Inactive [A] Another Sirefef - posting frst.txt and search.txt

[billmx]

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-06-2012
Ran by SYSTEM at 21-06-2012 11:00:16
Running from G:\
Windows Vista (TM) Home Basic Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [150040 2008-06-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [170520 2008-06-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [145944 2008-06-25] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe" [x]
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [431456 2008-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [505720 2008-06-02] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [716800 2008-05-09] (TOSHIBA Corporation)
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [cfFncEnabler.exe] cfFncEnabler.exe [x]
HKLM\...\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\TSS.exe" /hide [1242424 2008-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-07-24] (Google)
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\bill\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
HKU\Emma\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2008-04-24] (TOSHIBA)
HKU\Emma\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-06] (Google Inc.)
HKU\Larry\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\Larry\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-06] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

================================ Services (Whitelisted) ==================

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-20] (Microsoft Corporation)
3 GameConsoleService; "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [164600 2008-05-28] (WildTangent, Inc.)
3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-07-24] (Google)
3 msiserver; C:\Windows\System32\msiexec.exe /V [73216 2009-04-10] (Microsoft Corporation)
3 SstpSvc; C:\Windows\System32\sstpsvc.dll [116736 2008-01-20] (Microsoft Corporation)
2 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [46392 2008-08-04] (TOSHIBA Corporation)
2 TNaviSrv; C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [83312 2008-07-18] (TOSHIBA Corporation)
3 UI0Detect; C:\Windows\System32\UI0Detect.exe [35840 2008-01-20] (Microsoft Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1161888 2006-11-28] (Agere Systems)
0 DasBoot; C:\Windows\system32\drivers\DasBoot.SYS [20744 2012-01-17] ()
0 DasBootF; C:\Windows\system32\drivers\DasBootF.SYS [59272 2012-01-17] ()
3 FwLnk; C:\Windows\System32\DRIVERS\FwLnk.sys [7168 2006-11-20] (TOSHIBA Corporation)
1 jswpslwf; C:\Windows\System32\DRIVERS\jswpslwf.sys [20384 2008-04-28] (Atheros Communications, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR.SYS [62976 2008-04-02] (Realtek Semiconductor Corp.)
0 tos_sps32; C:\Windows\System32\DRIVERS\tos_sps32.sys [279376 2008-07-18] (TOSHIBA Corporation)
0 TVALZ; C:\Windows\System32\DRIVERS\TVALZ_O.SYS [23640 2007-11-09] (TOSHIBA Corporation)
3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-21 06:27 - 2012-06-21 06:39 - 00260558 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-06-21 06:25 - 2012-06-21 06:48 - 00292886 ____A C:\Windows\System32\PHOOKSmf.txt
2012-06-21 06:16 - 2012-06-21 06:48 - 00000000 ____D C:\Windows\System32\DBBK
2012-06-21 06:16 - 2012-03-22 08:17 - 00225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-06-21 06:16 - 2012-01-17 12:55 - 00059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
2012-06-21 06:16 - 2012-01-17 12:55 - 00027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
2012-06-21 06:16 - 2012-01-17 12:55 - 00020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
2012-06-21 06:16 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
2012-06-21 06:16 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
2012-06-21 06:16 - 2010-05-03 17:37 - 00003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
2012-06-21 06:15 - 2012-06-21 06:39 - 00153520 ____A C:\Users\bill\Desktop\yorkyt.exe.log
2012-06-21 06:13 - 2012-06-21 06:11 - 68524064 ____A (Microsoft Corporation) C:\Users\bill\Desktop\msert.exe
2012-06-21 06:13 - 2012-06-21 06:09 - 01415784 ____A C:\Users\bill\Desktop\yorkyt.exe
2012-06-21 05:48 - 2012-06-21 05:58 - 00000402 ____A C:\rkill.log
2012-06-21 05:24 - 2012-06-21 05:28 - 00000000 ___SD C:\32788R22FWJFW
2012-06-21 05:24 - 2012-06-21 05:24 - 00000000 ___SD C:\wjmrepair
2012-06-21 05:24 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-06-21 05:24 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-06-21 05:24 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-06-21 05:24 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-06-21 05:24 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-06-21 05:24 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-06-21 05:24 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-06-21 05:24 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-06-21 05:16 - 2012-06-21 05:11 - 04563474 ____R (Swearware) C:\Users\bill\Desktop\wjmrepair.exe
2012-06-21 05:11 - 2012-06-21 05:11 - 00113368 ____A C:\Users\bill\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-21 05:11 - 2012-06-21 05:11 - 00000000 ____D C:\Users\bill\Documents\My Google Gadgets
2012-06-21 05:11 - 2012-06-21 05:11 - 00000000 ____D C:\Users\bill\AppData\Local\Toshiba
2012-06-21 05:10 - 2012-06-21 05:39 - 00000000 ____D C:\Users\bill\AppData\Local\VirtualStore
2012-06-21 05:10 - 2012-06-21 05:10 - 00000020 ___SH C:\Users\bill\ntuser.ini
2012-06-21 05:10 - 2012-06-21 05:10 - 00000000 ____D C:\Users\bill\AppData\Local\Google
2012-06-21 05:10 - 2012-06-21 05:10 - 00000000 ____D C:\users\bill
2012-06-21 05:10 - 2009-11-29 00:02 - 00000000 ____D C:\Users\bill\AppData\Local\Microsoft Help
2012-06-21 05:01 - 2012-06-21 05:24 - 00000000 ___SD C:\ComboFix
2012-06-21 05:01 - 2012-06-21 05:01 - 00000000 ____D C:\Windows\ERDNT
2012-06-21 04:58 - 2012-06-21 05:01 - 00000000 ____D C:\Qoobox
2012-06-15 18:52 - 2012-06-15 18:52 - 00000000 ____D C:\Users\Larry\Documents\tdsskiller[1]
2012-06-14 18:48 - 2012-06-14 18:48 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-06-14 04:12 - 2012-06-14 04:12 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\Larry\Desktop\TDSSKiller.exe
2012-06-13 18:42 - 2012-06-13 18:42 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-13 18:34 - 2012-06-13 18:34 - 00000000 __SHD C:\Windows\System32\%APPDATA%


============ 3 Months Modified Files and Folders ===============

2012-06-21 06:48 - 2012-06-21 06:25 - 00292886 ____A C:\Windows\System32\PHOOKSmf.txt
2012-06-21 06:48 - 2012-06-21 06:16 - 00000000 ____D C:\Windows\System32\DBBK
2012-06-21 06:47 - 2009-10-24 16:13 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-06-21 06:47 - 2009-03-06 07:51 - 02048437 ____A C:\Windows\WindowsUpdate.log
2012-06-21 06:46 - 2010-02-14 19:28 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-21 06:46 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-21 06:46 - 2006-11-02 04:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-21 06:46 - 2006-11-02 04:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-21 06:39 - 2012-06-21 06:27 - 00260558 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-06-21 06:39 - 2012-06-21 06:15 - 00153520 ____A C:\Users\bill\Desktop\yorkyt.exe.log
2012-06-21 06:11 - 2012-06-21 06:13 - 68524064 ____A (Microsoft Corporation) C:\Users\bill\Desktop\msert.exe
2012-06-21 06:09 - 2012-06-21 06:13 - 01415784 ____A C:\Users\bill\Desktop\yorkyt.exe
2012-06-21 05:58 - 2012-06-21 05:48 - 00000402 ____A C:\rkill.log
2012-06-21 05:48 - 2006-11-02 02:33 - 00706952 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-21 05:39 - 2012-06-21 05:10 - 00000000 ____D C:\Users\bill\AppData\Local\VirtualStore
2012-06-21 05:28 - 2012-06-21 05:24 - 00000000 ___SD C:\32788R22FWJFW
2012-06-21 05:24 - 2012-06-21 05:24 - 00000000 ___SD C:\wjmrepair
2012-06-21 05:24 - 2012-06-21 05:01 - 00000000 ___SD C:\ComboFix
2012-06-21 05:11 - 2012-06-21 05:16 - 04563474 ____R (Swearware) C:\Users\bill\Desktop\wjmrepair.exe
2012-06-21 05:11 - 2012-06-21 05:11 - 00113368 ____A C:\Users\bill\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-21 05:11 - 2012-06-21 05:11 - 00000000 ____D C:\Users\bill\Documents\My Google Gadgets
2012-06-21 05:11 - 2012-06-21 05:11 - 00000000 ____D C:\Users\bill\AppData\Local\Toshiba
2012-06-21 05:10 - 2012-06-21 05:10 - 00000020 ___SH C:\Users\bill\ntuser.ini
2012-06-21 05:10 - 2012-06-21 05:10 - 00000000 ____D C:\Users\bill\AppData\Local\Google
2012-06-21 05:10 - 2012-06-21 05:10 - 00000000 ____D C:\users\bill
2012-06-21 05:01 - 2012-06-21 05:01 - 00000000 ____D C:\Windows\ERDNT
2012-06-21 05:01 - 2012-06-21 04:58 - 00000000 ____D C:\Qoobox
2012-06-19 13:13 - 2006-11-02 04:49 - 00042706 ____A C:\Windows\setupact.log
2012-06-15 18:52 - 2012-06-15 18:52 - 00000000 ____D C:\Users\Larry\Documents\tdsskiller[1]
2012-06-14 18:56 - 2006-11-02 04:58 - 00032588 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-14 18:49 - 2009-03-06 07:12 - 00000000 ____D C:\Program Files\Jumpstart
2012-06-14 18:48 - 2012-06-14 18:48 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-06-14 18:39 - 2010-02-14 19:29 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-14 17:35 - 2006-11-02 04:44 - 00398104 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-14 04:12 - 2012-06-14 04:12 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\Larry\Desktop\TDSSKiller.exe
2012-06-13 18:43 - 2011-02-27 07:26 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-13 18:42 - 2012-06-13 18:42 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-13 18:34 - 2012-06-13 18:34 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-13 18:25 - 2012-04-18 17:50 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-13 18:25 - 2011-09-24 12:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-05-14 09:16 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2012-05-12 19:13 - 2006-11-02 04:35 - 00000000 ____D C:\Windows\System32\XPSViewer
2012-05-11 20:34 - 2009-03-06 06:47 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-05-11 20:30 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-05-11 20:17 - 2011-07-26 17:08 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-10 17:24 - 2012-05-10 17:24 - 00004964 ____A C:\Users\Larry\Documents\Windows Activation instructions.rtf
2012-05-06 17:31 - 2012-05-06 17:31 - 00000210 ____A C:\Users\Larry\Documents\Med_9.rtf
2012-04-22 18:47 - 2009-05-03 10:38 - 00113368 ____A C:\Users\Emma\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-22 18:47 - 2009-05-03 10:37 - 00000000 ____D C:\Users\Emma\AppData\Local\Google
2012-04-11 23:11 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-04-03 00:16 - 2012-05-11 17:14 - 03602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-04-03 00:16 - 2012-05-11 17:14 - 03550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-02 05:36 - 2012-05-11 17:14 - 02044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 04:39 - 2012-05-11 17:14 - 00914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-29 05:39 - 2012-05-11 17:14 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys


ZeroAccess:
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\@
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\L
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\n
C:\Windows\Installer\{26b48154-0abb-b0d4-76a8-de7301767732}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 1915.25 MB
Available physical RAM: 1478.88 MB
Total Pagefile: 1743.8 MB
Available Pagefile: 1530.53 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.32 MB

======================= Partitions =========================

1 Drive c: (SQ004890V03) (Fixed) (Total:224.2 GB) (Free:157.21 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
5 Drive g: () (Fixed) (Total:64.76 GB) (Free:62.49 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.02 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 112 GB 37 GB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 224 GB 1501 MB
Partition 3 Primary 7389 MB 226 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SQ004890V03 NTFS Partition 224 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 65 GB 32 KB
Partition 2 Primary 10 GB 65 GB

======================================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G NTFS Partition 65 GB Healthy

======================================================================================================

Disk: 2
Partition 2
Type : 1C
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

==========================================================

Last Boot: 2012-06-13 18:36

======================= End Of Log ==========================


-------------------------------------------------------------------------------------------------------------------------

Farbar Recovery Scan Tool Version: 20-06-2012
Ran by SYSTEM at 2012-06-21 11:02:14
Running from G:\

================== Search: "services.exe;volsnap.sys;winlogon.exe" ===================

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
[2009-10-24 16:13] - [2009-04-10 22:32] - 0226280 ____A (Microsoft Corporation) 147281C01FCB1DF9252DE2A10D5E7093

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2009-10-24 16:13] - [2009-04-10 22:28] - 0314368 ____A (Microsoft Corporation) 898E7C06A350D4A1A64A9EA264D55452

C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
[2008-01-20 18:34] - [2008-01-20 18:34] - 0314880 ____A (Microsoft Corporation) C2610B6BDBEFC053BBDAB4F1B965CB24

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-24 16:13] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:34] - [2008-01-20 18:34] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-10-24 16:13] - [2012-06-21 06:47] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

C:\Windows\System32\winlogon.exe
[2009-10-24 16:13] - [2009-04-10 22:28] - 0314368 ____A (Microsoft Corporation) 898E7C06A350D4A1A64A9EA264D55452

C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2006-11-02 02:25] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6

C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys
[2009-10-24 16:13] - [2009-04-10 22:32] - 0226280 ____A (Microsoft Corporation) 147281C01FCB1DF9252DE2A10D5E7093

C:\Windows\System32\drivers\volsnap.sys
[2009-10-24 16:13] - [2009-04-10 22:32] - 0226280 ____A (Microsoft Corporation) 147281C01FCB1DF9252DE2A10D5E7093

C:\Users\bill\AppData\Local\Temp\RarSFX3\winlogon.exe
[2012-06-21 06:03] - [2009-05-26 14:47] - 0031232 ____A (NirSoft) AC6094297CD882B8626466CDEB64F19F

C:\Users\bill\AppData\Local\Temp\RarSFX2\winlogon.exe
[2012-06-21 06:01] - [2009-05-26 14:47] - 0031232 ____A (NirSoft) AC6094297CD882B8626466CDEB64F19F

C:\Users\bill\AppData\Local\Temp\RarSFX0\winlogon.exe
[2012-06-21 05:47] - [2009-05-26 14:47] - 0031232 ____A (NirSoft) AC6094297CD882B8626466CDEB64F19F

=== End Of Search ===

 

[Broni]

Welcome aboard

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================================

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

See if you can boot normally.

If so....

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

• Double-click on the Rkill icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!