TechSpot

Win64/Sirefef.A infection

By despe666
Jun 29, 2012
  1. Hello, I have a Sirefef.A infection. The MS malware scanner detects it but can't fix it. I have run a scan and a search for services.exe in FRST64, as explained in many threads, and here are the scan and search results.

    Thanks for your help

    ============

    Scan result of Farbar Recovery Scan Tool Version: 28-06-2012 02
    Ran by SYSTEM at 29-06-2012 09:23:14
    Running from I:\
    Windows Server 2008 R2 Enterprise Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [89456 2011-03-07] (Elaborate Bytes AG)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [WinSSHD Activation State Checker] "C:\Program Files (x86)\Bitvise WinSSHD\WinsshdActStateCheck.exe" [247464 2012-05-02] (Bitvise)
    HKU\Administrator\...\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-27] (Google Inc.)
    HKU\Administrator\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    Tcpip\..\Interfaces\{48C7F69C-AFE4-4CC3-A175-8A61947366DD}: [NameServer]207.164.234.129,207.164.234.193
    Lsa: [Authentication Packages] msv1_0
    vdspka10
    Lsa: [Notification Packages] scecli
    rassfm

    ==================== Services (Whitelisted) ======

    2 AppHostSvc; C:\Windows\SysWow64\inetsrv\apphostsvc.dll [61440 2010-11-20] (Microsoft Corporation)
    3 FCRegSvc; C:\Windows\System32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
    2 FileMaker Server; "C:\Program Files (x86)\FileMaker\FileMaker Server\Database Server\fmshelper.exe" [225096 2010-06-02] (FileMaker, Inc.)
    3 RSoPProv; C:\Windows\System32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
    3 sacsvr; C:\Windows\System32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
    2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)
    2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
    2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
    3 WAS; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
    2 WinSSHD; "C:\Program Files (x86)\Bitvise WinSSHD\WinSSHD.exe" [5755088 2012-05-02] (Bitvise)
    2 WinVNC4; "C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service [2360048 2011-08-18] (RealVNC Ltd)
    3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

    ========================== Drivers (Whitelisted) =============

    3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
    3 MRxDAV; C:\Windows\SysWow64\Drivers\MRxDAV.sys [115712 2010-11-20] (Microsoft Corporation)
    0 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
    1 skzbcqnm; C:\Windows\System32\Drivers\skzbcqnm.sys [50392 2012-06-28] (Microsoft Corporation)
    3 storvsp; C:\Windows\System32\Drivers\storvsp.sys [120320 2011-12-01] (Microsoft Corporation)
    3 Vid; C:\Windows\System32\Drivers\Vid.sys [181760 2010-11-20] (Microsoft Corporation)
    3 vncmirror; C:\Windows\System32\Drivers\vncmirror.sys [4608 2011-08-18] (RealVNC Ltd.)

    ========================== NetSvcs (Whitelisted) ===========

    NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

    ============ One Month Created Files and Folders ==============

    2012-06-28 09:54 - 2012-06-28 09:54 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\skzbcqnm.sys
    2012-06-28 09:54 - 2012-06-28 09:54 - 00000000 ____D C:\Windows\System32\MpEngineStore
    2012-06-28 08:39 - 2012-06-28 08:39 - 00000000 ____D C:\Program Files (x86)\WinSCP
    2012-06-28 08:38 - 2012-06-28 08:38 - 03390816 ____A (Martin Prikryl ) C:\Users\Administrator\Downloads\winscp438setup-sponsored.exe
    2012-06-28 08:37 - 2008-11-27 12:05 - 00002719 ____A C:\Users\Administrator\Documents\ML.ppk
    2012-06-28 07:02 - 2012-06-28 07:02 - 00000000 ____D C:\Program Files\ESET
    2012-06-28 07:01 - 2012-06-28 07:01 - 01018311 ____A
    2012-06-28 06:47 - 2012-06-28 06:48 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
    2012-06-28 06:47 - 2012-06-28 06:48 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
    2012-06-28 06:46 - 2012-06-28 06:46 - 16409960 ____A (Safer Networking Limited ) C:\Users\Administrator\Downloads\spybotsd162.exe
    2012-06-28 06:40 - 2012-06-28 06:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D518A6B492EF0B01
    2012-06-28 06:22 - 2012-06-28 06:22 - 00000000 ____D C:\WINSSLog
    2012-06-28 06:21 - 2012-06-28 06:21 - 00756776 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\OneCareCleanup.exe
    2012-06-28 06:18 - 2012-06-28 06:18 - 00689664 ____A C:\Users\Administrator\Downloads\MicrosoftFixit50202.msi
    2012-06-28 06:12 - 2012-06-28 06:25 - 00000000 ____D C:\Windows\System32\FxsTmp
    2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\FxsTmp
    2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\clients
    2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\addins
    2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
    2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-06-28 06:05 - 2012-04-04 11:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-28 06:04 - 2012-06-28 06:04 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.61.0.1400.exe
    2012-06-28 06:02 - 2012-06-28 06:04 - 71499296 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\msert.exe
    2012-06-28 05:14 - 2012-06-28 05:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-06-28 05:14 - 2012-06-28 05:14 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-06-28 05:14 - 2012-06-28 05:14 - 00000000 ____D C:\Windows\System32\Macromed
    2012-06-27 20:44 - 2012-06-27 20:44 - 00000000 ____D C:\Windows\SysWOW64\Macromed
    2012-06-13 23:02 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-13 23:02 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-13 23:02 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-13 23:02 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-13 23:02 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-13 23:02 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-13 23:02 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-13 23:02 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-13 23:02 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-13 23:02 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-13 23:02 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-13 23:02 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-13 23:02 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-13 23:02 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-13 23:02 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-13 23:02 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-13 23:02 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-13 23:02 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-13 23:02 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-13 23:02 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-13 23:02 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-13 23:02 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-13 23:02 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-13 23:02 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-13 23:02 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-13 23:02 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-13 23:02 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-13 23:02 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-13 13:44 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-13 13:44 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-06-13 13:44 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-06-13 13:44 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-06-13 13:44 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-06-13 13:44 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-06-13 13:44 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-06-13 13:44 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-06-13 07:23 - 2012-06-13 07:23 - 00000000 ___AH C:\Users\mil\Documents\Default.rdp
    2012-06-08 17:25 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-08 17:25 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-08 17:25 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-08 17:25 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-08 17:25 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-08 17:25 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-08 17:25 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-08 17:25 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-08 17:25 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-06 23:00 - 2012-06-06 23:00 - 00290864 ____A C:\Windows\msxml4-KB954430-enu.LOG
    2012-06-06 23:00 - 2012-06-06 23:00 - 00288246 ____A C:\Windows\msxml4-KB973688-enu.LOG
    2012-06-06 23:00 - 2012-06-06 23:00 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
    2012-06-05 16:20 - 2012-06-05 16:20 - 00001488 ____A C:\Users\mil\Desktop\steve.ppk
    2012-06-05 09:46 - 2012-06-05 09:46 - 00000101 ____A C:\Users\Administrator\AppData\Local\fusioncache.dat
    2012-06-05 09:46 - 2012-06-05 09:46 - 00000000 ____A C:\Windows\regset.INI
    2012-06-05 09:38 - 2012-06-05 09:38 - 00000000 ____D C:\MetaStock Data
    2012-06-05 09:38 - 2006-04-06 05:28 - 00671835 ____A (Equis International) C:\Windows\SysWOW64\OLVI92.dll
    2012-06-05 09:38 - 2006-04-06 05:20 - 00036864 ____A (Equis International) C:\Windows\SysWOW64\EqCCWrapper.dll
    2012-06-05 09:38 - 2006-04-06 05:15 - 00204872 ____A (Equis International) C:\Windows\SysWOW64\msfl92.dll
    2012-06-05 09:38 - 2006-04-06 04:59 - 00217166 ____A (Equis International) C:\Windows\SysWOW64\EqNotify.dll
    2012-06-05 09:38 - 2006-04-06 04:30 - 00207360 ____A (LEAD Technologies, Inc.) C:\Windows\SysWOW64\LTKRN61N.DLL
    2012-06-05 09:38 - 2006-04-06 04:30 - 00158720 ____A C:\Windows\SysWOW64\LFCMP61N.DLL
    2012-06-05 09:38 - 2006-04-06 04:30 - 00110080 ____A C:\Windows\SysWOW64\Lfpng61n.dll
    2012-06-05 09:38 - 2006-04-06 04:30 - 00043008 ____A C:\Windows\SysWOW64\LTFIL61N.DLL
    2012-06-05 09:38 - 2002-02-27 23:03 - 02586112 ____N (Steema Software SL) C:\Windows\SysWOW64\TeeChart5.ocx
    2012-06-05 09:38 - 2002-02-03 23:43 - 00044544 ____N (Microsoft Corporation) C:\Windows\SysWOW64\msxml4a.dll
    2012-06-05 09:38 - 1999-12-02 15:26 - 00030720 ____N (Forefront, Incorporated) C:\Windows\SysWOW64\ffJmpWeb.dll
    2012-06-05 09:38 - 1999-04-15 11:58 - 00017920 ____N C:\Windows\SysWOW64\IMPLODE.DLL
    2012-06-05 09:38 - 1998-12-17 06:30 - 00164864 ____N C:\Windows\SysWOW64\patchw32.dll
    2012-06-05 09:38 - 1998-12-10 14:00 - 00519680 ____N (FarPoint Technologies, Inc.) C:\Windows\SysWOW64\SS32D25.DLL
    2012-06-05 09:38 - 1998-05-07 11:01 - 00028160 ____N (Equis International) C:\Windows\SysWOW64\MetaStockShellExtension.dll
    2012-06-05 09:38 - 1996-09-12 13:18 - 00017920 ____N C:\Windows\SysWOW64\MSWTHK32.DLL
    2012-06-05 09:38 - 1996-09-12 13:18 - 00003360 ____N C:\Windows\SysWOW64\MSWTHK16.DLL
    2012-06-05 09:32 - 2012-06-05 09:38 - 00000000 ____D C:\Program Files (x86)\Equis
    2012-06-05 09:32 - 2012-06-05 09:32 - 00002032 ____A C:\Users\Public\Desktop\QuoteCenter.lnk
    2012-06-05 09:32 - 1998-10-02 16:00 - 00327168 ____A (InstallShield Software Corporation) C:\Windows\IsUninst.exe
    2012-06-05 09:24 - 2012-06-05 09:30 - 254958592 ____A C:\Users\Administrator\Downloads\MSQuoteCenter92ProBundle.exe
    2012-06-05 08:39 - 2012-06-05 08:39 - 00000000 ____D C:\Users\574311\AppData\Local\Reuters
    2012-06-05 08:20 - 2012-06-13 07:08 - 00000600 ____A C:\Users\mil\AppData\Local\PUTTY.RND
    2012-06-05 08:14 - 2012-06-05 08:14 - 00001482 ____A C:\Users\mil\Desktop\mil.ppk
    2012-06-05 06:47 - 2012-06-05 06:47 - 00109648 ____A C:\Users\nova\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-05 06:46 - 2012-06-05 06:46 - 00000020 ___SH C:\Users\nova\ntuser.ini
    2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\Users\nova\AppData\Local\VirtualStore
    2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\users\nova
    2012-06-04 05:54 - 2012-06-04 05:54 - 00002591 ____A C:\Users\Administrator\Downloads\admin_console_webstart.jnlp
    2012-06-04 05:22 - 2012-06-04 05:22 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FileMaker Pro Advanced
    2012-06-04 05:18 - 2012-06-04 05:18 - 00000000 ____D C:\Users\Administrator\AppData\Local\FileMaker
    2012-06-04 05:17 - 2012-06-04 05:17 - 00000000 ____D C:\Users\Administrator\Downloads\FMaker base 120601
    2012-06-04 05:15 - 2012-06-04 05:15 - 05272019 ____A C:\Users\Administrator\Downloads\FMaker base 120601.rar


    ============ 3 Months Modified Files and Folders =============

    2012-06-29 09:23 - 2012-06-29 09:23 - 00000000 ____D C:\FRST
    2012-06-29 05:16 - 2012-04-27 21:02 - 01648170 ____A C:\Windows\WindowsUpdate.log
    2012-06-29 04:55 - 2012-04-27 22:50 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963425265-891932126-2020456833-500UA.job
    2012-06-28 22:55 - 2012-04-27 22:50 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963425265-891932126-2020456833-500Core.job
    2012-06-28 12:12 - 2012-05-28 09:09 - 00000600 ____A C:\Users\Administrator\AppData\Roaming\winscp.rnd
    2012-06-28 12:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
    2012-06-28 09:54 - 2012-06-28 09:54 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\skzbcqnm.sys
    2012-06-28 09:54 - 2012-06-28 09:54 - 00000000 ____D C:\Windows\System32\MpEngineStore
    2012-06-28 08:39 - 2012-06-28 08:39 - 00000000 ____D C:\Program Files (x86)\WinSCP
    2012-06-28 08:38 - 2012-06-28 08:38 - 03390816 ____A (Martin Prikryl ) C:\Users\Administrator\Downloads\winscp438setup-sponsored.exe
    2012-06-28 07:09 - 2012-06-28 06:47 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
    2012-06-28 07:02 - 2012-06-28 07:02 - 00000000 ____D C:\Program Files\ESET
    2012-06-28 06:48 - 2012-06-28 06:47 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
    2012-06-28 06:48 - 2009-07-13 21:10 - 00831824 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-06-28 06:47 - 2009-07-13 20:49 - 00025056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-06-28 06:47 - 2009-07-13 20:49 - 00025056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-06-28 06:46 - 2012-06-28 06:46 - 16409960 ____A (Safer Networking Limited ) C:\Users\Administrator\Downloads\spybotsd162.exe
    2012-06-28 06:44 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv
    2012-06-28 06:42 - 2012-05-02 08:44 - 00000266 ____A C:\Windows\Tasks\AutoKMS.job
    2012-06-28 06:41 - 2009-07-13 21:06 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-06-28 06:40 - 2012-06-28 06:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D518A6B492EF0B01
    2012-06-28 06:25 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\System32\FxsTmp
    2012-06-28 06:25 - 2010-11-20 19:47 - 00010984 ____A C:\Windows\PFRO.log
    2012-06-28 06:22 - 2012-06-28 06:22 - 00000000 ____D C:\WINSSLog
    2012-06-28 06:21 - 2012-06-28 06:21 - 00756776 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\OneCareCleanup.exe
    2012-06-28 06:18 - 2012-06-28 06:18 - 00689664 ____A C:\Users\Administrator\Downloads\MicrosoftFixit50202.msi
    2012-06-28 06:16 - 2011-12-07 05:28 - 00840662 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\FxsTmp
    2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\clients
    2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\addins
    2012-06-28 06:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
    2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
    2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-06-28 06:04 - 2012-06-28 06:04 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.61.0.1400.exe
    2012-06-28 06:04 - 2012-06-28 06:02 - 71499296 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\msert.exe
    2012-06-28 05:58 - 2012-04-28 08:34 - 00002170 ____A C:\Windows\epplauncher.mif
    2012-06-28 05:53 - 2009-07-13 21:07 - 00000000 ____D C:\Windows\System32\ServerManager
    2012-06-28 05:14 - 2012-06-28 05:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-06-28 05:14 - 2012-06-28 05:14 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-06-28 05:14 - 2012-06-28 05:14 - 00000000 ____D C:\Windows\System32\Macromed
    2012-06-27 20:44 - 2012-06-27 20:44 - 00000000 ____D C:\Windows\SysWOW64\Macromed
    2012-06-27 04:13 - 2012-05-29 04:06 - 00000000 ____D C:\ua
    2012-06-15 08:57 - 2012-05-24 11:09 - 00002002 ___AH C:\Users\Administrator\Documents\Default.rdp
    2012-06-13 23:23 - 2009-07-13 20:49 - 00408248 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-13 23:03 - 2011-12-07 03:41 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-13 07:44 - 2009-07-13 19:20 - 00000000 ___HD C:\Windows\System32\GroupPolicy
    2012-06-13 07:23 - 2012-06-13 07:23 - 00000000 ___AH C:\Users\mil\Documents\Default.rdp
    2012-06-13 07:08 - 2012-06-05 08:20 - 00000600 ____A C:\Users\mil\AppData\Local\PUTTY.RND
    2012-06-12 05:17 - 2012-04-27 22:50 - 00002334 ____A C:\Users\Administrator\Desktop\Google Chrome.lnk
    2012-06-06 23:00 - 2012-06-06 23:00 - 00290864 ____A C:\Windows\msxml4-KB954430-enu.LOG
    2012-06-06 23:00 - 2012-06-06 23:00 - 00288246 ____A C:\Windows\msxml4-KB973688-enu.LOG
    2012-06-06 23:00 - 2012-06-06 23:00 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
    2012-06-06 17:57 - 2012-05-28 12:27 - 00000284 ____A C:\Windows\ODBC.INI
    2012-06-05 16:20 - 2012-06-05 16:20 - 00001488 ____A C:\Users\mil\Desktop\steve.ppk
    2012-06-05 13:22 - 2012-05-28 12:04 - 00000000 ____D C:\Users\574311\AppData\Local\VirtualStore
    2012-06-05 09:46 - 2012-06-05 09:46 - 00000101 ____A C:\Users\Administrator\AppData\Local\fusioncache.dat
    2012-06-05 09:46 - 2012-06-05 09:46 - 00000000 ____A C:\Windows\regset.INI
    2012-06-05 09:38 - 2012-06-05 09:38 - 00000000 ____D C:\MetaStock Data
    2012-06-05 09:38 - 2012-06-05 09:32 - 00000000 ____D C:\Program Files (x86)\Equis
    2012-06-05 09:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Registration
    2012-06-05 09:32 - 2012-06-05 09:32 - 00002032 ____A C:\Users\Public\Desktop\QuoteCenter.lnk
    2012-06-05 09:30 - 2012-06-05 09:24 - 254958592 ____A C:\Users\Administrator\Downloads\MSQuoteCenter92ProBundle.exe
    2012-06-05 08:39 - 2012-06-05 08:39 - 00000000 ____D C:\Users\574311\AppData\Local\Reuters
    2012-06-05 08:14 - 2012-06-05 08:14 - 00001482 ____A C:\Users\mil\Desktop\mil.ppk
    2012-06-05 06:47 - 2012-06-05 06:47 - 00109648 ____A C:\Users\nova\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-06-05 06:46 - 2012-06-05 06:46 - 00000020 ___SH C:\Users\nova\ntuser.ini
    2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\Users\nova\AppData\Local\VirtualStore
    2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\users\nova
    2012-06-04 05:54 - 2012-06-04 05:54 - 00002591 ____A C:\Users\Administrator\Downloads\admin_console_webstart.jnlp
    2012-06-04 05:22 - 2012-06-04 05:22 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FileMaker Pro Advanced
    2012-06-04 05:18 - 2012-06-04 05:18 - 00000000 ____D C:\Users\Administrator\AppData\Local\FileMaker
    2012-06-04 05:17 - 2012-06-04 05:17 - 00000000 ____D C:\Users\Administrator\Downloads\FMaker base 120601
    2012-06-04 05:15 - 2012-06-04 05:15 - 05272019 ____A C:\Users\Administrator\Downloads\FMaker base 120601.rar
    2012-06-02 14:19 - 2012-06-08 17:25 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-08 17:25 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-08 17:25 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-08 17:25 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-08 17:25 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-08 17:25 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-08 17:25 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 11:19 - 2012-06-08 17:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:15 - 2012-06-08 17:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-05-31 12:14 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
    2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Windows\CSC
    2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files\Windows Portable Devices
    2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files\Windows Photo Viewer
    2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files\Windows Defender
    2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
    2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
    2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files (x86)\Windows Defender
    2012-05-29 23:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system
    2012-05-29 23:16 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
    2012-05-29 06:12 - 2012-05-29 06:12 - 00000000 ____D C:\Users\mil\.swiskeyexecution
    2012-05-29 06:12 - 2012-05-29 04:28 - 00000000 ____D C:\users\mil
    2012-05-29 06:08 - 2012-05-29 06:08 - 00001542 ____A C:\Users\mil\Desktop\certif.pfx
    2012-05-29 05:51 - 2012-05-29 05:51 - 00000000 ____D C:\Users\Administrator\.swiskeyexecution
    2012-05-29 05:51 - 2012-04-27 21:01 - 00000000 ____D C:\users\Administrator
    2012-05-29 05:46 - 2012-05-29 05:46 - 00002191 ____A C:\Users\Public\Desktop\SwisKey Execution Launcher 1.0.3.lnk
    2012-05-29 05:46 - 2012-05-29 05:46 - 00000000 ____D C:\Program Files (x86)\SwisKey Execution (EXTERNAL)
    2012-05-29 05:20 - 2012-05-29 05:20 - 00000000 ____A C:\Users\mil\Desktop\SKELauncher_exe.zc8itrk.partial
    2012-05-29 04:28 - 2012-05-29 04:28 - 00109648 ____A C:\Users\mil\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-05-29 04:28 - 2012-05-29 04:28 - 00000020 ___SH C:\Users\mil\ntuser.ini
    2012-05-29 04:28 - 2012-05-29 04:28 - 00000000 ____D C:\Users\mil\AppData\Local\VirtualStore
    2012-05-29 04:16 - 2012-05-29 04:16 - 00001650 ____A C:\Users\Administrator\Desktop\CSI EZ Downloader.lnk
    2012-05-29 04:16 - 2012-05-29 04:16 - 00001645 ____A C:\Users\Administrator\Desktop\CSI Position Manager.lnk
    2012-05-29 04:16 - 2012-05-29 04:16 - 00001601 ____A C:\Users\Administrator\Desktop\Launch UA.lnk
    2012-05-29 04:16 - 2012-05-29 04:06 - 00011894 ____A C:\Windows\SysWOW64\uainstalldll.log
    2012-05-29 04:06 - 2012-05-29 04:06 - 00000029 ____A C:\Windows\ua.ini
    2012-05-28 16:41 - 2012-05-28 15:15 - 2020993004 ____A C:\Users\Administrator\Downloads\Ua2107SCO.exe
    2012-05-28 12:04 - 2012-05-28 12:04 - 00109648 ____A C:\Users\574311\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-05-28 12:04 - 2012-05-28 12:04 - 00000020 ___SH C:\Users\574311\ntuser.ini
    2012-05-28 12:04 - 2012-05-28 12:04 - 00000000 ____D C:\users\574311
    2012-05-28 09:08 - 2012-05-28 09:08 - 03401768 ____A (Martin Prikryl ) C:\Users\Administrator\Downloads\winscp507setup.exe
    2012-05-27 18:04 - 2012-05-27 18:04 - 00000000 ____D C:\Users\Administrator\Desktop\Clés Award
    2012-05-17 18:47 - 2012-06-13 23:02 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-13 23:02 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-13 23:02 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-13 23:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-13 23:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-13 23:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-13 23:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-13 23:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-13 23:02 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-13 23:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-13 23:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-13 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-13 23:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-13 23:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-13 23:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-13 23:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-13 23:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-13 23:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-13 23:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-13 23:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-13 23:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-13 23:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-13 23:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-13 23:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-13 23:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-13 23:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-13 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-13 23:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-16 21:10 - 2012-05-16 21:10 - 00000020 __ASH C:\Users\Classic .NET AppPool\ntuser.ini
    2012-05-16 21:10 - 2012-05-16 21:10 - 00000000 ____D C:\users\Classic .NET AppPool
    2012-05-16 21:10 - 2012-05-16 21:09 - 00082771 ____A C:\Windows\iis7.log
    2012-05-16 21:08 - 2012-05-16 21:08 - 00000000 ____D C:\Windows\SysWOW64\BestPractices
    2012-05-16 21:08 - 2012-05-16 21:08 - 00000000 ____D C:\inetpub
    2012-05-16 21:08 - 2010-11-20 21:45 - 00000000 ____D C:\Windows\System32\0409
    2012-05-16 21:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
    2012-05-16 20:52 - 2012-05-16 20:52 - 00000020 ___SH C:\Users\WinSSHD_VirtualUsers\ntuser.ini
    2012-05-16 20:48 - 2012-05-16 20:49 - 00000814 ____A C:\Users\Administrator\Desktop\MLPub
    2012-05-16 20:46 - 2012-05-16 20:46 - 00000000 ____D C:\Program Files (x86)\PuTTY
    2012-05-16 20:45 - 2012-05-16 20:45 - 01857592 ____A (Simon Tatham ) C:\Users\Administrator\Downloads\putty-2012-05-17-installer.exe
    2012-05-16 20:45 - 2012-05-16 20:45 - 01849240 ____A (Simon Tatham ) C:\Users\Administrator\Downloads\putty-0.62-installer.exe
    2012-05-14 17:32 - 2012-06-13 13:44 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-05-04 03:06 - 2012-06-13 13:44 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-05-04 02:03 - 2012-06-13 13:44 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2012-05-04 02:03 - 2012-06-13 13:44 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2012-05-03 08:16 - 2009-07-13 20:56 - 00026787 ____A C:\Windows\setupact.log
    2012-05-02 19:52 - 2012-05-02 19:50 - 00000000 ____D C:\Program Files (x86)\Bitvise WinSSHD
    2012-05-02 19:49 - 2012-05-02 19:49 - 00000000 ____D C:\Windows\System32\appmgmt
    2012-05-02 19:48 - 2012-05-02 19:48 - 05493488 ____A C:\Users\Administrator\Downloads\WinSSHD5-Inst.exe
    2012-05-02 18:54 - 2012-05-02 18:54 - 05073240 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\vcredist_x86.exe
    2012-05-02 18:53 - 2012-05-02 18:53 - 05718872 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\vcredist_x64.exe
    2012-05-02 18:53 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
    2012-05-02 18:50 - 2012-05-02 18:50 - 00000000 ____D C:\Program Files\VanDyke Software
    2012-05-02 18:49 - 2012-05-02 18:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Downloaded Installations
    2012-05-02 18:40 - 2012-05-02 18:40 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
    2012-05-02 18:40 - 2012-05-02 18:40 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
    2012-05-02 18:40 - 2012-05-02 18:40 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
    2012-05-02 18:40 - 2012-05-02 18:40 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
    2012-05-02 18:40 - 2012-05-02 18:40 - 00000000 ____D C:\Sun
    2012-05-02 18:40 - 2012-05-02 18:40 - 00000000 ____D C:\Program Files (x86)\Java
    2012-05-02 18:40 - 2012-05-02 10:15 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
    2012-05-02 18:29 - 2012-05-02 08:44 - 00000000 ____D C:\Windows\AutoKMS
    2012-05-02 18:20 - 2012-05-02 18:20 - 00000000 ____D C:\Program Files\RealVNC
    2012-05-02 18:17 - 2012-05-02 18:17 - 06038200 ____A (RealVNC Ltd ) C:\Users\Administrator\Downloads\vnc-E4_6_3-x86_x64_win32.exe
    2012-05-02 18:14 - 2012-05-02 18:14 - 00741744 ____A (RealVNC Ltd. ) C:\Users\Administrator\Downloads\vnc-4_1_3-x86_win32.exe
    2012-05-02 18:12 - 2012-05-02 18:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Leadertech
    2012-05-02 18:10 - 2012-05-02 18:10 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FileMaker
    2012-05-02 18:10 - 2012-05-02 17:57 - 00000000 ____D C:\Program Files (x86)\FileMaker
    2012-05-02 18:03 - 2012-04-27 21:02 - 00109648 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-05-02 17:58 - 2012-05-02 17:58 - 00002505 ____A C:\Users\Administrator\Downloads\admin_console_init_webstart.jnlp
    2012-05-02 10:16 - 2012-05-02 10:16 - 00000000 ____D C:\Users\All Users\Apple
    2012-05-02 10:16 - 2012-05-02 10:16 - 00000000 ____D C:\Program Files\Bonjour
    2012-05-02 10:16 - 2012-05-02 10:16 - 00000000 ____D C:\Program Files (x86)\Bonjour
    2012-05-02 10:15 - 2012-05-02 10:15 - 00000000 ____D C:\Users\All Users\Sun
    2012-05-02 07:50 - 2012-05-02 07:43 - 00000000 ____D C:\Users\All Users\Microsoft Help
    2012-05-02 07:46 - 2012-05-02 07:46 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
    2012-05-02 07:46 - 2012-05-02 07:43 - 00000000 ____D C:\Windows\SHELLNEW
    2012-05-02 07:45 - 2012-05-02 07:45 - 00000000 ____D C:\Windows\PCHEALTH
    2012-05-02 07:45 - 2012-05-02 07:45 - 00000000 ____D C:\Program Files\Microsoft Sync Framework
    2012-05-02 07:45 - 2012-05-02 07:45 - 00000000 ____D C:\Program Files (x86)\MSBuild
    2012-05-02 07:45 - 2012-05-02 07:43 - 00000000 ____D C:\Program Files\Microsoft Office
    2012-05-02 07:44 - 2012-05-02 07:44 - 00000000 ____D C:\Program Files\Microsoft Analysis Services
    2012-05-02 07:44 - 2012-05-02 07:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
    2012-05-02 07:44 - 2012-05-02 07:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
    2012-05-02 07:43 - 2012-05-02 07:43 - 00000000 __RHD C:\MSOCache
    2012-05-02 07:43 - 2012-05-02 07:43 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
    2012-05-02 07:43 - 2012-05-02 07:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
    2012-04-28 09:46 - 2012-04-28 07:55 - 00001318 ____A C:\Windows\ntbackup.ini
    2012-04-28 07:58 - 2005-07-01 08:34 - 00000000 ____D C:\C
    2012-04-28 07:56 - 2012-04-28 07:56 - 00000000 ____D C:\Users\All Users\Microsoft Forefront
    2012-04-28 07:54 - 2012-04-28 07:54 - 00684193 ____A C:\Users\Administrator\Downloads\Windows6.1-KB974674-x64.msu
    2012-04-28 07:50 - 2012-04-28 07:50 - 00907264 ____A C:\Users\Administrator\Downloads\NtBackupRestore_Win64.msi
    2012-04-28 07:50 - 2012-04-28 07:50 - 00000000 ____D C:\Users\All Users\Windows Genuine Advantage
    2012-04-28 07:49 - 2012-04-28 07:49 - 01528184 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\GenuineCheck.exe
    2012-04-28 07:30 - 2012-04-28 07:30 - 00000000 ____D C:\Program Files (x86)\Elaborate Bytes
    2012-04-28 07:29 - 2012-04-28 07:29 - 01587696 ____A C:\Users\Administrator\Downloads\SetupVirtualCloneDrive5.exe
    2012-04-28 00:56 - 2009-07-13 21:42 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
    2012-04-28 00:56 - 2009-07-13 21:37 - 00262144 ____A C:\Windows\System32\config\BCD-Template
    2012-04-27 23:06 - 2012-04-27 23:06 - 00000000 ____D C:\Program Files\7-Zip
    2012-04-27 23:05 - 2012-04-27 23:05 - 01376768 ____A C:\Users\Administrator\Downloads\7z920-x64.msi
    2012-04-27 23:00 - 2012-04-27 23:00 - 00000000 ____D C:\Program Files (x86)\Dell Wireless
    2012-04-27 23:00 - 2012-04-27 21:13 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2012-04-27 22:55 - 2012-04-27 21:23 - 00000000 ____D C:\Program Files (x86)\Intel
    2012-04-27 22:54 - 2012-04-27 22:54 - 04176888 ____A C:\Users\Administrator\Downloads\Intel_Management-Engine-Inte_A01_R301322.exe
    2012-04-27 22:53 - 2012-04-27 22:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
    2012-04-27 22:53 - 2012-04-27 22:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
    2012-04-27 22:50 - 2012-04-27 22:50 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
    2012-04-27 22:50 - 2012-04-27 22:50 - 00000000 ____D C:\Users\Administrator\AppData\Local\Deployment
    2012-04-27 22:50 - 2012-04-27 22:50 - 00000000 ____D C:\Users\Administrator\AppData\Local\Apps\2.0
    2012-04-27 22:46 - 2012-04-27 22:46 - 00000000 ____A C:\Users\Administrator\Downloads\ChromeSetup_exe.u1wqa93.partial
    2012-04-27 21:32 - 2012-04-27 21:32 - 00000000 ____D C:\Program Files (x86)\Realtek
    2012-04-27 21:23 - 2012-04-27 21:23 - 00000000 ____D C:\Intel
    2012-04-27 21:18 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-04-27 21:13 - 2012-04-27 21:13 - 00000000 ____D C:\Users\All Users\Dell
    2012-04-27 21:13 - 2012-04-27 21:13 - 00000000 ____D C:\dell
    2012-04-27 21:01 - 2012-04-27 21:01 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
    2012-04-27 21:00 - 2011-12-07 03:34 - 00000000 __SHD C:\Recovery
    2012-04-27 21:00 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
    2012-04-27 20:59 - 2011-12-07 03:30 - 00003652 ____A C:\Windows\TSSysprep.log
    2012-04-27 20:59 - 2011-12-07 03:27 - 00000000 ____D C:\Windows\Panther
    2012-04-27 20:59 - 2009-07-13 20:59 - 00049607 ____A C:\Windows\SysWOW64\license.rtf
    2012-04-27 20:59 - 2009-07-13 20:59 - 00049607 ____A C:\Windows\System32\license.rtf
    2012-04-27 20:59 - 2009-07-13 20:49 - 00004059 ____A C:\Windows\DtcInstall.log
    2012-04-27 19:55 - 2012-06-13 13:44 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-04-25 21:41 - 2012-06-13 13:44 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-04-25 21:41 - 2012-06-13 13:44 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-04-25 21:34 - 2012-06-13 13:44 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-04-12 10:45 - 2012-04-12 10:45 - 00252304 ____A (VanDyke Software, Inc.) C:\Windows\System32\vdspka10.dll
    2012-04-04 11:56 - 2012-06-28 06:05 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

    ZeroAccess:
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\@
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L\00000004.@
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L\201d3dde
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L\55490ac4
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\00000004.@
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\00000008.@
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\000000cb.@
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000000.@
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000032.@
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000064.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 14%
    Total physical RAM: 4008.64 MB
    Available physical RAM: 3430.57 MB
    Total Pagefile: 4006.84 MB
    Available Pagefile: 3419.27 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:488.28 GB) (Free:459.42 GB) NTFS
    2 Drive d: () (Fixed) (Total:0.04 GB) (Free:0.04 GB) FAT
    3 Drive f: () (Fixed) (Total:428.38 GB) (Free:301.35 GB) NTFS
    6 Drive I: () (Removable) (Total:15.01 GB) (Free:14.6 GB) FAT32
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    8 Drive y: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.85 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 15 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 39 MB 31 KB
    Partition 2 Primary 14 GB 40 MB
    Partition 3 Primary 488 GB 14 GB
    Partition 4 Primary 428 GB 503 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D FAT Partition 39 MB Healthy

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 Y RECOVERY NTFS Partition 14 GB Healthy

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C NTFS Partition 488 GB Healthy

    ======================================================================================================

    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F NTFS Partition 428 GB Healthy

    ======================================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 15 GB 31 KB

    ======================================================================================================

    Disk: 2
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 I FAT32 Removable 15 GB Healthy

    ======================================================================================================

    ==========================================================

    Last Boot: 2012-06-27 20:44

    ======================= End Of Log ==========================

    Here is the result of search for services.exe:

    Farbar Recovery Scan Tool Version: 28-06-2012 02
    Ran by SYSTEM at 2012-06-29 09:24:38
    Running from I:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

    ====== End Of Search ======
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next....

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  3. despe666

    despe666 TS Rookie Topic Starter

    Hello. Here is the fixlog file. I was unable to run combofix; I'm getting a message that it is not meant for servers (this is a Windows 2008r2 box). Thanks.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 28-06-2012 02
    Ran by SYSTEM at 2012-06-29 16:28:02 Run:1
    Running from H:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
    C:\Windows\System32\consrv.dll not found.
    skzbcqnm service deleted successfully.
    C:\Windows\System32\Drivers\skzbcqnm.sys not found.
    C:\Windows\System32\services.exe.D518A6B492EF0B01 moved successfully.
    C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb} moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
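The two findings from the first post (the services.exe MD5 that differs from the WinSxS copy, and the GUID folder under C:\Windows\Installer with its "@", "L" and "U" entries) and the repair the Fixlog above performed (copying the WinSxS copy back over services.exe), reproduced as an added Python example on a constructed directory tree. This is not code from the thread or from FRST; the fake Windows tree, its file contents and the function names are assumptions of the example.

```python
r"""Added example (not from the thread or from FRST) of the checks its logs rely on,
run on a constructed tree:
 1. MD5 of System32\services.exe vs. the pristine copy in the WinSxS store
    (winsxs\amd64_microsoft-windows-s..s-servicecontroller_*): a mismatch is
    what the Bamital & volsnap Check flagged as "ZeroAccess <==== ATTENTION!".
 2. The ZeroAccess footprint the scan listed: a GUID folder under
    Windows\Installer holding "@", "L" and "U".
 3. The Fixlog's repair: set the tampered file aside, copy the store copy back.
Tree layout, file contents and function names are assumptions of this example.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# WinSxS component folder: FRST printed ".." and the on-disk name really has them.
STORE_PREFIX = "amd64_microsoft-windows-s..s-servicecontroller_"
GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_MARKERS = {"@", "L", "U"}   # entries the scan listed inside the GUID folder


def md5_of(path: Path) -> str:
    """Upper-case hex MD5, the form FRST prints."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def find_store_copies(windows_root: Path, name: str) -> list:
    """All copies of <name> in the service-controller component folders of winsxs."""
    sxs = windows_root / "winsxs"
    if not sxs.is_dir():
        return []
    return sorted(d / name for d in sxs.iterdir()
                  if d.name.startswith(STORE_PREFIX) and (d / name).is_file())

def check_against_winsxs(windows_root: Path, name: str = "services.exe") -> dict:
    """Verdict for System32\\<name>: 'legit' if its MD5 matches a store copy,
    'PATCHED' if not, 'missing' or 'no reference copy' otherwise."""
    live = windows_root / "System32" / name
    store = find_store_copies(windows_root, name)
    live_md5 = md5_of(live) if live.is_file() else None
    store_md5s = [md5_of(p) for p in store]
    if live_md5 is None:
        verdict = "missing"
    elif not store_md5s:
        verdict = "no reference copy"
    else:
        verdict = "legit" if live_md5 in store_md5s else "PATCHED"
    return {"file": str(live), "live_md5": live_md5,
            "store_md5s": store_md5s, "verdict": verdict}

def find_zeroaccess_installer_dirs(windows_root: Path) -> list:
    """GUID-named folders under Windows\\Installer that contain '@', 'L' and 'U'.
    Ordinary MSI cache folders are GUID-named too, so the markers decide."""
    installer = windows_root / "Installer"
    if not installer.is_dir():
        return []
    return sorted(str(d) for d in installer.iterdir()
                  if d.is_dir() and GUID_DIR_RE.match(d.name)
                  and ZA_MARKERS <= {c.name for c in d.iterdir()})

def restore_from_winsxs(windows_root: Path, name: str = "services.exe") -> dict:
    """Mirror the Fixlog: set the tampered file aside (keep it as evidence) and
    copy the first store copy back into System32, then re-run the check."""
    store = find_store_copies(windows_root, name)
    if not store:
        raise FileNotFoundError(f"no WinSxS reference copy of {name}")
    live = windows_root / "System32" / name
    if live.exists():
        live.replace(live.with_name(name + ".quarantine"))
    shutil.copy2(store[0], live)
    return check_against_winsxs(windows_root, name)

def build_sample_tree() -> Path:
    """Constructed sample: clean winsxs copy, tampered System32 copy, one
    ZeroAccess-style Installer folder and one benign GUID folder."""
    root = Path(tempfile.mkdtemp()) / "Windows"
    clean = b"MZ" + b"\x00" * 64 + b"constructed clean services.exe body"
    sxs = root / "winsxs" / (STORE_PREFIX +
                             "31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1")
    sxs.mkdir(parents=True)
    (sxs / "services.exe").write_bytes(clean)
    (root / "System32").mkdir()
    (root / "System32" / "services.exe").write_bytes(clean + b"\x90" * 512)  # tampered
    za = root / "Installer" / "{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}"
    (za / "L").mkdir(parents=True)
    (za / "U").mkdir()
    (za / "@").write_bytes(b"")
    (za / "U" / "80000000.@").write_bytes(b"constructed")
    (root / "Installer" / "{11111111-2222-3333-4444-555555555555}").mkdir()  # benign
    return root

if __name__ == "__main__":
    win = build_sample_tree()
    print(check_against_winsxs(win)["verdict"], find_zeroaccess_installer_dirs(win))
    print(restore_from_winsxs(win)["verdict"])
```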
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    That's a bit of a problem because we don't have too many tools for servers.

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
     
  5. despe666

    despe666 TS Rookie Topic Starter

    Here's the MBAM log:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.30.01

    Windows Server 2008 R2 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Administrator :: SERVEURAOP [administrator]

    30/06/2012 1:23:26 AM
    mbam-log-2012-06-30 (01-23-26).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 305642
    Time elapsed: 1 minute(s), 30 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  7. despe666

    despe666 TS Rookie Topic Starter

    Results of screen317's Security Check version 0.99.24
    x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Spybot - Search & Destroy
    Java(TM) 6 Update 32
    Out of date Java installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
     
  8. despe666

    despe666 TS Rookie Topic Starter

    Farbar Service Scanner Version: 25-06-2012 01
    Ran by Administrator (administrator) on 01-07-2012 at 00:26:14
    Running from "C:\Users\Administrator\Downloads"
    Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.
    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
    bfe Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
    System Restore Disabled Policy:
    ========================
    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    ATTENTION!=====> C:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.
    C:\Windows\System32\vssvc.exe => MD5 is legit
    ATTENTION!=====> C:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    **** End of log ****
     
  9. despe666

    despe666 TS Rookie Topic Starter

    C:\FRST\Quarantine\services.exe	Win64/Patched.A.Gen trojan	deleted - quarantined
    C:\FRST\Quarantine\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\00000008.@	Win64/Agent.BA trojan	cleaned by deleting - quarantined
    C:\FRST\Quarantine\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000000.@	Win64/Sirefef.AE trojan	cleaned by deleting - quarantined
    D:\Mil\My Documents\My Received Files\flash 5.zip	probably a variant of Win32/Agent.NJOBVXP trojan	deleted - quarantined
     
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =====================================================

    Now....we have some system files and some registry keys missing.

    Let's start with files...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      wscsvc.dll
      SDRSVC.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. despe666

    despe666 TS Rookie Topic Starter

    SystemLook 30.07.11 by jpshortstuff
    Log created at 01:18 on 02/07/2012 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "wscsvc.dll"
    No files found.

    Searching for "SDRSVC.dll"
    No files found.

    -= EOF =-
     
  12. Broni

    Broni Malware Annihilator

    Do you have Windows CD for your OS?
     
  13. despe666

    despe666 TS Rookie Topic Starter

    Yes I do
     
  14. Broni

    Broni Malware Annihilator

    Search that DVD for those two missing files:
    wscsvc.dll
    SDRSVC.dll

    They're probably compressed so search for:

    wscsvc.*
    SDRSVC.*
     
  15. despe666

    despe666 TS Rookie Topic Starter

    I couldn't find either file on the DVD. I ran FSS on another Windows 2008 r2 box that is clean as far as I know and the same files were missing.
     
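The SystemLook filefind step earlier in the thread and the comparison against a clean Windows Server 2008 R2 box both come down to one question: does the service the scanner complains about actually exist on this SKU, and if so, is its file on disk and signed? The script below is an added example for doing that check from PowerShell; it is not part of the thread and not one of the tools Broni posted. It assumes the service-to-file pairs from the thread (wscsvc -> wscsvc.dll, SDRSVC -> SDRSVC.dll), an elevated prompt, and PowerShell 4.0 or later (Get-FileHash and [ordered] are not in the 2.0 build that Server 2008 R2 ships with).

```powershell
# Added example (not from the thread): for each service the scanner flagged, report
# whether the service key exists, which DLL the registry points to, whether that file
# is on disk, its Authenticode status and its SHA-256. Running the same script on a
# known-clean host of the same edition and comparing the output tells you whether
# "file is missing" means damage or simply a feature this SKU does not have.
# Service/file pairs are the ones named in the thread (an assumption, not a full list).

$checks = @(
    @{ Service = 'wscsvc'; File = 'wscsvc.dll' }   # Security Center service DLL
    @{ Service = 'SDRSVC'; File = 'SDRSVC.dll' }   # Windows Backup service DLL
)

function Test-ServiceFile {
    param([string]$Service, [string]$File)

    $result = [ordered]@{
        Service     = $Service
        File        = $File
        RegistryKey = $false
        ServiceDll  = $null
        OnDisk      = $false
        Signature   = 'n/a'
        SHA256      = 'n/a'
    }

    # 1. Does the service exist in the registry at all? A service that is absent on a
    #    clean machine of the same edition is expected to be absent here too.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    if (Test-Path $key) {
        $result.RegistryKey = $true
        $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            # ServiceDll is REG_EXPAND_SZ, so expand %SystemRoot% and friends
            $result.ServiceDll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        }
    }

    # 2. Is the file on disk? Prefer the path the registry points to, else System32.
    $path = if ($result.ServiceDll) { $result.ServiceDll }
            else { Join-Path $env:SystemRoot "System32\$File" }
    if (Test-Path $path) {
        $result.OnDisk = $true
        # 3. A Microsoft service DLL should carry a valid (embedded or catalog) signature;
        #    a present-but-unsigned or tampered file is the case a patched-file infection leaves behind.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Signature = "$($sig.Status) ($($sig.SignerCertificate.Subject))"
        $result.SHA256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
    [pscustomobject]$result
}

$report = foreach ($c in $checks) { Test-ServiceFile @c }
$report | Format-List

# To compare with a known-clean host of the same edition, export on both and diff the CSVs:
# $report | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-servicefiles.csv"
```

Reading the output: RegistryKey false with OnDisk false on both the suspect host and the clean reference is the "not on this SKU" case the thread ended in; RegistryKey true with OnDisk false is a genuinely missing component; OnDisk true with a Signature other than Valid, or a SHA-256 that differs from the reference, is the file-level tampering the earlier FSS log checks for with its MD5 comparison.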
  16. Broni

    Broni Malware Annihilator

    I see.
    I'm not very familiar with server OS.
    Possibly my tools (mostly designed for regular Windows versions) are misreading something.

    Are you having any current issues?
     
  17. despe666

    despe666 TS Rookie Topic Starter

    It looks good for now. My Windows Firewall installation was wiped but I was able to restore it. I was also able to reinstall my AV software (Forefront), which failed when I was infected. It updated and scanned and found nothing.

    Thank you very much for your help.
     
  18. Broni

    Broni Malware Annihilator

    Make sure you reset restore points.
    Turn system restore off.
    Restart computer.
    Turn system restore on.

    Way to go!!
    Good luck and stay safe :)
     
