Solved Need help removing Sirefef, Windows 7 64-bit shuts down in less than 1 min

[mrx64]

I have read several threads on this problem... the posts I have read stated that the removal process was specific to that machine..so I havent tried anything yet.

I hope it is ok that I have not followed the steps in the other tutorals due to the fact that my pc shuts down before the malware or anti virus program can run...

I am on a borrowed laptop so I hope someone can help.

Thanks and I will await further instructions.

 

[Broni]

Welcome aboard

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=======================================

What Windows version is it?

 

[mrx64]

windows 7 home premium 64 bit

 

[Broni]

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

I'll expect two logs:
- FRST.txt
- Search.txt

 

[mrx64]

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 18:04:26
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002
========================== Registry (Whitelisted) =============
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-22] (Alcor Micro Corp.)
HKLM\...\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-05-26] (Egis Technology Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-05-07] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-05-07] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [413208 2010-05-07] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9643552 2009-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)
HKLM\...\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [861216 2010-04-23] (Acer Incorporated)
HKLM\...\Run: [HP LaserJet Professional CM1410 Series Fax] C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe "HP LaserJet Professional CM1410 Series Fax" [3706424 2010-08-24] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k [260608 2010-03-08] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [337264 2010-05-26] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201584 2010-03-10] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-03-10] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [968272 2010-06-22] (Dritek System Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1164584 2010-09-16] ()
HKLM-x32\...\Run: [BCWipeTM Startup] "C:\Program Files (x86)\Jetico\BCWipe\BCWipeTM.exe" startup [x]
HKLM-x32\...\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe [2747744 2011-01-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ToolboxFX] "C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe" /enumn /alertsn /notificationsn /fln /frn /appDatan /tmcpn [58936 2010-10-25] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Mr X\...\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1 [1652736 2010-10-29] (AWS Convergence Technologies, Inc.)
HKU\Mr X\...\Run: [PCShowServer] "C:\Users\Mr X\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe" [351888 2012-04-02] (NDS Technologies)
HKU\Mr X\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe" -autorun [3111744 2012-04-26] (DT Soft Ltd)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.5.1 192.168.5.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Marketsplash Print Software.lnk
ShortcutTarget: Marketsplash Print Software.lnk -> C:\Program Files (x86)\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe (Hewlett-Packard Company)
==================== Services (Whitelisted) ======
3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [517448 2010-11-25] ()
2 avgfws; "C:\Program Files (x86)\AVG\AVG10\avgfws.exe" [3226632 2010-11-22] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [6128720 2011-01-06] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe" [265400 2010-10-22] (AVG Technologies CZ, s.r.o.)
2 BCWipeSvc; C:\Program Files (x86)\Jetico\BCWipe\BCWipeSvc.exe [95544 2010-05-21] (Jetico, Inc.)
2 DsiWMIService; C:\Program Files (x86)\Launch Manager\dsiwmis.exe [321104 2010-06-22] (Dritek System Inc.)
2 GREGService; C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
2 Live Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [255376 2012-04-05] (Acer Incorporated)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-05-26] (Egis Technology Inc.)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 NTI IScheduleSvc; C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [250368 2010-03-08] (NewTech Infosystems, Inc.)
2 Stuffit Archive Name Service; "C:\Program Files (x86)\Smith Micro\StuffIt 2010\ArcNameService.exe" [1916248 2009-10-30] (Smith Micro Software, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2320920 2010-03-03] (Intel Corporation)
========================== Drivers (Whitelisted) =============
1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [57696 2010-07-12] (AVG Technologies CZ, s.r.o.)
3 AVGIDSDriver; C:\Windows\System32\Drivers\AVGIDSDriver.sys [157264 2010-08-03] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\Drivers\AVGIDSEH.sys [27216 2010-09-13] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\Drivers\AVGIDSFilter.sys [35920 2010-08-03] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [308304 2010-12-08] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [41040 2010-09-07] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [382032 2010-11-12] (AVG Technologies CZ, s.r.o.)
4 BCSWAP; C:\Windows\System32\Drivers\BCSWAP.sys [101952 2010-02-08] (Jetico, Inc.)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-05-26] (DT Soft Ltd)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 Ser2ph; C:\Windows\System32\DRIVERS\ser2ph64.sys [89600 2010-07-07] (Prolific Technology Inc.)
3 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [16896 2009-05-05] (NewTech Infosystems Corporation)
4 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [x]

 

[mrx64]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-07-29 14:37 - 2012-07-29 14:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CC22E217DF6E7B49
2012-07-29 14:32 - 2012-07-29 14:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.83BA1B5EAF3610CC
2012-07-29 14:27 - 2012-07-29 14:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.29E9B584FBB67A22
2012-07-29 14:22 - 2012-07-29 14:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C7A544102529D20A
2012-07-29 14:16 - 2012-07-29 14:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7383C796829A7095
2012-07-29 14:11 - 2012-07-29 14:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6636BFA1B7D86E8A
2012-07-29 14:05 - 2012-07-29 14:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B19FACD0A7E05A4C
2012-07-29 13:59 - 2012-07-29 13:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F81D221565F58D17
2012-07-29 13:54 - 2012-07-29 13:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2CCE5DA957065402
2012-07-29 12:48 - 2012-07-29 12:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AB66F481EF9C68AD
2012-07-29 12:48 - 2012-07-29 12:48 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bdoldlkx.sys
2012-07-29 12:27 - 2012-07-29 12:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D746CBF47626180
2012-07-29 11:01 - 2012-07-29 11:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A2D9BA179E396734
2012-07-28 08:15 - 2012-07-28 08:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.38DE6FAC30940F73

 

[mrx64]

2012-07-28 08:04 - 2012-07-28 08:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.172BBD110223368F
2012-07-28 08:04 - 2012-07-28 08:04 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\owcexuyr.sys
2012-07-28 07:59 - 2012-07-28 07:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.405EFD671CB8F251
2012-07-28 07:54 - 2012-07-28 07:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3693B1A7AFED27EC
2012-07-28 07:34 - 2012-07-28 07:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.951346DCDBA872F3
2012-07-27 21:23 - 2012-07-27 21:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C3644D9D734060AE
2012-07-27 21:23 - 2012-07-27 21:23 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\lzruwoyu.sys
2012-07-27 21:20 - 2012-07-27 21:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B3AB8E25AB8B22BB
2012-07-27 21:20 - 2012-07-27 21:20 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\poqmhoeu.sys
2012-07-27 21:16 - 2012-07-27 21:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A905FE176945C27
2012-07-27 21:13 - 2012-07-27 21:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B67B10F0A9A1A0B5
2012-07-27 21:08 - 2012-07-27 21:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5F692F19524C682A
2012-07-27 21:02 - 2012-07-27 21:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0F95EDFB5E96CB6F
2012-07-27 20:56 - 2012-07-27 20:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D26A0ECECB18C9FE
2012-07-27 20:54 - 2012-07-27 20:54 - 00328704 ____A C:\Windows\System32\services.exe.43F88628C866BA16
2012-07-27 20:54 - 2012-07-27 20:54 - 00050392 ____A C:\Windows\System32\Drivers\xpnshgtv.sys
2012-07-27 20:49 - 2012-07-27 20:49 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4977342B3823FD67
2012-07-27 20:40 - 2012-07-27 20:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.92B1301A427864D2
2012-07-27 20:29 - 2012-07-27 20:30 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-27 20:29 - 2012-07-27 20:29 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-27 20:27 - 2012-07-27 20:28 - 12621696 ____A (Microsoft Corporation) C:\Users\Mr X\Downloads\mseinstall(1).exe
2012-07-27 17:15 - 2012-07-27 17:16 - 12621696 ____A (Microsoft Corporation) C:\Users\Mr X\Downloads\mseinstall.exe
2012-07-27 17:00 - 2012-07-27 19:50 - 00000000 ____D C:\Users\All Users\0C1CFAF400090747004EA24F4F147CE7
2012-07-27 10:15 - 2012-07-29 14:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-27 10:15 - 2012-07-27 10:16 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-27 10:15 - 2012-07-27 10:16 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-27 10:15 - 2012-07-27 10:15 - 09821896 ____A (Adobe Systems Incorporated) C:\Users\Mr X\Desktop\install_flash_player.exe
2012-07-27 10:14 - 2012-07-27 10:14 - 09230024 ____A (Adobe Systems Incorporated) C:\Users\Mr X\Desktop\install_flash_player_ax.exe

 

[mrx64]

2012-07-27 09:56 - 2012-07-27 09:56 - 00998720 ____A (Solid State Networks) C:\Users\Mr X\Downloads\install_flashplayer11x32_mssd_aih.exe
2012-07-27 09:54 - 2012-07-27 09:54 - 00686792 ____A (Adobe Systems Incorporated) C:\Users\Mr X\Downloads\uninstall_flash_player.exe
2012-07-27 09:20 - 2012-07-27 09:20 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-27 09:04 - 2012-07-27 19:50 - 00000000 __SHD C:\Users\Mr X\AppData\Roaming\e6c1cdd
2012-07-26 08:53 - 2012-07-26 08:53 - 00000000 ____A C:\Windows\SysWOW64\sho67C2.tmp
2012-07-11 14:27 - 2012-06-11 19:02 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 14:19 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 14:19 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 14:19 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 14:19 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 14:19 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 14:19 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 14:19 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 14:19 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 14:19 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 14:19 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 14:19 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 14:19 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 14:19 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 14:19 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 14:19 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-11 14:19 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-11 14:19 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-11 14:19 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-11 14:19 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-11 14:19 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-11 14:19 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-11 14:19 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-11 14:19 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-11 14:19 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-11 14:19 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-11 14:19 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-11 14:19 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-11 14:19 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-11 03:28 - 2012-06-08 21:30 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 03:28 - 2012-06-08 20:46 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 03:28 - 2012-06-05 21:50 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 03:28 - 2012-06-05 21:50 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 03:28 - 2012-06-05 21:09 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 03:28 - 2012-06-05 21:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 03:26 - 2012-06-01 21:38 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 03:26 - 2012-06-01 21:38 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 03:26 - 2012-06-01 21:37 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 03:26 - 2012-06-01 21:27 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 03:26 - 2012-06-01 21:27 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 03:26 - 2012-06-01 20:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

 

[mrx64]

2012-07-11 03:26 - 2012-06-01 20:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 03:26 - 2012-06-01 20:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-11 03:26 - 2012-06-01 20:42 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-08 11:46 - 2012-07-08 11:46 - 00000000 ____A C:\Windows\SysWOW64\sho57ED.tmp
2012-06-30 06:30 - 2012-06-30 06:30 - 00000000 ____D C:\Users\Mr X\AppData\Local\CRE
============ 3 Months Modified Files ========================
2012-07-29 14:41 - 2010-12-04 14:14 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-29 14:40 - 2012-05-28 11:31 - 00007336 ____A C:\Windows\setupact.log
2012-07-29 14:40 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-29 14:37 - 2012-07-29 14:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CC22E217DF6E7B49
2012-07-29 14:32 - 2012-07-29 14:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.83BA1B5EAF3610CC
2012-07-29 14:27 - 2012-07-29 14:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.29E9B584FBB67A22
2012-07-29 14:22 - 2012-07-29 14:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C7A544102529D20A
2012-07-29 14:16 - 2012-07-29 14:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7383C796829A7095
2012-07-29 14:11 - 2012-07-29 14:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6636BFA1B7D86E8A
2012-07-29 14:08 - 2012-07-27 10:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-29 14:05 - 2012-07-29 14:05 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B19FACD0A7E05A4C
2012-07-29 13:59 - 2012-07-29 13:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F81D221565F58D17
2012-07-29 13:54 - 2012-07-29 13:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.2CCE5DA957065402
2012-07-29 12:48 - 2012-07-29 12:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AB66F481EF9C68AD
2012-07-29 12:48 - 2012-07-29 12:48 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bdoldlkx.sys
2012-07-29 12:47 - 2010-12-04 14:14 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-29 12:31 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-29 12:27 - 2012-07-29 12:27 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3D746CBF47626180
2012-07-29 12:27 - 2009-07-13 21:13 - 00783418 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-29 11:01 - 2012-07-29 11:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A2D9BA179E396734
2012-07-28 08:15 - 2012-07-28 08:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.38DE6FAC30940F73
2012-07-28 08:15 - 2012-07-28 08:15 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\myrxmvxi.sys
2012-07-28 08:12 - 2009-07-13 20:45 - 00015360 _____ C:\Windows\System32\umstartup.etl
2012-07-28 08:04 - 2012-07-28 08:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.172BBD110223368F
2012-07-28 08:04 - 2012-07-28 08:04 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\owcexuyr.sys
2012-07-28 07:59 - 2012-07-28 07:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.405EFD671CB8F251
2012-07-28 07:54 - 2012-07-28 07:54 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3693B1A7AFED27EC
2012-07-28 07:34 - 2012-07-28 07:34 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.951346DCDBA872F3
2012-07-27 21:23 - 2012-07-27 21:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C3644D9D734060AE
2012-07-27 21:23 - 2012-07-27 21:23 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\lzruwoyu.sys
2012-07-27 21:20 - 2012-07-27 21:20 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B3AB8E25AB8B22BB
2012-07-27 21:20 - 2012-07-27 21:20 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\poqmhoeu.sys
2012-07-27 21:16 - 2012-07-27 21:16 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4A905FE176945C27
2012-07-27 21:13 - 2012-07-27 21:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B67B10F0A9A1A0B5
2012-07-27 21:08 - 2012-07-27 21:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5F692F19524C682A
2012-07-27 21:02 - 2012-07-27 21:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0F95EDFB5E96CB6F
2012-07-27 20:56 - 2012-07-27 20:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D26A0ECECB18C9FE
2012-07-27 20:54 - 2012-07-27 20:54 - 00328704 ____A C:\Windows\System32\services.exe.43F88628C866BA16
2012-07-27 20:54 - 2012-07-27 20:54 - 00050392 ____A C:\Windows\System32\Drivers\xpnshgtv.sys
2012-07-27 20:49 - 2012-07-27 20:49 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4977342B3823FD67
2012-07-27 20:40 - 2012-07-27 20:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.92B1301A427864D2
2012-07-27 20:32 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-27 20:32 - 2009-07-13 20:45 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-27 20:31 - 2010-09-18 07:06 - 01678095 ____A C:\Windows\WindowsUpdate.log
2012-07-27 20:30 - 2012-03-09 06:30 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-27 20:30 - 2010-12-18 13:37 - 00797568 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-27 20:28 - 2012-07-27 20:27 - 12621696 ____A (Microsoft Corporation) C:\Users\Mr X\Downloads\mseinstall(1).exe
2012-07-27 19:51 - 2010-07-14 14:44 - 00034202 ____A C:\Windows\PFRO.log
2012-07-27 18:19 - 2011-11-19 19:20 - 00588800 __ASH C:\Users\Mr X\Desktop\Thumbs.db
2012-07-27 17:16 - 2012-07-27 17:15 - 12621696 ____A (Microsoft Corporation) C:\Users\Mr X\Downloads\mseinstall.exe
2012-07-27 10:16 - 2012-07-27 10:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-27 10:16 - 2012-07-27 10:15 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-27 10:15 - 2012-07-27 10:15 - 09821896 ____A (Adobe Systems Incorporated) C:\Users\Mr X\Desktop\install_flash_player.exe
2012-07-27 10:14 - 2012-07-27 10:14 - 09230024 ____A (Adobe Systems Incorporated) C:\Users\Mr X\Desktop\install_flash_player_ax.exe
2012-07-27 09:56 - 2012-07-27 09:56 - 00998720 ____A (Solid State Networks) C:\Users\Mr X\Downloads\install_flashplayer11x32_mssd_aih.exe
2012-07-27 09:54 - 2012-07-27 09:54 - 00686792 ____A (Adobe Systems Incorporated) C:\Users\Mr X\Downloads\uninstall_flash_player.exe
2012-07-27 00:41 - 2012-07-26 21:47 - 281693356 ____A C:\Users\Mr X\Downloads\Suits.S02E06.All.In.HDTV.x264-FQM.[VTV].mp4
2012-07-26 23:00 - 2012-07-26 21:53 - 283953378 ____A C:\Users\Mr X\Downloads\Warehouse.13.S04E01.A.New.Hope.HDTV.x264-FQM.[VTV].mp4
2012-07-26 22:34 - 2012-07-26 21:07 - 388545602 ____A C:\Users\Mr X\Downloads\Burn.Notice.S06E06.Shockwave.HDTV.x264-FQM.[VTV].mp4
2012-07-26 21:45 - 2012-07-26 21:04 - 469583008 ____A C:\Users\Mr X\Downloads\Line.Of.Duty.1x05.HDTV.x264-FoV.mp4
2012-07-26 08:53 - 2012-07-26 08:53 - 00000000 ____A C:\Windows\SysWOW64\sho67C2.tmp

 

[mrx64]

2012-07-11 15:02 - 2009-07-13 20:45 - 00273288 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 14:20 - 2010-12-05 19:51 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-08 11:46 - 2012-07-08 11:46 - 00000000 ____A C:\Windows\SysWOW64\sho57ED.tmp
2012-07-03 10:46 - 2011-04-12 14:16 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-11 19:02 - 2012-07-11 14:27 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-11 18:28 - 2012-06-11 18:28 - 00000013 ____A C:\Users\Mr X\Desktop\mini_form_state.txt
2012-06-08 21:30 - 2012-07-11 03:28 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:46 - 2012-07-11 03:28 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-08 15:26 - 2012-06-08 15:26 - 00000713 ____A C:\Users\Public\Desktop\FarmVilleBot Lite.lnk
2012-06-08 15:26 - 2012-06-08 15:26 - 00000688 ____A C:\Users\Public\Desktop\FarmVilleBot.lnk
2012-06-05 21:50 - 2012-07-11 03:28 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:50 - 2012-07-11 03:28 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:09 - 2012-07-11 03:28 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:09 - 2012-07-11 03:28 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2012-06-02 14:19 - 2012-06-21 05:36 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 05:36 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 05:36 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 05:36 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 05:36 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 05:36 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-21 05:35 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-21 05:35 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 14:19 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 14:19 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 14:19 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 14:19 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 14:19 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 14:19 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 14:19 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 14:19 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 14:19 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 14:19 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 14:19 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 14:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 14:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 14:19 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 14:19 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 14:19 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 14:19 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 14:19 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 14:19 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 14:19 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

 

[mrx64]

2012-06-02 00:21 - 2012-07-11 14:19 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 14:19 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 14:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 14:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 14:19 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 14:19 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 14:19 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:38 - 2012-07-11 03:26 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:38 - 2012-07-11 03:26 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:37 - 2012-07-11 03:26 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:27 - 2012-07-11 03:26 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:27 - 2012-07-11 03:26 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:48 - 2012-07-11 03:26 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:48 - 2012-07-11 03:26 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:47 - 2012-07-11 03:26 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:42 - 2012-07-11 03:26 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 09:02 - 2012-05-31 09:02 - 01203712 ____A () C:\Users\Mr X\Desktop\farmvillebot_lite.exe
2012-05-28 11:31 - 2012-05-28 11:31 - 00000000 ____A C:\Windows\setuperr.log
2012-05-26 18:55 - 2012-05-26 18:55 - 00001936 ____A C:\Users\Public\Desktop\DAEMON Tools Pro.lnk
2012-05-26 18:53 - 2012-05-26 18:53 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys

 

[mrx64]

2012-05-04 02:52 - 2012-06-13 04:01 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:08 - 2012-06-13 04:01 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:08 - 2012-06-13 04:01 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-01 21:32 - 2012-06-13 04:01 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
ZeroAccess:
C:\Windows\Installer\{db66d41c-2505-6c1d-f018-be2ca12caea7}
C:\Windows\Installer\{db66d41c-2505-6c1d-f018-be2ca12caea7}\@
C:\Windows\Installer\{db66d41c-2505-6c1d-f018-be2ca12caea7}\L
C:\Windows\Installer\{db66d41c-2505-6c1d-f018-be2ca12caea7}\U
C:\Windows\Installer\{db66d41c-2505-6c1d-f018-be2ca12caea7}\U\00000001.@
ZeroAccess:
C:\Users\Mr X\AppData\Local\{db66d41c-2505-6c1d-f018-be2ca12caea7}
C:\Users\Mr X\AppData\Local\{db66d41c-2505-6c1d-f018-be2ca12caea7}\@
C:\Users\Mr X\AppData\Local\{db66d41c-2505-6c1d-f018-be2ca12caea7}\L
C:\Users\Mr X\AppData\Local\{db66d41c-2505-6c1d-f018-be2ca12caea7}\U
C:\Users\Mr X\AppData\Local\{db66d41c-2505-6c1d-f018-be2ca12caea7}\U\00000001.@
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 19%
Total physical RAM: 3764.5 MB
Available physical RAM: 3026.33 MB
Total Pagefile: 3762.64 MB
Available Pagefile: 3032.95 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: (ACER) (Fixed) (Total:284.32 GB) (Free:26.4 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:13.67 GB) (Free:0.63 GB) NTFS
4 Drive g: () (Removable) (Total:0.96 GB) (Free:0.46 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 995 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 13 GB 1024 KB
Partition 2 Primary 100 MB 13 GB
Partition 3 Primary 284 GB 13 GB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 13 GB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C ACER NTFS Partition 284 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 988 MB 31 KB
==================================================================================
Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT Removable 988 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-18 17:48
======================= End Of Log ==========================

 

[mrx64]

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-29 18:08:44
Running from G:\
================== Search: "SERVICES.EXE" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-07-29 12:31] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======

 

[Broni]

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next....

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

• Double-click on the Rkill icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[mrx64]

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-29 19:53:01 Run:1
Running from G:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\System32\services.exe.CC22E217DF6E7B49 moved successfully.
C:\Windows\System32\services.exe.83BA1B5EAF3610CC moved successfully.
C:\Windows\System32\services.exe.29E9B584FBB67A22 moved successfully.
C:\Windows\System32\services.exe.C7A544102529D20A moved successfully.
C:\Windows\System32\services.exe.7383C796829A7095 moved successfully.
C:\Windows\System32\services.exe.6636BFA1B7D86E8A moved successfully.
C:\Windows\System32\services.exe.B19FACD0A7E05A4C moved successfully.
C:\Windows\System32\services.exe.F81D221565F58D17 moved successfully.
C:\Windows\System32\services.exe.2CCE5DA957065402 moved successfully.
C:\Windows\System32\services.exe.AB66F481EF9C68AD moved successfully.
C:\Windows\System32\Drivers\bdoldlkx.sys moved successfully.
C:\Windows\System32\services.exe.3D746CBF47626180 moved successfully.
C:\Windows\System32\services.exe.A2D9BA179E396734 moved successfully.
C:\Windows\System32\services.exe.38DE6FAC30940F73 moved successfully.
C:\Windows\System32\services.exe.172BBD110223368F moved successfully.
C:\Windows\System32\Drivers\owcexuyr.sys moved successfully.
C:\Windows\System32\services.exe.405EFD671CB8F251 moved successfully.
C:\Windows\System32\services.exe.3693B1A7AFED27EC moved successfully.
C:\Windows\System32\services.exe.951346DCDBA872F3 moved successfully.
C:\Windows\System32\services.exe.C3644D9D734060AE moved successfully.
C:\Windows\System32\Drivers\lzruwoyu.sys moved successfully.
C:\Windows\System32\services.exe.B3AB8E25AB8B22BB moved successfully.
C:\Windows\System32\Drivers\poqmhoeu.sys moved successfully.
C:\Windows\System32\services.exe.4A905FE176945C27 moved successfully.
C:\Windows\System32\services.exe.B67B10F0A9A1A0B5 moved successfully.
C:\Windows\System32\services.exe.5F692F19524C682A moved successfully.
C:\Windows\System32\services.exe.0F95EDFB5E96CB6F moved successfully.
C:\Windows\System32\services.exe.D26A0ECECB18C9FE moved successfully.
C:\Windows\System32\services.exe.43F88628C866BA16 moved successfully.
C:\Windows\System32\Drivers\xpnshgtv.sys moved successfully.
C:\Windows\System32\services.exe.4977342B3823FD67 moved successfully.
C:\Windows\System32\services.exe.92B1301A427864D2 moved successfully.
C:\Windows\SysWOW64\sho57ED.tmp moved successfully.
C:\Windows\Installer\{db66d41c-2505-6c1d-f018-be2ca12caea7} moved successfully.
C:\Users\Mr X\AppData\Local\{db66d41c-2505-6c1d-f018-be2ca12caea7} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====

 

[mrx64]

Ok to continue on with the other steps?

 

[Broni]

Yes. you don't have to ask

 

[mrx64]

combofix seems to have stalled...it says preparing log report and do not run any progs until it has finished...the weather bug gadget popped up and I clicked to close it but it all seems stalled?
do I need to re run?

 

[Broni]

If computer clock is running be patient.

 

[mrx64]

this is a stupid question I am sure... but how do you tell if the clock is running? all I see is the "waiting" cursor going in a circle

 

[Broni]

Don't you have a clock in the lower right corner of your screen?

 

[mrx64]

yes but the tool bar is locked and will not come up...the gadget on the desk top is still running...

 

[Broni]

Restart computer manually to safe mode and try again.

 

[mrx64]

ok.. so I restarted manually in safe mode..combofix ran... restarted pc... box pops up saying preparing report... do not run progs until combofix has finished... but it has been setting there over 10 min...clock is still running...?

 

[Broni]

Leave it on overnight.