Trojan:Win32/Sirefef.AH! constantly reappears and desktop disappearing

Hi.

I have recently joined the forum. Last night I was working on my brother's laptop. It has the Windows 7 OS with Microsoft Security Essentials installed. But somehow, after working for some time, I found that a pop-up window appeared showing the following message: "WINDOWS HAS ENCOUNTERED A CRITICAL PROBLEM AND WILL RESTART AUTOMATICALLY IN ONE MINUTE. PLEASE SAVE YOUR WORK NOW". After that it keeps auto-restarting and I couldn't figure out what to do. In fact, Microsoft Security Essentials is unable to remove the virus.
I feel very sorry for my brother. KINDLY HELP to fix this problem. I am writing this from my laptop which has Windows XP as I am unable to work on the infected laptop.

Regards

S Basu
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================

For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 
Hi,
Thanks a lot for such quick response. Will follow the instruction and post the details as soon as possible.
 
Broni,
As per your instruction I have downlowded Farbar Recovery Scan Tool 32-Bit and pluged the flash drive into the infected laptop. But I am unable to enter the the System Recovery Options from Advanced Boot Option. A new window opens heading "Windows Boot Manager" and tells that Windows failed to start. A recent hardware or software change might be the cause. to fix the problem
1. Insert your windows installation disc......
2. Choose your language.
3. Click Repair... etc

Now I don't have the Windows installation disc, or maybe we have lost it. What to do?
 
You're doing something wrong.
It looks like your computer is still trying to boot to Windows.

What happens here?
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
 
The date and time settings cannot be changed. Though I ran the scan yesterday, i.e. the 17th, the computer date is showing the 14th. Anyway, below are the details of the scan.


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 12-06-2012 02
Ran by SHARBARI at 14-06-2012 11:01:31
Running from G:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

========================== Registry (Whitelisted) =============

HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM\...\InprocServer32: [Default-wbem] ATTENTION! ====> ZeroAccess
HKLM\...\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kaspersky Security Scan.lnk
ShortcutTarget: Kaspersky Security Scan.lnk -> C:\Program Files\Kaspersky Security Scan\KSS.exe ()
Startup: C:\Users\SHARBARI\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\SHARBARI\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
ShortcutTarget: Picture Motion Browser Media Check Tool.lnk -> C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)

================================ Services (Whitelisted) ==================


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-14 11:01 - 2012-06-14 11:01 - 00000000 ____D C:\FRST
2012-06-13 01:53 - 2012-06-13 01:53 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-13 01:36 - 2012-06-14 11:00 - 03241472 ____A C:\Windows\ntbtlog.txt
2012-06-10 21:38 - 2012-06-10 21:38 - 00000000 ____D C:\bc65a29436444c4a565c91f029
2012-06-10 21:30 - 2012-06-10 21:37 - 00000000 ____D C:\Users\SHARBARI\Downloads\Real Steel (2011)
2012-06-10 21:12 - 2012-06-10 21:12 - 00000000 ____D C:\Users\SHARBARI\Downloads\Mission Impossible 4 Ghost Protocol (2011) DVDRip XviD-MAXSPEED
2012-06-10 21:04 - 2012-06-10 21:05 - 00000000 ____D C:\Users\SHARBARI\Downloads\The.Mist[2007]DvDrip[Eng]-aXXo
2012-06-10 20:56 - 2012-06-10 21:07 - 00000000 ____D C:\Users\All Users\B7E8586B0023961C01404F54B4EB23C1
2012-05-22 14:14 - 2012-06-07 10:41 - 00000000 ____D C:\Users\SHARBARI\AppData\Local\WinZip
2012-05-22 14:14 - 2012-05-22 14:14 - 00000000 ____D C:\Users\All Users\Tarma Installer
2012-05-22 14:14 - 2012-05-22 14:14 - 00000000 ____D C:\Program Files\Yontoo
2012-05-22 14:11 - 2012-05-22 14:11 - 00002205 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-05-22 14:00 - 2012-05-22 14:00 - 00001229 ____A C:\Users\SHARBARI\Desktop\Play HP Games.lnk
2012-05-22 13:50 - 2012-05-22 14:10 - 54314312 ____A C:\Users\SHARBARI\Desktop\winzip160.exe
2012-05-22 13:48 - 2012-05-22 13:49 - 00000000 ____D C:\Program Files\YouTube Downloader Toolbar
2012-05-22 13:48 - 2012-05-22 13:49 - 00000000 ____D C:\Program Files\Application Updater
2012-05-22 13:48 - 2012-05-22 13:48 - 00000000 ____D C:\Program Files\Common Files\Spigot

============ 3 Months Modified Files and Folders ===============

2012-06-14 11:02 - 2010-05-24 23:32 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\uTorrent
2012-06-14 11:02 - 2010-05-16 17:45 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\DNA
2012-06-14 11:02 - 2010-04-14 17:31 - 00000425 ____A C:\Users\All Users\HPWALog.txt
2012-06-14 11:02 - 2010-03-12 16:17 - 00000177 ____H C:\dvmexp.idx
2012-06-14 11:01 - 2012-06-14 11:01 - 00000000 ____D C:\FRST
2012-06-14 11:01 - 2011-08-08 23:39 - 00000000 ____D C:\Users\SHARBARI\AppData\Local\FileServe Manager
2012-06-14 11:01 - 2011-05-06 11:02 - 00055721 ____A C:\Windows\setupact.log
2012-06-14 11:01 - 2010-08-16 22:52 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-14 11:01 - 2009-07-14 10:23 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-14 11:00 - 2012-06-13 01:36 - 03241472 ____A C:\Windows\ntbtlog.txt
2012-06-13 02:10 - 2010-03-12 15:42 - 01753639 ____A C:\Windows\WindowsUpdate.log
2012-06-13 01:53 - 2012-06-13 01:53 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-13 01:53 - 2011-02-23 18:17 - 00000000 __SHD C:\Config.Msi
2012-06-13 01:53 - 2011-01-31 23:39 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-13 01:53 - 2009-09-07 04:32 - 00722802 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-13 01:51 - 2011-03-02 01:56 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\Orbit
2012-06-13 01:38 - 2012-01-11 22:06 - 00000000 __SHD C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}
2012-06-13 01:37 - 2010-08-16 22:52 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-13 01:36 - 2009-07-14 10:23 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-10 21:38 - 2012-06-10 21:38 - 00000000 ____D C:\bc65a29436444c4a565c91f029
2012-06-10 21:37 - 2012-06-10 21:30 - 00000000 ____D C:\Users\SHARBARI\Downloads\Real Steel (2011)
2012-06-10 21:33 - 2010-04-25 00:42 - 00129024 ____A C:\Users\SHARBARI\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-10 21:28 - 2009-12-22 07:40 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-10 21:12 - 2012-06-10 21:12 - 00000000 ____D C:\Users\SHARBARI\Downloads\Mission Impossible 4 Ghost Protocol (2011) DVDRip XviD-MAXSPEED
2012-06-10 21:11 - 2011-10-02 20:43 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\vlc
2012-06-10 21:07 - 2012-06-10 20:56 - 00000000 ____D C:\Users\All Users\B7E8586B0023961C01404F54B4EB23C1
2012-06-10 21:05 - 2012-06-10 21:04 - 00000000 ____D C:\Users\SHARBARI\Downloads\The.Mist[2007]DvDrip[Eng]-aXXo
2012-06-10 21:03 - 2009-07-14 10:04 - 00021248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-10 21:03 - 2009-07-14 10:04 - 00021248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-07 10:41 - 2012-05-22 14:14 - 00000000 ____D C:\Users\SHARBARI\AppData\Local\WinZip
2012-06-07 09:55 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\System32\NDF
2012-06-07 09:49 - 2009-07-14 08:07 - 00000000 ____D C:\Windows\Microsoft.NET
2012-05-22 14:25 - 2010-04-14 17:27 - 00000000 ____D C:\users\SHARBARI
2012-05-22 14:14 - 2012-05-22 14:14 - 00000000 ____D C:\Users\All Users\Tarma Installer
2012-05-22 14:14 - 2012-05-22 14:14 - 00000000 ____D C:\Program Files\Yontoo
2012-05-22 14:13 - 2012-01-23 17:05 - 00000000 ____D C:\Program Files\WinZipBar
2012-05-22 14:13 - 2010-11-26 00:35 - 00000000 ____D C:\Users\All Users\WinZip
2012-05-22 14:11 - 2012-05-22 14:11 - 00002205 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-05-22 14:11 - 2010-04-14 19:29 - 00000000 ____D C:\Program Files\WinZip
2012-05-22 14:10 - 2012-05-22 13:50 - 54314312 ____A C:\Users\SHARBARI\Desktop\winzip160.exe
2012-05-22 14:00 - 2012-05-22 14:00 - 00001229 ____A C:\Users\SHARBARI\Desktop\Play HP Games.lnk
2012-05-22 13:49 - 2012-05-22 13:48 - 00000000 ____D C:\Program Files\YouTube Downloader Toolbar
2012-05-22 13:49 - 2012-05-22 13:48 - 00000000 ____D C:\Program Files\Application Updater
2012-05-22 13:49 - 2010-04-14 17:27 - 00000000 ____D C:\Users\SHARBARI\AppData\LocalLow
2012-05-22 13:48 - 2012-05-22 13:48 - 00000000 ____D C:\Program Files\Common Files\Spigot
2012-05-22 13:47 - 2009-07-14 08:07 - 00000000 ___RD C:\users\Public
2012-05-22 13:41 - 2011-07-31 10:12 - 00017020 ____A C:\Windows\PFRO.log
2012-04-26 20:08 - 2011-11-10 22:01 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-22 23:47 - 2009-12-22 09:01 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-04-22 23:42 - 2010-04-15 21:55 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\dvdcss
2012-04-22 23:12 - 2009-07-14 10:03 - 00418208 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-31 10:09 - 2012-04-22 23:51 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-03-31 10:09 - 2012-04-22 23:51 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-31 08:06 - 2012-04-22 23:51 - 02343424 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 15:53 - 2012-04-22 23:52 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-20 20:44 - 2012-03-20 20:44 - 00171064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 20:44 - 2012-03-20 20:44 - 00074112 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-17 12:57 - 2012-04-22 23:43 - 00056176 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys


ZeroAccess:
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\@
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\L
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\n
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\U

ZeroAccess:
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}\@
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}\L
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-14 04:41] - [2009-07-14 06:44] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

========================= Memory info ======================

Percentage of memory in use: 39%
Total physical RAM: 1910.84 MB
Available physical RAM: 1157.93 MB
Total Pagefile: 3821.68 MB
Available Pagefile: 3059.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1928.01 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:142.28 GB) (Free:69.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: () (Fixed) (Total:155.51 GB) (Free:30.88 GB) NTFS
3 Drive e: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
5 Drive g: () (Removable) (Total:1.9 GB) (Free:0.01 GB) FAT32

DiskPart has encountered an error: The RPC server is unavailable.
See the System Event Log for more information.


==========================================================

Last Boot: 2012-03-02 23:42

======================= End Of Log ==========================
 
You ran the tool from within Windows. That won't work.
You have to boot to System Recovery Options.
We can't fix your issue from within Windows.

Also, please don't change your post font as it's harder to read.
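
An added example, not part of this thread, of FRST, or of the helper's procedure: a small Python triage script that reads FRST log text of the kind posted above and pulls out the ZeroAccess indicators the helper is looking for, namely the GUID-named folders FRST lists under "ZeroAccess:", the InprocServer32 redirects, the random eight-letter drivers whose .sys is missing, the hijacked .exe association keys and the blanked Winlogon values. It also refuses to treat a log as usable when FRST's "NOT RUN FROM RECOVERY ENVIRONMENT" banner is present, which is exactly why the first log in this thread was rejected. The line patterns are assumptions read off the posted logs, and the two sample logs embedded in the script are constructed from entries in those logs.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for ZeroAccess indicators.
Added example, not part of the thread, of FRST or of the helper's procedure;
the line patterns are assumptions read off the logs posted in this thread and
both sample logs are constructed from entries in those logs."""
import re

# FRST prints this banner when the scan was started inside Windows rather than
# from the Recovery Environment; the rootkit was live, so the log is unusable.
NOT_WINRE_BANNER = "THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT"
HKLM = re.escape("HKLM\\...\\")                       # literal "HKLM\...\" prefix
INPROC_HIJACK = re.compile("^" + HKLM + r"InprocServer32: \[Default-(\w+)\] ATTENTION")
EXE_ASSOC = re.compile("^" + HKLM + r"(\.exe|exefile\\[^:]+): <===== ATTENTION!")
WINLOGON_BLANK = re.compile("^" + HKLM + r"Winlogon: \[(Userinit|Shell)\] \[x ?\]")
# "<start> <name>; <image> [x]": FRST's "[x]" means the image file is missing.
MISSING_IMAGE = re.compile(r"^[0-4] ([^;]+); (.+?) \[x\]$")
RANDOM_8 = re.compile(r"^[a-z]{8}$")
# Under a "ZeroAccess:" header: a GUID-named folder and its members @, L, n, U.
ZA_PATH = re.compile(r"^(.*\{[0-9a-f-]{36}\})(?:\\([@LnU]))?$")


def triage(log_text):
    """Return the indicators found in one FRST log as a dict."""
    result = {
        "run_from_winre": NOT_WINRE_BANNER not in log_text,
        "zeroaccess_dirs": {},        # hidden GUID folder -> members listed
        "inproc_hijacks": [],         # COM servers redirected (wbem, shell32)
        "missing_drivers": [],        # random-named drivers whose .sys is gone
        "exe_assoc_hijacked": [],     # .exe association keys FRST flagged
        "winlogon_blanked": [],       # Userinit / Shell values FRST shows empty
    }
    in_za_block = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line == "ZeroAccess:":
            in_za_block = True
            continue
        if in_za_block:
            m = ZA_PATH.match(line)
            if m:
                members = result["zeroaccess_dirs"].setdefault(m.group(1), set())
                if m.group(2):
                    members.add(m.group(2))
                continue
            in_za_block = False       # the block ends at the first non-path line
        if m := INPROC_HIJACK.match(line):
            result["inproc_hijacks"].append(m.group(1))
        elif m := EXE_ASSOC.match(line):
            result["exe_assoc_hijacked"].append(m.group(1))
        elif m := WINLOGON_BLANK.match(line):
            result["winlogon_blanked"].append(m.group(1))
        elif m := MISSING_IMAGE.match(line):
            # An uninstalled vendor driver also prints "[x]" (RTSTOR, MsMpSvc);
            # only the eight-random-lowercase-letter names belong to the rootkit.
            if RANDOM_8.match(m.group(1)):
                result["missing_drivers"].append(m.group(1))
    return result


def is_zeroaccess(result):
    # Hidden GUID folders or a COM redirect are each decisive on their own.
    return bool(result["zeroaccess_dirs"]) or bool(result["inproc_hijacks"])


# Constructed sample, reduced from the in-Windows run posted above.
SAMPLE_IN_WINDOWS_LOG = r"""
Ran by SHARBARI at 14-06-2012 11:01:31
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.
HKLM\...\InprocServer32: [Default-wbem] ATTENTION! ====> ZeroAccess
"""

# Constructed sample, reduced from the Recovery Environment run in this thread.
SAMPLE_WINRE_LOG = r"""
Ran by SYSTEM at 14-06-2012 11:07:23
HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM\...\InprocServer32: [Default-wbem] ATTENTION! ====> ZeroAccess
HKLM\...\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [74112 2012-03-20] (Microsoft Corporation)
1 bprrenqy; \??\C:\Windows\system32\drivers\bprrenqy.sys [x]
1 enkcykrx; \??\C:\Windows\system32\drivers\enkcykrx.sys [x]

ZeroAccess:
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\@
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\U
ZeroAccess:
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
"""

if __name__ == "__main__":
    for label, log in (("in-Windows", SAMPLE_IN_WINDOWS_LOG), ("WinRE", SAMPLE_WINRE_LOG)):
        r = triage(log)
        print(label, "usable:", r["run_from_winre"], "ZeroAccess:", is_zeroaccess(r), r)
```

Note that "[x]" on its own is not an indicator: the posted log shows it on MsMpSvc, NisSrv and RTSTOR too, which are simply uninstalled or broken components. It is the combination of a missing image with an eight-random-letter service name, alongside the GUID folders and the InprocServer32 redirects, that points at the rootkit, and none of it is worth acting on from a log FRST itself says was not run from the Recovery Environment.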
 
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 12-06-2012 02
Ran by SYSTEM at 14-06-2012 11:07:23
Running from H:\
Windows 7 Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2009-11-06] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [175128 2009-11-06] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [166936 2009-11-06] (Intel Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [282624 2009-05-14] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [495708 2009-10-20] (IDT, Inc.)
HKLM\...\Run: [HPCam_Menu] "c:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [567864 2009-08-25] ()
HKLM\...\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe [842816 2009-07-01] (DigitalPersona, Inc.)
HKLM\...\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [NortonOnlineBackupReminder] "C:\Program Files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED [600936 2009-06-29] (Symantec Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM\...\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-24] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [111856 2009-02-23] (Yahoo! Inc)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [FileServe Manager Task] "C:\Program Files\FileServe Manager\FSStarter.exe" [954648 2011-06-20] (FileServe Limited)
HKLM\...\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE [1698744 2011-09-19] (MusicLab, LLC)
HKLM\...\Run: [] [x]
HKLM\...\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" [992648 2012-05-25] (Spigot, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\SHARBARI\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-10-16] (Hewlett-Packard Company)
HKU\SHARBARI\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [1685048 2009-09-29] (Hewlett-Packard)
HKU\SHARBARI\...\Run: [BitTorrent DNA] "C:\Users\SHARBARI\Program Files\DNA\btdna.exe" [323392 2010-05-16] (BitTorrent, Inc.)
HKU\SHARBARI\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" [395640 2011-01-16] (BitTorrent, Inc.)
HKU\SHARBARI\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-08-16] (Google Inc.)
HKU\SHARBARI\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-05-31] (Yahoo! Inc.)
HKU\SHARBARI\...\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [111856 2009-02-23] (Yahoo! Inc)
HKU\SHARBARI\...\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme [x]
HKU\SHARBARI\...\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray [1479680 2010-05-13] (Nokia)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
AppInit_DLLs: C:\PROGRA~1\SEARCH~1\SEARCH~1\datamngr.dll C:\PROGRA~1\SEARCH~1\SEARCH~1\IEBHO.dll
Tcpip\..\Interfaces\{7CEE0C2C-1FA1-4527-A85D-65C23D4E06AF}: [NameServer]10.10.0.1,4.2.2.2
Lsa: [Notification Packages] scecli
DPPWDFLT
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kaspersky Security Scan.lnk
ShortcutTarget: Kaspersky Security Scan.lnk -> C:\Program Files\Kaspersky Security Scan\KSS.exe ()
Startup: C:\Users\SHARBARI\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\SHARBARI\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
ShortcutTarget: Picture Motion Browser Media Check Tool.lnk -> C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
================================ Services (Whitelisted) ==================
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_94cb740f1febe83e\aestsrv.exe [81920 2009-03-03] (Andrea Electronics Corporation)
2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [785344 2012-05-25] (Spigot, Inc.)
3 Boonty Games; "C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [69120 2010-09-20] (BOONTY)
2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe [582944 2009-07-30] (Broadcom Corporation.)
2 DvmMDES; "C:\SPLASH.SYS\config\DVMExportService.exe" [323584 2009-07-08] (DeviceVM, Inc.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 GameConsoleService; "C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe" [246520 2010-06-18] (WildTangent, Inc.)
3 hkmsvc; C:\Windows\System32\kmsvc.dll [71168 2010-11-20] (Microsoft Corporation)
2 HP Health Check Service; "C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [120832 2009-10-15] (Hewlett-Packard)
3 NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [774144 2006-11-10] (Nero AG)
2 RichVideo; "C:\Program Files\CyberLink\Shared files\RichVideo.exe" [247152 2009-07-06] ()
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_94cb740f1febe83e\STacSV.exe [221266 2009-10-20] (IDT, Inc.)
2 vcsFPService; C:\Windows\system32\vcsFPService.exe [1656112 2009-07-12] (Validity Sensors, Inc.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
2 Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
3 NMIndexingService; "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" [x]
========================== Drivers (Whitelisted) =============
1 DVMIO; \??\C:\SPLASH.SYS\config\dvmio.sys [17624 2009-09-29] (DeviceVM, Inc.)
1 ElRawDisk; \??\C:\Windows\system32\drivers\dddsk.sys [22312 2009-02-12] (EldoS Corporation)
0 iirsp; C:\Windows\System32\DRIVERS\iirsp.sys [41040 2009-07-13] (Intel Corp./ICP vortex GmbH)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [74112 2012-03-20] (Microsoft Corporation)
3 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfd.sys [18816 2008-08-25] (Nokia)
3 pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [47360 2011-01-16] (VSO Software)
3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [150048 2009-11-12] (Realtek Semiconductor Corp.)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [181792 2009-11-12] (Realtek Semiconductor Corp.)
3 SRS_SSCFilter; C:\Windows\System32\drivers\srs_sscfilter_i386.sys [39808 2007-07-25] ()
3 SrvHsfHDA; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [207360 2009-07-13] (Conexant Systems, Inc.)
3 SrvHsfV92; C:\Windows\System32\DRIVERS\VSTDPV3.SYS [980992 2009-07-13] (Conexant Systems, Inc.)
3 SrvHsfWinac; C:\Windows\System32\DRIVERS\VSTCNXT3.SYS [661504 2009-07-13] (Conexant Systems, Inc.)
3 usbser; C:\Windows\system32\drivers\usbser.sys [27648 2010-11-20] (Microsoft Corporation)
3 UsbserFilt; C:\Windows\System32\DRIVERS\usbser_lowerfltj.sys [8192 2010-12-01] (Nokia)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [311296 2009-07-13] (Marvell)
1 bprrenqy; \??\C:\Windows\system32\drivers\bprrenqy.sys [x]
1 enkcykrx; \??\C:\Windows\system32\drivers\enkcykrx.sys [x]
1 hhtxggve; \??\C:\Windows\system32\drivers\hhtxggve.sys [x]
3 RTSTOR; C:\Windows\System32\drivers\RTSTOR.SYS [x]
1 tsbohyrq; \??\C:\Windows\system32\drivers\tsbohyrq.sys [x]
1 ttbrkkxa; \??\C:\Windows\system32\drivers\ttbrkkxa.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-06-13 21:31 - 2012-06-14 11:07 - 00000000 ____D C:\FRST
2012-06-12 12:23 - 2012-06-12 12:23 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-12 12:06 - 2012-06-13 21:30 - 03241472 ____A C:\Windows\ntbtlog.txt
2012-06-10 08:08 - 2012-06-10 08:08 - 00000000 ____D C:\bc65a29436444c4a565c91f029
2012-06-10 08:00 - 2012-06-10 08:07 - 00000000 ____D C:\Users\SHARBARI\Downloads\Real Steel (2011)
2012-06-10 07:42 - 2012-06-10 07:42 - 00000000 ____D C:\Users\SHARBARI\Downloads\Mission Impossible 4 Ghost Protocol (2011) DVDRip XviD-MAXSPEED
2012-06-10 07:34 - 2012-06-10 07:35 - 00000000 ____D C:\Users\SHARBARI\Downloads\The.Mist[2007]DvDrip[Eng]-aXXo
2012-06-10 07:26 - 2012-06-10 07:37 - 00000000 ____D C:\Users\All Users\B7E8586B0023961C01404F54B4EB23C1
2012-05-22 00:44 - 2012-06-06 21:11 - 00000000 ____D C:\Users\SHARBARI\AppData\Local\WinZip
2012-05-22 00:44 - 2012-05-22 00:44 - 00000000 ____D C:\Users\All Users\Tarma Installer
2012-05-22 00:44 - 2012-05-22 00:44 - 00000000 ____D C:\Program Files\Yontoo
2012-05-22 00:41 - 2012-05-22 00:41 - 00002205 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-05-22 00:30 - 2012-05-22 00:30 - 00001229 ____A C:\Users\SHARBARI\Desktop\Play HP Games.lnk
2012-05-22 00:20 - 2012-05-22 00:40 - 54314312 ____A C:\Users\SHARBARI\Desktop\winzip160.exe
2012-05-22 00:18 - 2012-05-22 00:19 - 00000000 ____D C:\Program Files\YouTube Downloader Toolbar
2012-05-22 00:18 - 2012-05-22 00:19 - 00000000 ____D C:\Program Files\Application Updater
2012-05-22 00:18 - 2012-05-22 00:18 - 00000000 ____D C:\Program Files\Common Files\Spigot
============ 3 Months Modified Files and Folders ===============
2012-06-14 11:00 - 2010-04-14 04:11 - 00000000 ____D C:\Users\All Users\Recovery
2012-06-13 21:31 - 2011-08-08 10:09 - 00000000 ____D C:\Users\SHARBARI\AppData\Local\FileServe Manager
2012-06-13 21:31 - 2010-05-24 10:02 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\uTorrent
2012-06-13 21:31 - 2010-05-16 04:15 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\DNA
2012-06-13 21:31 - 2010-03-12 02:47 - 00000177 ____H C:\dvmexp.idx
2012-06-13 21:30 - 2012-06-12 12:06 - 03241472 ____A C:\Windows\ntbtlog.txt
2012-06-13 21:30 - 2011-05-05 21:32 - 00056505 ____A C:\Windows\setupact.log
2012-06-13 21:30 - 2010-08-16 09:22 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-13 21:30 - 2010-04-14 04:01 - 00000174 ____A C:\Users\All Users\HPWALog.txt
2012-06-13 21:30 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-12 12:40 - 2010-03-12 02:12 - 01753639 ____A C:\Windows\WindowsUpdate.log
2012-06-12 12:23 - 2012-06-12 12:23 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-06-12 12:23 - 2011-02-23 04:47 - 00000000 __SHD C:\Config.Msi
2012-06-12 12:23 - 2011-01-31 10:09 - 00001945 ____A C:\Windows\epplauncher.mif
2012-06-12 12:23 - 2009-09-06 15:02 - 00722802 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-12 12:21 - 2011-03-01 12:26 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\Orbit
2012-06-12 12:08 - 2012-01-11 08:36 - 00000000 __SHD C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}
2012-06-12 12:07 - 2010-08-16 09:22 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-12 12:06 - 2009-07-13 20:53 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-10 08:08 - 2012-06-10 08:08 - 00000000 ____D C:\bc65a29436444c4a565c91f029
2012-06-10 08:07 - 2012-06-10 08:00 - 00000000 ____D C:\Users\SHARBARI\Downloads\Real Steel (2011)
2012-06-10 08:03 - 2010-04-24 11:12 - 00129024 ____A C:\Users\SHARBARI\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-10 07:58 - 2009-12-21 18:10 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-06-10 07:42 - 2012-06-10 07:42 - 00000000 ____D C:\Users\SHARBARI\Downloads\Mission Impossible 4 Ghost Protocol (2011) DVDRip XviD-MAXSPEED
2012-06-10 07:41 - 2011-10-02 07:13 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\vlc
2012-06-10 07:37 - 2012-06-10 07:26 - 00000000 ____D C:\Users\All Users\B7E8586B0023961C01404F54B4EB23C1
2012-06-10 07:35 - 2012-06-10 07:34 - 00000000 ____D C:\Users\SHARBARI\Downloads\The.Mist[2007]DvDrip[Eng]-aXXo
2012-06-10 07:33 - 2009-07-13 20:34 - 00021248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-10 07:33 - 2009-07-13 20:34 - 00021248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-06 21:11 - 2012-05-22 00:44 - 00000000 ____D C:\Users\SHARBARI\AppData\Local\WinZip
2012-06-06 20:25 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2012-06-06 20:19 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2012-05-22 00:55 - 2010-04-14 03:57 - 00000000 ____D C:\users\SHARBARI
2012-05-22 00:44 - 2012-05-22 00:44 - 00000000 ____D C:\Users\All Users\Tarma Installer
2012-05-22 00:44 - 2012-05-22 00:44 - 00000000 ____D C:\Program Files\Yontoo
2012-05-22 00:43 - 2012-01-23 03:35 - 00000000 ____D C:\Program Files\WinZipBar
2012-05-22 00:43 - 2010-11-25 11:05 - 00000000 ____D C:\Users\All Users\WinZip
2012-05-22 00:41 - 2012-05-22 00:41 - 00002205 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-05-22 00:41 - 2010-04-14 05:59 - 00000000 ____D C:\Program Files\WinZip
2012-05-22 00:40 - 2012-05-22 00:20 - 54314312 ____A C:\Users\SHARBARI\Desktop\winzip160.exe
2012-05-22 00:30 - 2012-05-22 00:30 - 00001229 ____A C:\Users\SHARBARI\Desktop\Play HP Games.lnk
2012-05-22 00:19 - 2012-05-22 00:18 - 00000000 ____D C:\Program Files\YouTube Downloader Toolbar
2012-05-22 00:19 - 2012-05-22 00:18 - 00000000 ____D C:\Program Files\Application Updater
2012-05-22 00:19 - 2010-04-14 03:57 - 00000000 ____D C:\Users\SHARBARI\AppData\LocalLow
2012-05-22 00:18 - 2012-05-22 00:18 - 00000000 ____D C:\Program Files\Common Files\Spigot
2012-05-22 00:17 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public
2012-05-22 00:11 - 2011-07-30 20:42 - 00017020 ____A C:\Windows\PFRO.log
2012-04-26 06:38 - 2011-11-10 08:31 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-22 10:17 - 2009-12-21 19:31 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-04-22 10:12 - 2010-04-15 08:25 - 00000000 ____D C:\Users\SHARBARI\AppData\Roaming\dvdcss
2012-04-22 09:42 - 2009-07-13 20:33 - 00418208 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-30 20:39 - 2012-04-22 10:21 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-03-30 20:39 - 2012-04-22 10:21 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 18:36 - 2012-04-22 10:21 - 02343424 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 02:23 - 2012-04-22 10:22 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-20 07:14 - 2012-03-20 07:14 - 00171064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 07:14 - 2012-03-20 07:14 - 00074112 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys

ZeroAccess:
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\@
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\L
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\n
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\U
ZeroAccess:
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}\@
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}\L
C:\Users\SHARBARI\AppData\Local\{59549a40-78be-6076-8cf5-2cd7e244131a}\U
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 27%
Total physical RAM: 1910.84 MB
Available physical RAM: 1378.87 MB
Total Pagefile: 1910.84 MB
Available Pagefile: 1385.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1977.62 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:142.28 GB) (Free:69.76 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: () (Fixed) (Total:155.51 GB) (Free:30.88 GB) NTFS
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
4 Drive g: (Recovery14) (CDROM) (Total:4.2 GB) (Free:0 GB) UDF
5 Drive h: () (Removable) (Total:1.9 GB) (Free:0.01 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 Online 1953 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 142 GB 200 MB
Partition 0 Extended 155 GB 142 GB
Partition 4 Logical 155 GB 142 GB
Partition 3 Primary 103 MB 297 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 142 GB Healthy
======================================================================================================
Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 155 GB Healthy
======================================================================================================
Disk: 0
Partition 3
Type : 0C
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy
======================================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1952 MB 122 KB
======================================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 1952 MB Healthy
======================================================================================================
==========================================================
Last Boot: 2012-03-02 10:12
======================= End Of Log ==========================
 
In Vista or Windows 7: Boot to System Recovery Options and run FRST.
In Windows XP: Please boot to UBCD and run FRST.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.
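A small triage script, added here as an illustration and not part of the thread or of FRST itself, showing how the two findings that drive the next step can be pulled out of an FRST log automatically: in the "Bamital & volsnap Check" section every file reports "=> MD5 is legit" except services.exe, which FRST prints with its file details and hash instead, and two "ZeroAccess:" blocks list a GUID-named folder with the "@", "L", "n" and "U" members. The sample text is constructed from the log above; the section-header and path patterns are assumptions about the FRST layout seen on this page.

```python
import re

# Constructed sample modelled on the FRST log pasted above. Paths and the hash
# value are copied from that log; the layout assumptions are ours, not FRST's.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\@
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\L
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\n
C:\Windows\Installer\{59549a40-78be-6076-8cf5-2cd7e244131a}\U
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
"""

HEADER_RE = re.compile(r"^=+\s*([^=]+?)\s*=+\s*$")   # "==== Section title ===="
PATH_RE = re.compile(r"^[A-Za-z]:\\")                  # a Windows path line
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")        # trailing 32-hex-digit hash
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
LEGIT_SUFFIX = "=> MD5 is legit"


def parse_sections(text):
    """Split FRST-style output into {section title: [stripped lines]}.
    Lines that precede the first header are filed under the empty title."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def unverified_binaries(sections):
    """Entries of the 'Bamital & volsnap Check' section that did not get the
    '=> MD5 is legit' verdict. For those FRST prints the bare path followed by
    a detail line whose last token is the file's MD5, which we pick up."""
    lines = sections.get("Bamital & volsnap Check", [])
    findings = []
    for i, line in enumerate(lines):
        if not PATH_RE.match(line) or line.endswith(LEGIT_SUFFIX):
            continue
        md5 = None
        if i + 1 < len(lines):
            m = MD5_RE.search(lines[i + 1])
            if m:
                md5 = m.group(1).upper()
        findings.append({"path": line, "md5": md5})
    return findings


def zeroaccess_entries(sections):
    """Paths listed directly under a 'ZeroAccess:' marker, grouped by the
    GUID-named folder they belong to (the folder line itself is included)."""
    groups = {}
    for lines in sections.values():
        collecting = False
        for line in lines:
            if line == "ZeroAccess:":
                collecting = True
                continue
            if collecting and PATH_RE.match(line):
                m = GUID_RE.search(line)
                key = line[: m.end()] if m else line
                groups.setdefault(key, []).append(line)
            else:
                collecting = False   # block ends at the first non-path line
    return groups


def triage(text):
    """Return both findings for a whole FRST log as one dictionary."""
    sections = parse_sections(text)
    return {
        "unverified": unverified_binaries(sections),
        "zeroaccess": zeroaccess_entries(sections),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["unverified"]:
        print("not verified:", f["path"], f["md5"])
    for folder, members in result["zeroaccess"].items():
        print("ZeroAccess folder:", folder, "(%d entries)" % len(members))
```

On the sample the script reports the single unverified file, services.exe with hash A302BBFF2A7278C0E239EE5D471D86A9, and one ZeroAccess folder with five entries; a clean log produces an empty "unverified" list and no ZeroAccess groups. The hash is only extracted, not judged: whether that services.exe is the genuine file is exactly what the Search.txt step requested above is meant to settle.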
 