Hello,
I was hoping to get some help as my office computer was infected by an employee. I have gotten the Sirefef.R and .AH message. It did go into a looping sequence that I was able to get it out of.
Below is a copy of the FRST log that is requested in many of the help topics for the Sirefef.R/AH virus.
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 14:53:01
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2008-02-15] (IDT, Inc.)
HKLM\...\Run: [mmlweb] C:\Windows\system32\mmlweb.exe [49152 2007-06-28] (MURATA MACHINERY,LTD.)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2010-09-17] (LogMeIn, Inc.)
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)
HKU\user\...\Run: [Google Update] "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-06-15] (Google Inc.)
HKU\user\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [12163848 2012-06-20] (Google)
HKU\user\...\Run: [chromium] C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window [1250328 2012-07-09] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 71.242.0.12 71.252.0.12
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Muratec OB Document Download Manager.lnk
ShortcutTarget: Muratec OB Document Download Manager.lnk -> C:\Program Files\Muratec\OfficeBridge\Download\DOWNUTY.exe (MURATA MACHINERY,LTD.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Muratec OB InfoMonitor.lnk
ShortcutTarget: Muratec OB InfoMonitor.lnk -> C:\Program Files\Muratec\OfficeBridge\Imonitor\Imonitor2.exe (MURATA MACHINERY,LTD.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Muratec OB Scan to Print Monitor.lnk
ShortcutTarget: Muratec OB Scan to Print Monitor.lnk -> C:\Program Files\Muratec\OfficeBridge\ScanToPM\ScanToPM.exe (MURATA MACHINERY,LTD.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Users\user\Start Menu\Programs\Startup\NexDef Plug-in.lnk
ShortcutTarget: NexDef Plug-in.lnk -> (No File)
================================ Services (Whitelisted) ==================
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2010-11-08] (LogMeIn, Inc.)
2 LPDSVC; C:\Windows\System32\lpdsvc.dll [38400 2009-07-13] (Microsoft Corporation)
2 simptcp; C:\Windows\System32\tcpsvcs.exe [9216 2009-07-13] (Microsoft Corporation)
2 SNMP; C:\Windows\System32\snmp.exe [47616 2010-11-20] (Microsoft Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_124a1a436c563c4c\STacSV.exe [102400 2008-02-15] (IDT, Inc.)
3 IDriverT; "c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [x]
2 QBCFMonitorService; "c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [x]
3 QBFCService; "c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [x]
========================== Drivers (Whitelisted) =============
3 androidusb; C:\Windows\System32\Drivers\ssadadb.sys [30312 2011-01-12] (Google Inc)
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2010-09-17] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2010-09-17] (LogMeIn, Inc.)
2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2010-09-17] (LogMeIn, Inc.)
3 sscdbus; C:\Windows\System32\DRIVERS\sscdbus.sys [104648 2011-01-12] (MCCI Corporation)
3 sscdmdfl; C:\Windows\System32\DRIVERS\sscdmdfl.sys [14920 2011-01-12] (MCCI Corporation)
3 sscdmdm; C:\Windows\System32\DRIVERS\sscdmdm.sys [132424 2011-01-12] (MCCI Corporation)
4 LMIRfsClientNP; [x]
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============
2012-07-25 14:52 - 2012-07-25 14:53 - 00000000 ____D C:\FRST
2012-07-25 09:51 - 2012-07-25 09:52 - 00892822 ____A (Farbar) C:\Users\user\Downloads\FRST.exe
2012-07-25 09:49 - 2012-07-25 09:50 - 10288512 ____A (Microsoft Corporation) C:\Users\user\Downloads\mseinstall.exe
2012-07-25 09:08 - 2012-07-25 09:08 - 00000000 ____D C:\Windows\System32\appmgmt
2012-07-25 06:45 - 2012-07-25 13:00 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-07-25 06:45 - 2012-07-25 13:00 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-07-24 13:42 - 2012-07-25 08:33 - 00000000 ___HD C:\Users\user\AppData\Roaming\890E9E35
2012-07-21 15:24 - 2012-07-25 13:00 - 00000000 ____D C:\Windows\Minidump
2012-07-21 15:24 - 2012-07-21 15:24 - 340223470 ____A C:\Windows\MEMORY.DMP
2012-07-21 15:24 - 2012-07-21 15:24 - 00162240 ____A C:\Windows\Minidump\072112-38750-01.dmp
2012-07-21 15:04 - 2012-07-21 15:04 - 00311808 ____A C:\Users\user\AppData\Local\fycmy.exe
2012-07-20 16:11 - 2012-07-25 13:00 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-17 06:35 - 2012-07-17 06:35 - 00000247 ____A C:\user.js
2012-07-16 08:57 - 2012-07-16 08:57 - 00000000 ____D C:\Users\user\AppData\Roaming\com.pageone.Curator
2012-07-16 08:57 - 2012-07-16 08:57 - 00000000 ____D C:\Program Files\PageOneTraffic
2012-07-15 13:03 - 2012-07-16 13:54 - 00016981 ____A C:\Users\user\Desktop\free state payroll we 71512.xlsx
2012-07-15 13:03 - 2012-07-15 13:03 - 00017002 ____A C:\Users\user\Desktop\free state payroll we 7112.xlsx
2012-07-15 08:02 - 2012-07-15 08:02 - 00000000 ____D C:\Users\user\Documents\Out of the Park Developments
2012-07-10 23:05 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-10 23:05 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-10 23:05 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-10 23:05 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-10 23:05 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-10 23:05 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-10 23:05 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-10 23:05 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-10 23:05 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-10 23:05 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-10 23:05 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-10 23:05 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-10 23:05 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-10 23:05 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-10 23:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 13:18 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 13:18 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 13:18 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 13:18 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 13:18 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 13:18 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 13:18 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 13:18 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 13:17 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 13:17 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-07 10:08 - 2012-07-07 10:08 - 00000000 ____D C:\Users\user\.autobahn
2012-07-07 10:07 - 2012-07-07 10:08 - 00000000 ____D C:\Users\user\AppData\Local\Autobahn
2012-07-05 12:48 - 2012-07-11 13:50 - 00009712 ____A C:\Users\user\Desktop\MONTHLY MANAGER SCHEDULE July and august (1).xlsx
2012-07-04 08:49 - 2012-07-04 08:49 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUsb_01009.Wdf
============ 3 Months Modified Files ========================
2012-07-25 10:32 - 2011-06-15 09:57 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-25 10:04 - 2009-07-13 20:34 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 10:04 - 2009-07-13 20:34 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 09:57 - 2011-06-15 09:57 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-25 09:57 - 2011-01-07 10:42 - 01911362 ____A C:\Windows\WindowsUpdate.log
2012-07-25 09:57 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 09:57 - 2009-07-13 20:39 - 00046013 ____A C:\Windows\setupact.log
2012-07-25 09:55 - 2011-01-07 11:19 - 00039014 ____A C:\Windows\PFRO.log
2012-07-25 09:53 - 2011-01-07 10:50 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-25 09:52 - 2012-07-25 09:51 - 00892822 ____A (Farbar) C:\Users\user\Downloads\FRST.exe
2012-07-25 09:50 - 2012-07-25 09:49 - 10288512 ____A (Microsoft Corporation) C:\Users\user\Downloads\mseinstall.exe
2012-07-25 09:09 - 2011-02-22 18:20 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-25 07:10 - 2011-11-26 17:53 - 00179512 ____A C:\Users\user\Documents\2012 schedule.xlsx
2012-07-21 15:24 - 2012-07-21 15:24 - 340223470 ____A C:\Windows\MEMORY.DMP
2012-07-21 15:24 - 2012-07-21 15:24 - 00162240 ____A C:\Windows\Minidump\072112-38750-01.dmp
2012-07-21 15:24 - 2009-07-13 20:57 - 00067584 ___AS C:\Windows\bootstat(28).dat
2012-07-21 15:04 - 2012-07-21 15:04 - 00311808 ____A C:\Users\user\AppData\Local\fycmy.exe
2012-07-20 17:04 - 2009-07-13 20:53 - 00019590 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-20 16:57 - 2011-07-10 12:34 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001UA.job
2012-07-20 11:57 - 2011-07-10 12:34 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-429206791-1674625279-1837712758-1001Core.job
2012-07-17 06:35 - 2012-07-17 06:35 - 00000247 ____A C:\user.js
2012-07-16 13:54 - 2012-07-15 13:03 - 00016981 ____A C:\Users\user\Desktop\free state payroll we 71512.xlsx
2012-07-15 13:03 - 2012-07-15 13:03 - 00017002 ____A C:\Users\user\Desktop\free state payroll we 7112.xlsx
2012-07-12 05:27 - 2011-01-10 14:10 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2012-07-12 05:27 - 2011-01-10 14:10 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2012-07-12 05:27 - 2011-01-10 14:10 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-07-11 13:50 - 2012-07-05 12:48 - 00009712 ____A C:\Users\user\Desktop\MONTHLY MANAGER SCHEDULE July and august (1).xlsx
2012-07-10 23:22 - 2009-07-13 20:33 - 00427376 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-10 23:04 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-07-10 23:01 - 2011-01-07 10:59 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-07 10:51 - 2011-06-19 10:11 - 00073959 ____A C:\Users\user\Desktop\mariapricelist - Current.xlsx
2012-07-04 08:49 - 2012-07-04 08:49 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUsb_01009.Wdf
2012-07-03 09:54 - 2012-06-03 09:28 - 00017003 ____A C:\Users\user\Desktop\free state payroll we 61712.xlsx
2012-06-11 18:40 - 2012-07-10 23:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-10 07:13 - 2012-06-10 07:12 - 00002358 ____A C:\Users\user\cvdm.err
2012-06-08 20:41 - 2012-07-10 13:17 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-10 13:18 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-10 13:18 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-10 13:17 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 16:14 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-20 16:14 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-20 16:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-20 16:14 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-20 16:14 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-10 23:05 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-10 23:05 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-10 23:05 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-10 23:05 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-10 23:05 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-10 23:05 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-10 23:05 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-10 23:05 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-10 23:05 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-10 23:05 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-10 23:05 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-10 23:05 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-10 23:05 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-10 23:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-10 13:18 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-10 13:18 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-10 13:18 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-10 13:18 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-10 13:18 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-20 12:53 - 2009-07-13 18:05 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-04-30 20:44 - 2012-06-13 09:31 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-13 09:31 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
ZeroAccess:
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\00000004.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\1afb2d56
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\201d3dde
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\00000004.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\00000008.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\000000cb.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000000.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000032.@
ZeroAccess:
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 12%
Total physical RAM: 4030.43 MB
Available physical RAM: 3513.96 MB
Total Pagefile: 4028.71 MB
Available Pagefile: 3513.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:931.41 GB) (Free:881.03 GB) NTFS
3 Drive f: () (Removable) (Total:7.45 GB) (Free:7.04 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 7633 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 931 GB 101 MB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 931 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7633 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 7633 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-17 20:10
======================= End Of Log ==========================
2012-07-10 23:04 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-07-10 23:01 - 2011-01-07 10:59 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-07 10:51 - 2011-06-19 10:11 - 00073959 ____A C:\Users\user\Desktop\mariapricelist - Current.xlsx
2012-07-04 08:49 - 2012-07-04 08:49 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUsb_01009.Wdf
2012-07-03 09:54 - 2012-06-03 09:28 - 00017003 ____A C:\Users\user\Desktop\free state payroll we 61712.xlsx
2012-06-11 18:40 - 2012-07-10 23:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-10 07:13 - 2012-06-10 07:12 - 00002358 ____A C:\Users\user\cvdm.err
2012-06-08 20:41 - 2012-07-10 13:17 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-10 13:18 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-10 13:18 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-10 13:17 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 16:14 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-20 16:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-20 16:14 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-20 16:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-20 16:14 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-20 16:14 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-10 23:05 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-10 23:05 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-10 23:05 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-10 23:05 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-10 23:05 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-10 23:05 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-10 23:05 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-10 23:05 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-10 23:05 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-10 23:05 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-10 23:05 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-10 23:05 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-10 23:05 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-10 23:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-10 13:18 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-10 13:18 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-10 13:18 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-10 13:18 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-10 13:18 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-20 12:53 - 2009-07-13 18:05 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-04-30 20:44 - 2012-06-13 09:31 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-13 09:31 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
ZeroAccess:
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\00000004.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\1afb2d56
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L\201d3dde
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\00000004.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\00000008.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\000000cb.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000000.@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000032.@
ZeroAccess:
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\L
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\n
C:\Users\user\AppData\Local\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 12%
Total physical RAM: 4030.43 MB
Available physical RAM: 3513.96 MB
Total Pagefile: 4028.71 MB
Available Pagefile: 3513.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:931.41 GB) (Free:881.03 GB) NTFS
3 Drive f: () (Removable) (Total:7.45 GB) (Free:7.04 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 7633 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 931 GB 101 MB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 931 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7633 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 7633 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-17 20:10
======================= End Of Log ==========================
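For anyone working through an FRST log like the one above by hand, the following Python script is an added example (not part of the original post, and not code from Farbar or FRST). It pulls out the three things that matter for triage here: the paths FRST lists under its "ZeroAccess:" headers, the system binaries whose MD5 check failed (the `<==== ATTENTION!` lines), and any unsigned executable sitting directly in a user-writable profile folder, which is a heuristic rather than a verdict. The line formats it parses are inferred from the log on this page and are an assumption about FRST's output, not a specification; the embedded sample is a handful of lines copied from the posted log.

```python
"""Triage helper for an FRST (Farbar Recovery Scan Tool) log pasted as plain text.

Added example, not part of the original post or of FRST itself.  The line
formats below are inferred from the log shown on this page; treat them as an
assumption about FRST's output, not a specification of it.
"""
import re
from typing import Dict, List

# Constructed sample: a few lines copied verbatim from the posted log.
SAMPLE_LOG = r"""
============ 3 Months Modified Files ========================
2012-07-25 09:52 - 2012-07-25 09:51 - 00892822 ____A (Farbar) C:\Users\user\Downloads\FRST.exe
2012-07-21 15:04 - 2012-07-21 15:04 - 00311808 ____A C:\Users\user\AppData\Local\fycmy.exe
2012-06-01 20:40 - 2012-07-10 13:18 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
ZeroAccess:
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\@
C:\Windows\Installer\{fcc14dac-34e5-284e-c14d-275d85d6fd01}\U\80000032.@
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
"""

# "modified - created - size attrs (signer) path", as in FRST's file sections.
FILE_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<signer>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# "Bamital & volsnap Check" lines: a clean MD5 verdict, or a hash plus a
# family tag followed by FRST's ATTENTION marker.
HASH_CHECK = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) "
    r"(?:=> MD5 is legit|(?P<md5>[0-9A-Fa-f]{32}) (?P<tag>\S+) <==== ATTENTION)"
)

# Heuristic only (my assumption, not an FRST rule): an executable directly in a
# user-writable profile folder with no signer recorded deserves a second look.
UNSIGNED_PROFILE_EXE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\(?:Local|Roaming)|Downloads)\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def parse_file_entries(log_text: str) -> List[dict]:
    """Return one dict per file line, in the order the lines appear."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def zeroaccess_paths(log_text: str) -> List[str]:
    """Collect every path FRST lists under a 'ZeroAccess:' header."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "ZeroAccess:":
            in_block = True          # a new block may follow the previous one directly
        elif in_block and (not line or line.startswith("=")):
            in_block = False         # blank line or next section header ends the block
        elif in_block:
            paths.append(line)
    return paths


def hash_check_results(log_text: str) -> Dict[str, str]:
    """Map each checked system binary to 'legit' or to the family tag FRST printed."""
    results = {}
    for line in log_text.splitlines():
        m = HASH_CHECK.match(line.strip())
        if m:
            results[m.group("path")] = m.group("tag") or "legit"
    return results


def unsigned_profile_executables(entries: List[dict]) -> List[str]:
    """Apply the UNSIGNED_PROFILE_EXE heuristic to parsed file entries."""
    return [e["path"] for e in entries
            if e["signer"] is None and UNSIGNED_PROFILE_EXE.search(e["path"])]


def triage(log_text: str) -> Dict[str, object]:
    """One-shot summary of the indicators worth acting on in a pasted log."""
    entries = parse_file_entries(log_text)
    checks = hash_check_results(log_text)
    return {
        "zeroaccess_paths": zeroaccess_paths(log_text),
        "tampered_binaries": sorted(p for p, v in checks.items() if v != "legit"),
        "review_executables": unsigned_profile_executables(entries),
        "file_entries": len(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Run it on a saved FRST.txt by replacing `SAMPLE_LOG` with the file's contents. The "review_executables" list is only a prompt to check the file's hash, signature and prevalence; it does not by itself say a file is malicious.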