 13%[/FONT]
[FONT=arial]Total physical RAM: 6091.86 MB[/FONT]
[FONT=arial]Available physical RAM: 5292.93 MB[/FONT]
[FONT=arial]Total Pagefile: 6090.01 MB[/FONT]
[FONT=arial]Available Pagefile: 5293.57 MB[/FONT]
[FONT=arial]Total Virtual: 8192 MB[/FONT]
[FONT=arial]Available Virtual: 8191.91 MB[/FONT]

[FONT=arial]==================== Partitions =============================[/FONT]

[FONT=arial]1 Drive c: () (Fixed) (Total:684.13 GB) (Free:626.33 GB) NTFS ==>[System with boot components (obtained from reading drive)][/FONT]
[FONT=arial]2 Drive d: (PRINCESS CK) (Removable) (Total:3.74 GB) (Free:3.17 GB) FAT32[/FONT]
[FONT=arial]3 Drive f: (RECOVERY) (Fixed) (Total:14.21 GB) (Free:1.58 GB) NTFS ==>[System with boot components (obtained from reading drive)][/FONT]
[FONT=arial]4 Drive g: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.08 GB) FAT32[/FONT]
[FONT=arial]6 Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS[/FONT]
[FONT=arial]7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)][/FONT]

[FONT=arial]Disk ### Status Size Free Dyn Gpt[/FONT]
[FONT=arial]-------- ------------- ------- ------- --- ---[/FONT]
[FONT=arial]Disk 0 Online 698 GB 0 B [/FONT]
[FONT=arial]Disk 1 Online 3835 MB 0 B [/FONT]

[FONT=arial]Partitions of Disk 0:[/FONT]
[FONT=arial]===============[/FONT]

[FONT=arial]Partition ### Type Size Offset[/FONT]
[FONT=arial]------------- ---------------- ------- -------[/FONT]
[FONT=arial]Partition 1 Primary 199 MB 1024 KB[/FONT]
[FONT=arial]Partition 2 Primary 684 GB 200 MB[/FONT]
[FONT=arial]Partition 3 Primary 14 GB 684 GB[/FONT]
[FONT=arial]Partition 4 Primary 102 MB 698 GB[/FONT]

[FONT=arial]==================================================================================[/FONT]

[FONT=arial]Disk: 0[/FONT]
[FONT=arial]Partition 1[/FONT]
[FONT=arial]Type : 07[/FONT]
[FONT=arial]Hidden: No[/FONT]
[FONT=arial]Active: Yes[/FONT]

[FONT=arial]Volume ### Ltr Label Fs Type Size Status Info[/FONT]
[FONT=arial]---------- --- ----------- ----- ---------- ------- --------- --------[/FONT]
[FONT=arial]* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy [/FONT]

[FONT=arial]=========================================================[/FONT]

[FONT=arial]Disk: 0[/FONT]
[FONT=arial]Partition 2[/FONT]
[FONT=arial]Type : 07[/FONT]
[FONT=arial]Hidden: No[/FONT]
[FONT=arial]Active: No[/FONT]

[FONT=arial]Volume ### Ltr Label Fs Type Size Status Info[/FONT]
[FONT=arial]---------- --- ----------- ----- ---------- ------- --------- --------[/FONT]
[FONT=arial]* Volume 2 C NTFS Partition 684 GB Healthy [/FONT]

[FONT=arial]=========================================================[/FONT]

[FONT=arial]Disk: 0[/FONT]
[FONT=arial]Partition 3[/FONT]
[FONT=arial]Type : 07[/FONT]
[FONT=arial]Hidden: No[/FONT]
[FONT=arial]Active: No[/FONT]

[FONT=arial]Volume ### Ltr Label Fs Type Size Status Info[/FONT]
[FONT=arial]---------- --- ----------- ----- ---------- ------- --------- --------[/FONT]
[FONT=arial]* Volume 3 F RECOVERY NTFS Partition 14 GB Healthy [/FONT]

[FONT=arial]=========================================================[/FONT]

[FONT=arial]Disk: 0[/FONT]
[FONT=arial]Partition 4[/FONT]
[FONT=arial]Type : 0C[/FONT]
[FONT=arial]Hidden: No[/FONT]
[FONT=arial]Active: No[/FONT]

[FONT=arial]Volume ### Ltr Label Fs Type Size Status Info[/FONT]
[FONT=arial]---------- --- ----------- ----- ---------- ------- --------- --------[/FONT]
[FONT=arial]* Volume 4 G HP_TOOLS FAT32 Partition 102 MB Healthy [/FONT]

[FONT=arial]=========================================================[/FONT]

[FONT=arial]Partitions of Disk 1:[/FONT]
[FONT=arial]===============[/FONT]

[FONT=arial]Partition ### Type Size Offset[/FONT]
[FONT=arial]------------- ---------------- ------- -------[/FONT]
[FONT=arial]Partition 1 Primary 3827 MB 19 KB[/FONT]

[FONT=arial]==================================================================================[/FONT]

[FONT=arial]Disk: 1[/FONT]
[FONT=arial]Partition 1[/FONT]
[FONT=arial]Type : 0B[/FONT]
[FONT=arial]Hidden: No[/FONT]
[FONT=arial]Active: No[/FONT]

[FONT=arial]Volume ### Ltr Label Fs Type Size Status Info[/FONT]
[FONT=arial]---------- --- ----------- ----- ---------- ------- --------- --------[/FONT]
[FONT=arial]* Volume 5 D PRINCESS CK FAT32 Removable 3827 MB Healthy [/FONT]

[FONT=arial]=========================================================[/FONT]

[FONT=arial]Last Boot: 2012-10-02 09:21[/FONT]

[FONT=arial]==================== End Of Log ============================= [/FONT]
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

========================================

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes in your reply.
 
You posted same log.
I still need search results log.
Re-read my instructions.
 
-.- I did soo sorry
Farbar Recovery Scan Tool (x64) Version: 02-10-2012 01
Ran by SYSTEM at 2012-10-03 23:55:55
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\system64\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

Restart normally.

=====================================

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

===================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

=================================

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
Alternate download: http://www.filehippo.com/download_malwarebytes_anti_malware/
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 

Attachments

  • fixlist.txt
    1.4 KB · Views: 2
Status
Not open for further replies.
Back