TechSpot

Trojan Win64/Sirefef.Y

By venom254
Oct 4, 2012
  1. Trojan Win64/Sirefef.Y

    Hi my step dads computer has this virus and its kicking my ***. Its restarting every minute and I cant do anything. I have run frs. and here is the log.
    can result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-10-2012 01
    Ran by SYSTEM at 03-10-2012 20:56:07
    Running from D:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2799912 2012-02-02] (Synaptics Incorporated)
    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2012-02-02] (IDT, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
    HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\IntelĀ® Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
    HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2012-02-02] (Renesas Electronics Corporation)
    HKLM-x32\...\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company L.P.)
    HKLM-x32\...\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2011-03-16] (EasyBits Software AS)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [574008 2011-07-11] (Hewlett-Packard Development Company, L.P.)
    HKLM-x32\...\Run: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [87336 2011-03-30] (CyberLink Corp.)
    HKLM-x32\...\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [75048 2012-02-03] (cyberlink)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKU\Guest\...\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe -update activex [x]
    HKU\jody\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    ==================== Services (Whitelisted) ===================

    2 CLKMSVC10_38F51D56; "C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\kmsvc.exe" /svc [241648 2011-02-24] (CyberLink)
    3 hpCMSrv; "C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe" [1071160 2011-02-15] (Hewlett-Packard Development Company L.P.)
    2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.0.13\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) =====================

    1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20120215.001\BHDrvx64.sys [1157240 2011-11-30] (Symantec Corporation)
    1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-02-03] (Symantec Corporation)
    3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-02-03] (Symantec Corporation)
    1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120224.002\IDSvia64.sys [488568 2011-12-15] (Symantec Corporation)
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
    3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120225.008\ENG64.SYS [117880 2011-12-28] (Symantec Corporation)
    3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120225.008\EX64.SYS [2048632 2011-12-28] (Symantec Corporation)
    3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207000.00D\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
    1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207000.00D\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
    0 SymDS; C:\Windows\System32\drivers\NISx64\1207000.00D\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
    0 SymEFA; C:\Windows\System32\drivers\NISx64\1207000.00D\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
    3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-12-28] (Symantec Corporation)
    1 SymIRON; C:\Windows\system32\drivers\NISx64\1207000.00D\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
    1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207000.00D\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-10-03 17:46 - 2012-10-03 17:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8544FD77FD9EC3B2
    2012-10-03 17:41 - 2012-10-03 17:41 - 00000000 ____D C:\FRST
    2012-10-03 17:40 - 2012-10-03 17:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.194DFFAB70A8D7FB
    2012-10-03 17:36 - 2012-10-03 17:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.844FB182A62F0BB1
    2012-10-03 17:34 - 2012-10-03 17:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5A5D176DC73C47B4
    2012-10-03 17:30 - 2012-10-03 17:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EB9B8F8F768342A3
    2012-10-03 17:25 - 2012-10-03 17:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1D0D97392E8C94EE
    2012-10-03 17:22 - 2012-10-03 17:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1EB841C62C24FD8E
    2012-10-03 17:19 - 2012-10-03 17:19 - 13529576 ____A (Microsoft Corporation) C:\Users\jody\Downloads\mseinstall (1).exe
    2012-10-03 17:15 - 2012-10-03 17:48 - 00000392 ____A C:\Windows\setupact.log
    2012-10-03 17:15 - 2012-10-03 17:44 - 00002258 ____A C:\Windows\PFRO.log
    2012-10-03 17:15 - 2012-10-03 17:15 - 00000000 ____A C:\Windows\setuperr.log
    2012-10-02 09:38 - 2012-10-02 09:38 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-10-02 08:14 - 2012-10-02 08:23 - 83023306 ___AT C:\Users\All Users\424c029.pad
    2012-10-02 07:57 - 2012-10-02 07:57 - 00188416 ____A (?????????? ??????????) C:\Users\jody\Documents\920c424.dll
    2012-09-25 10:38 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
    2012-09-24 18:38 - 2012-09-24 18:38 - 00000000 ____D C:\Users\jody\AppData\Local\{E2DA8629-8C61-42B4-9350-802C95C4E6BA}
    2012-09-23 03:13 - 2012-09-23 03:13 - 00000000 ____D C:\Users\jody\AppData\Local\Hewlett-Packard_Developme
    2012-09-22 13:34 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-09-22 13:34 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-09-22 13:34 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-09-22 13:34 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-09-22 13:34 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-09-22 13:34 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-09-22 13:34 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-09-22 13:34 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-09-22 13:34 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-09-22 13:34 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-09-22 13:34 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2012-09-22 13:34 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-09-22 13:34 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-09-22 13:34 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-09-22 13:34 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-09-22 13:34 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-09-22 13:34 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-09-22 13:34 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-09-22 13:34 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-09-22 13:34 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-09-22 13:34 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-09-22 13:34 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-09-22 13:34 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-09-22 13:34 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-09-22 13:34 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-09-22 13:34 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2012-09-22 13:34 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-09-22 13:34 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2012-09-22 13:34 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-09-22 13:34 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-09-22 13:34 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-09-22 13:34 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-09-18 17:16 - 2012-09-18 17:16 - 00000000 ____D C:\Users\jody\Documents\Blio
    2012-09-18 17:16 - 2012-09-18 17:16 - 00000000 ____D C:\Users\jody\AppData\Roaming\Blio
    2012-09-18 17:16 - 2012-09-18 17:16 - 00000000 ____D C:\Users\All Users\Blio
    2012-09-18 11:25 - 2012-09-18 11:25 - 00000000 ____D C:\Users\jody\AppData\Local\{80382E78-98E9-4CE9-921F-ED1C72C5160D}
    2012-09-12 02:17 - 2012-09-12 02:17 - 00000000 ____D C:\Users\jody\AppData\Local\{1E2AF1C8-7D16-4DA1-9D9A-86DDBCC4E554}
    2012-09-11 14:37 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2012-09-11 14:37 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
    2012-09-11 14:37 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
    2012-09-11 14:37 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
    2012-09-11 14:37 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
    2012-09-11 14:37 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
    2012-09-11 14:37 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys

    ==================== 3 Months Modified Files ==================

    2012-10-03 17:48 - 2012-10-03 17:15 - 00000392 ____A C:\Windows\setupact.log
    2012-10-03 17:46 - 2012-10-03 17:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8544FD77FD9EC3B2
    2012-10-03 17:44 - 2012-10-03 17:15 - 00002258 ____A C:\Windows\PFRO.log
    2012-10-03 17:40 - 2012-10-03 17:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.194DFFAB70A8D7FB
    2012-10-03 17:40 - 2012-05-15 15:47 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-10-03 17:39 - 2012-05-15 15:47 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-10-03 17:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-10-03 17:36 - 2012-10-03 17:36 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.844FB182A62F0BB1
    2012-10-03 17:34 - 2012-10-03 17:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5A5D176DC73C47B4
    2012-10-03 17:30 - 2012-10-03 17:30 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EB9B8F8F768342A3
    2012-10-03 17:25 - 2012-10-03 17:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1D0D97392E8C94EE
    2012-10-03 17:22 - 2012-10-03 17:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1EB841C62C24FD8E
    2012-10-03 17:21 - 2012-08-19 10:27 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-10-03 17:19 - 2012-10-03 17:19 - 13529576 ____A (Microsoft Corporation) C:\Users\jody\Downloads\mseinstall (1).exe
    2012-10-03 17:15 - 2012-10-03 17:15 - 00000000 ____A C:\Windows\setuperr.log
    2012-10-03 16:42 - 2012-05-15 15:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-10-03 16:32 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-10-03 16:32 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-10-02 17:59 - 2009-07-13 21:13 - 00730472 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-10-02 08:23 - 2012-10-02 08:14 - 83023306 ___AT C:\Users\All Users\424c029.pad
    2012-10-02 07:57 - 2012-10-02 07:57 - 00188416 ____A (?????????? ??????????) C:\Users\jody\Documents\920c424.dll
    2012-09-29 12:32 - 2012-08-19 10:38 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForjody.job
    2012-09-28 18:05 - 2011-12-29 17:26 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
    2012-09-21 02:42 - 2012-05-15 15:47 - 00696240 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-09-21 02:42 - 2012-05-15 15:47 - 00073136 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-09-12 02:16 - 2012-01-19 20:10 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-09-07 14:04 - 2012-08-19 13:25 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-30 19:03 - 2012-08-30 19:03 - 00228768 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
    2012-08-30 19:03 - 2012-03-20 17:44 - 00128456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
    2012-08-24 03:15 - 2012-09-22 13:34 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-08-24 02:39 - 2012-09-22 13:34 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-08-24 02:31 - 2012-09-22 13:34 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-08-24 02:22 - 2012-09-22 13:34 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-08-24 02:21 - 2012-09-22 13:34 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-08-24 02:20 - 2012-09-22 13:34 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-08-24 02:18 - 2012-09-22 13:34 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-08-24 02:17 - 2012-09-22 13:34 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-08-24 02:14 - 2012-09-22 13:34 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-08-24 02:14 - 2012-09-22 13:34 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-08-24 02:13 - 2012-09-22 13:34 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2012-08-24 02:12 - 2012-09-22 13:34 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-08-24 02:11 - 2012-09-22 13:34 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2012-08-24 02:10 - 2012-09-22 13:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-08-24 02:09 - 2012-09-22 13:34 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-08-24 02:04 - 2012-09-22 13:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-08-23 23:27 - 2012-09-22 13:34 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-08-23 23:03 - 2012-09-22 13:34 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-08-23 22:59 - 2012-09-22 13:34 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-08-23 22:51 - 2012-09-22 13:34 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-08-23 22:51 - 2012-09-22 13:34 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-08-23 22:51 - 2012-09-22 13:34 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-08-23 22:49 - 2012-09-22 13:34 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-08-23 22:48 - 2012-09-22 13:34 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-08-23 22:47 - 2012-09-22 13:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-08-23 22:47 - 2012-09-22 13:34 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2012-08-23 22:47 - 2012-09-22 13:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-08-23 22:45 - 2012-09-22 13:34 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2012-08-23 22:44 - 2012-09-22 13:34 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-08-23 22:44 - 2012-09-22 13:34 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-08-23 22:43 - 2012-09-22 13:34 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-08-23 22:40 - 2012-09-22 13:34 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-08-22 10:12 - 2012-09-11 14:37 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
    2012-08-22 10:12 - 2012-09-11 14:37 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
    2012-08-22 10:12 - 2012-09-11 14:37 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
    2012-08-22 10:12 - 2012-09-11 14:37 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
    2012-08-21 17:31 - 2011-06-21 11:31 - 00002590 ____N C:\Users\Public\Desktop\WildTangent Games App - hp.lnk
    2012-08-21 17:30 - 2012-08-21 17:30 - 00002590 ____N C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk
    2012-08-21 16:43 - 2012-08-21 16:43 - 00002212 ____A C:\Users\Public\Desktop\Google Earth.lnk
    2012-08-21 13:01 - 2012-09-25 10:38 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
    2012-08-19 13:25 - 2012-08-19 13:25 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-19 13:14 - 2009-07-13 20:45 - 00276072 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-19 11:20 - 2012-01-02 10:48 - 00744796 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-19 11:19 - 2012-08-19 11:19 - 12621696 ____A (Microsoft Corporation) C:\Users\jody\Downloads\mseinstall.exe
    2012-08-19 11:17 - 2012-08-19 11:17 - 00002255 ____A C:\Users\jody\Desktop\Google Chrome.lnk
    2012-08-19 10:28 - 2012-08-19 10:28 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
    2012-08-19 09:18 - 2012-08-19 10:10 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\jody\Desktop\mbam-setup-1.62.0.1300.exe
    2012-08-02 09:58 - 2012-09-11 14:37 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
    2012-08-02 08:57 - 2012-09-11 14:37 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
    2012-07-18 10:15 - 2012-08-19 10:29 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys


    ZeroAccess:
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\@
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L\00000004.@
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L\201d3dde
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U\00000004.@
    C:\Windows\Installer\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U\80000064.@

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ZeroAccess:
    C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}
    C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\@
    C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\L
    C:\Users\jody\AppData\Local\{15ee5b63-1445-da6b-fe0d-a89417cd27d0}\U

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-08-28 14:21:59
    Restore point made on: 2012-09-04 14:36:32
    Restore point made on: 2012-09-07 17:17:47
    Restore point made on: 2012-09-11 14:46:13
    Restore point made on: 2012-09-12 02:16:04
    Restore point made on: 2012-09-16 15:24:53
    Restore point made on: 2012-09-18 15:34:58
    Restore point made on: 2012-09-20 12:44:27
    Restore point made on: 2012-09-22 13:33:57
    Restore point made on: 2012-09-27 11:29:26
    Restore point made on: 2012-10-01 12:25:17

    ==================== Memory info ===========================

    Percentage of memory in use: 13%
    Total physical RAM: 6091.86 MB
    Available physical RAM: 5292.93 MB
    Total Pagefile: 6090.01 MB
    Available Pagefile: 5293.57 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ==================== Partitions =============================

    1 Drive c: () (Fixed) (Total:684.13 GB) (Free:626.33 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive d: (PRINCESS CK) (Removable) (Total:3.74 GB) (Free:3.17 GB) FAT32
    3 Drive f: (RECOVERY) (Fixed) (Total:14.21 GB) (Free:1.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive g: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.08 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
    7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 698 GB 0 B
    Disk 1 Online 3835 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 199 MB 1024 KB
    Partition 2 Primary 684 GB 200 MB
    Partition 3 Primary 14 GB 684 GB
    Partition 4 Primary 102 MB 698 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 684 GB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F RECOVERY NTFS Partition 14 GB Healthy

    =========================================================

    Disk: 0
    Partition 4
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G HP_TOOLS FAT32 Partition 102 MB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3827 MB 19 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 D PRINCESS CK FAT32 Removable 3827 MB Healthy

    =========================================================

    Last Boot: 2012-10-02 09:21

    ==================== End Of Log =============================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.
     
  3. venom254

    venom254 TS Rookie Topic Starter

    Dupe...
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You posted same log.
    I still need search results log.
    Re-read my instructions.
     
  5. venom254

    venom254 TS Rookie Topic Starter

    -.- I did soo sorry
    Farbar Recovery Scan Tool (x64) Version: 02-10-2012 01
    Ran by SYSTEM at 2012-10-03 23:55:55
    Running from H:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\system64\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

    ====== End Of Search ======
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next....

    Restart normally.

    =====================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ===================================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =================================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    Alternate download: http://www.filehippo.com/download_malwarebytes_anti_malware/
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     

    Attached Files:

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...