Solved Win64/Sirefef.A infection

despe666

Hello, I have a Sirefef.A infection; the MS malware scanner detects it but can't fix it. I have run a scan and a search for services.exe in FRST64, as explained in many threads, and here are the scan and search results.

Thanks for your help.

============

Scan result of Farbar Recovery Scan Tool Version: 28-06-2012 02
Ran by SYSTEM at 29-06-2012 09:23:14
Running from I:\
Windows Server 2008 R2 Enterprise Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [WinSSHD Activation State Checker] "C:\Program Files (x86)\Bitvise WinSSHD\WinsshdActStateCheck.exe" [247464 2012-05-02] (Bitvise)
HKU\Administrator\...\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-27] (Google Inc.)
HKU\Administrator\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
Tcpip\..\Interfaces\{48C7F69C-AFE4-4CC3-A175-8A61947366DD}: [NameServer]207.164.234.129,207.164.234.193
Lsa: [Authentication Packages] msv1_0
vdspka10
Lsa: [Notification Packages] scecli
rassfm

==================== Services (Whitelisted) ======

2 AppHostSvc; C:\Windows\SysWow64\inetsrv\apphostsvc.dll [61440 2010-11-20] (Microsoft Corporation)
3 FCRegSvc; C:\Windows\System32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
2 FileMaker Server; "C:\Program Files (x86)\FileMaker\FileMaker Server\Database Server\fmshelper.exe" [225096 2010-06-02] (FileMaker, Inc.)
3 RSoPProv; C:\Windows\System32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
3 sacsvr; C:\Windows\System32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
3 WAS; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 WinSSHD; "C:\Program Files (x86)\Bitvise WinSSHD\WinSSHD.exe" [5755088 2012-05-02] (Bitvise)
2 WinVNC4; "C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service [2360048 2011-08-18] (RealVNC Ltd)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

========================== Drivers (Whitelisted) =============

3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
3 MRxDAV; C:\Windows\SysWow64\Drivers\MRxDAV.sys [115712 2010-11-20] (Microsoft Corporation)
0 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
1 skzbcqnm; C:\Windows\System32\Drivers\skzbcqnm.sys [50392 2012-06-28] (Microsoft Corporation)
3 storvsp; C:\Windows\System32\Drivers\storvsp.sys [120320 2011-12-01] (Microsoft Corporation)
3 Vid; C:\Windows\System32\Drivers\Vid.sys [181760 2010-11-20] (Microsoft Corporation)
3 vncmirror; C:\Windows\System32\Drivers\vncmirror.sys [4608 2011-08-18] (RealVNC Ltd.)

========================== NetSvcs (Whitelisted) ===========

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

============ One Month Created Files and Folders ==============

2012-06-28 09:54 - 2012-06-28 09:54 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\skzbcqnm.sys
2012-06-28 09:54 - 2012-06-28 09:54 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-06-28 08:39 - 2012-06-28 08:39 - 00000000 ____D C:\Program Files (x86)\WinSCP
2012-06-28 08:38 - 2012-06-28 08:38 - 03390816 ____A (Martin Prikryl ) C:\Users\Administrator\Downloads\winscp438setup-sponsored.exe
2012-06-28 08:37 - 2008-11-27 12:05 - 00002719 ____A C:\Users\Administrator\Documents\ML.ppk
2012-06-28 07:02 - 2012-06-28 07:02 - 00000000 ____D C:\Program Files\ESET
2012-06-28 07:01 - 2012-06-28 07:01 - 01018311 ____A
2012-06-28 06:47 - 2012-06-28 06:48 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-28 06:47 - 2012-06-28 06:48 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-28 06:46 - 2012-06-28 06:46 - 16409960 ____A (Safer Networking Limited ) C:\Users\Administrator\Downloads\spybotsd162.exe
2012-06-28 06:40 - 2012-06-28 06:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D518A6B492EF0B01
2012-06-28 06:22 - 2012-06-28 06:22 - 00000000 ____D C:\WINSSLog
2012-06-28 06:21 - 2012-06-28 06:21 - 00756776 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\OneCareCleanup.exe
2012-06-28 06:18 - 2012-06-28 06:18 - 00689664 ____A C:\Users\Administrator\Downloads\MicrosoftFixit50202.msi
2012-06-28 06:12 - 2012-06-28 06:25 - 00000000 ____D C:\Windows\System32\FxsTmp
2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\FxsTmp
2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\clients
2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\addins
2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-28 06:05 - 2012-04-04 11:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 06:04 - 2012-06-28 06:04 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-28 06:02 - 2012-06-28 06:04 - 71499296 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\msert.exe
2012-06-28 05:14 - 2012-06-28 05:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-28 05:14 - 2012-06-28 05:14 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-28 05:14 - 2012-06-28 05:14 - 00000000 ____D C:\Windows\System32\Macromed
2012-06-27 20:44 - 2012-06-27 20:44 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2012-06-13 23:02 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 23:02 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 23:02 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 23:02 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 23:02 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 23:02 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 23:02 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 23:02 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 23:02 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 23:02 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 23:02 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 23:02 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 23:02 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 23:02 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 23:02 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 23:02 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 23:02 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 23:02 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 23:02 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 23:02 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 23:02 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 23:02 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 23:02 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 23:02 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 23:02 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 23:02 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 23:02 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 23:02 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-13 13:44 - 2012-05-14 17:32 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-13 13:44 - 2012-05-04 03:06 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-13 13:44 - 2012-05-04 02:03 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-06-13 13:44 - 2012-05-04 02:03 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-06-13 13:44 - 2012-04-27 19:55 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-13 13:44 - 2012-04-25 21:41 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-13 13:44 - 2012-04-25 21:41 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-13 13:44 - 2012-04-25 21:34 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-13 07:23 - 2012-06-13 07:23 - 00000000 ___AH C:\Users\mil\Documents\Default.rdp
2012-06-08 17:25 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-08 17:25 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-08 17:25 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-08 17:25 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-08 17:25 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-08 17:25 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-08 17:25 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-08 17:25 - 2012-06-02 11:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-08 17:25 - 2012-06-02 11:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-06 23:00 - 2012-06-06 23:00 - 00290864 ____A C:\Windows\msxml4-KB954430-enu.LOG
2012-06-06 23:00 - 2012-06-06 23:00 - 00288246 ____A C:\Windows\msxml4-KB973688-enu.LOG
2012-06-06 23:00 - 2012-06-06 23:00 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
2012-06-05 16:20 - 2012-06-05 16:20 - 00001488 ____A C:\Users\mil\Desktop\steve.ppk
2012-06-05 09:46 - 2012-06-05 09:46 - 00000101 ____A C:\Users\Administrator\AppData\Local\fusioncache.dat
2012-06-05 09:46 - 2012-06-05 09:46 - 00000000 ____A C:\Windows\regset.INI
2012-06-05 09:38 - 2012-06-05 09:38 - 00000000 ____D C:\MetaStock Data
2012-06-05 09:38 - 2006-04-06 05:28 - 00671835 ____A (Equis International) C:\Windows\SysWOW64\OLVI92.dll
2012-06-05 09:38 - 2006-04-06 05:20 - 00036864 ____A (Equis International) C:\Windows\SysWOW64\EqCCWrapper.dll
2012-06-05 09:38 - 2006-04-06 05:15 - 00204872 ____A (Equis International) C:\Windows\SysWOW64\msfl92.dll
2012-06-05 09:38 - 2006-04-06 04:59 - 00217166 ____A (Equis International) C:\Windows\SysWOW64\EqNotify.dll
2012-06-05 09:38 - 2006-04-06 04:30 - 00207360 ____A (LEAD Technologies, Inc.) C:\Windows\SysWOW64\LTKRN61N.DLL
2012-06-05 09:38 - 2006-04-06 04:30 - 00158720 ____A C:\Windows\SysWOW64\LFCMP61N.DLL
2012-06-05 09:38 - 2006-04-06 04:30 - 00110080 ____A C:\Windows\SysWOW64\Lfpng61n.dll
2012-06-05 09:38 - 2006-04-06 04:30 - 00043008 ____A C:\Windows\SysWOW64\LTFIL61N.DLL
2012-06-05 09:38 - 2002-02-27 23:03 - 02586112 ____N (Steema Software SL) C:\Windows\SysWOW64\TeeChart5.ocx
2012-06-05 09:38 - 2002-02-03 23:43 - 00044544 ____N (Microsoft Corporation) C:\Windows\SysWOW64\msxml4a.dll
2012-06-05 09:38 - 1999-12-02 15:26 - 00030720 ____N (Forefront, Incorporated) C:\Windows\SysWOW64\ffJmpWeb.dll
2012-06-05 09:38 - 1999-04-15 11:58 - 00017920 ____N C:\Windows\SysWOW64\IMPLODE.DLL
2012-06-05 09:38 - 1998-12-17 06:30 - 00164864 ____N C:\Windows\SysWOW64\patchw32.dll
2012-06-05 09:38 - 1998-12-10 14:00 - 00519680 ____N (FarPoint Technologies, Inc.) C:\Windows\SysWOW64\SS32D25.DLL
2012-06-05 09:38 - 1998-05-07 11:01 - 00028160 ____N (Equis International) C:\Windows\SysWOW64\MetaStockShellExtension.dll
2012-06-05 09:38 - 1996-09-12 13:18 - 00017920 ____N C:\Windows\SysWOW64\MSWTHK32.DLL
2012-06-05 09:38 - 1996-09-12 13:18 - 00003360 ____N C:\Windows\SysWOW64\MSWTHK16.DLL
2012-06-05 09:32 - 2012-06-05 09:38 - 00000000 ____D C:\Program Files (x86)\Equis
2012-06-05 09:32 - 2012-06-05 09:32 - 00002032 ____A C:\Users\Public\Desktop\QuoteCenter.lnk
2012-06-05 09:32 - 1998-10-02 16:00 - 00327168 ____A (InstallShield Software Corporation) C:\Windows\IsUninst.exe
2012-06-05 09:24 - 2012-06-05 09:30 - 254958592 ____A C:\Users\Administrator\Downloads\MSQuoteCenter92ProBundle.exe
2012-06-05 08:39 - 2012-06-05 08:39 - 00000000 ____D C:\Users\574311\AppData\Local\Reuters
2012-06-05 08:20 - 2012-06-13 07:08 - 00000600 ____A C:\Users\mil\AppData\Local\PUTTY.RND
2012-06-05 08:14 - 2012-06-05 08:14 - 00001482 ____A C:\Users\mil\Desktop\mil.ppk
2012-06-05 06:47 - 2012-06-05 06:47 - 00109648 ____A C:\Users\nova\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-05 06:46 - 2012-06-05 06:46 - 00000020 ___SH C:\Users\nova\ntuser.ini
2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\Users\nova\AppData\Local\VirtualStore
2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\users\nova
2012-06-04 05:54 - 2012-06-04 05:54 - 00002591 ____A C:\Users\Administrator\Downloads\admin_console_webstart.jnlp
2012-06-04 05:22 - 2012-06-04 05:22 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FileMaker Pro Advanced
2012-06-04 05:18 - 2012-06-04 05:18 - 00000000 ____D C:\Users\Administrator\AppData\Local\FileMaker
2012-06-04 05:17 - 2012-06-04 05:17 - 00000000 ____D C:\Users\Administrator\Downloads\FMaker base 120601
2012-06-04 05:15 - 2012-06-04 05:15 - 05272019 ____A C:\Users\Administrator\Downloads\FMaker base 120601.rar


============ 3 Months Modified Files and Folders =============

2012-06-29 09:23 - 2012-06-29 09:23 - 00000000 ____D C:\FRST
2012-06-29 05:16 - 2012-04-27 21:02 - 01648170 ____A C:\Windows\WindowsUpdate.log
2012-06-29 04:55 - 2012-04-27 22:50 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963425265-891932126-2020456833-500UA.job
2012-06-28 22:55 - 2012-04-27 22:50 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-963425265-891932126-2020456833-500Core.job
2012-06-28 12:12 - 2012-05-28 09:09 - 00000600 ____A C:\Users\Administrator\AppData\Roaming\winscp.rnd
2012-06-28 12:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-06-28 09:54 - 2012-06-28 09:54 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\skzbcqnm.sys
2012-06-28 09:54 - 2012-06-28 09:54 - 00000000 ____D C:\Windows\System32\MpEngineStore
2012-06-28 08:39 - 2012-06-28 08:39 - 00000000 ____D C:\Program Files (x86)\WinSCP
2012-06-28 08:38 - 2012-06-28 08:38 - 03390816 ____A (Martin Prikryl ) C:\Users\Administrator\Downloads\winscp438setup-sponsored.exe
2012-06-28 07:09 - 2012-06-28 06:47 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-06-28 07:02 - 2012-06-28 07:02 - 00000000 ____D C:\Program Files\ESET
2012-06-28 06:48 - 2012-06-28 06:47 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-06-28 06:48 - 2009-07-13 21:10 - 00831824 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-28 06:47 - 2009-07-13 20:49 - 00025056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-28 06:47 - 2009-07-13 20:49 - 00025056 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-28 06:46 - 2012-06-28 06:46 - 16409960 ____A (Safer Networking Limited ) C:\Users\Administrator\Downloads\spybotsd162.exe
2012-06-28 06:44 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv
2012-06-28 06:42 - 2012-05-02 08:44 - 00000266 ____A C:\Windows\Tasks\AutoKMS.job
2012-06-28 06:41 - 2009-07-13 21:06 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-28 06:40 - 2012-06-28 06:40 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D518A6B492EF0B01
2012-06-28 06:25 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\System32\FxsTmp
2012-06-28 06:25 - 2010-11-20 19:47 - 00010984 ____A C:\Windows\PFRO.log
2012-06-28 06:22 - 2012-06-28 06:22 - 00000000 ____D C:\WINSSLog
2012-06-28 06:21 - 2012-06-28 06:21 - 00756776 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\OneCareCleanup.exe
2012-06-28 06:18 - 2012-06-28 06:18 - 00689664 ____A C:\Users\Administrator\Downloads\MicrosoftFixit50202.msi
2012-06-28 06:16 - 2011-12-07 05:28 - 00840662 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\FxsTmp
2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\SysWOW64\clients
2012-06-28 06:12 - 2012-06-28 06:12 - 00000000 ____D C:\Windows\addins
2012-06-28 06:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2012-06-28 06:05 - 2012-06-28 06:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-28 06:04 - 2012-06-28 06:04 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-28 06:04 - 2012-06-28 06:02 - 71499296 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\msert.exe
2012-06-28 05:58 - 2012-04-28 08:34 - 00002170 ____A C:\Windows\epplauncher.mif
2012-06-28 05:53 - 2009-07-13 21:07 - 00000000 ____D C:\Windows\System32\ServerManager
2012-06-28 05:14 - 2012-06-28 05:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-28 05:14 - 2012-06-28 05:14 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-28 05:14 - 2012-06-28 05:14 - 00000000 ____D C:\Windows\System32\Macromed
2012-06-27 20:44 - 2012-06-27 20:44 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2012-06-27 04:13 - 2012-05-29 04:06 - 00000000 ____D C:\ua
2012-06-15 08:57 - 2012-05-24 11:09 - 00002002 ___AH C:\Users\Administrator\Documents\Default.rdp
2012-06-13 23:23 - 2009-07-13 20:49 - 00408248 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 23:03 - 2011-12-07 03:41 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-13 07:44 - 2009-07-13 19:20 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2012-06-13 07:23 - 2012-06-13 07:23 - 00000000 ___AH C:\Users\mil\Documents\Default.rdp
2012-06-13 07:08 - 2012-06-05 08:20 - 00000600 ____A C:\Users\mil\AppData\Local\PUTTY.RND
2012-06-12 05:17 - 2012-04-27 22:50 - 00002334 ____A C:\Users\Administrator\Desktop\Google Chrome.lnk
2012-06-06 23:00 - 2012-06-06 23:00 - 00290864 ____A C:\Windows\msxml4-KB954430-enu.LOG
2012-06-06 23:00 - 2012-06-06 23:00 - 00288246 ____A C:\Windows\msxml4-KB973688-enu.LOG
2012-06-06 23:00 - 2012-06-06 23:00 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
2012-06-06 17:57 - 2012-05-28 12:27 - 00000284 ____A C:\Windows\ODBC.INI
2012-06-05 16:20 - 2012-06-05 16:20 - 00001488 ____A C:\Users\mil\Desktop\steve.ppk
2012-06-05 13:22 - 2012-05-28 12:04 - 00000000 ____D C:\Users\574311\AppData\Local\VirtualStore
2012-06-05 09:46 - 2012-06-05 09:46 - 00000101 ____A C:\Users\Administrator\AppData\Local\fusioncache.dat
2012-06-05 09:46 - 2012-06-05 09:46 - 00000000 ____A C:\Windows\regset.INI
2012-06-05 09:38 - 2012-06-05 09:38 - 00000000 ____D C:\MetaStock Data
2012-06-05 09:38 - 2012-06-05 09:32 - 00000000 ____D C:\Program Files (x86)\Equis
2012-06-05 09:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Registration
2012-06-05 09:32 - 2012-06-05 09:32 - 00002032 ____A C:\Users\Public\Desktop\QuoteCenter.lnk
2012-06-05 09:30 - 2012-06-05 09:24 - 254958592 ____A C:\Users\Administrator\Downloads\MSQuoteCenter92ProBundle.exe
2012-06-05 08:39 - 2012-06-05 08:39 - 00000000 ____D C:\Users\574311\AppData\Local\Reuters
2012-06-05 08:14 - 2012-06-05 08:14 - 00001482 ____A C:\Users\mil\Desktop\mil.ppk
2012-06-05 06:47 - 2012-06-05 06:47 - 00109648 ____A C:\Users\nova\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-05 06:46 - 2012-06-05 06:46 - 00000020 ___SH C:\Users\nova\ntuser.ini
2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\Users\nova\AppData\Local\VirtualStore
2012-06-05 06:46 - 2012-06-05 06:46 - 00000000 ____D C:\users\nova
2012-06-04 05:54 - 2012-06-04 05:54 - 00002591 ____A C:\Users\Administrator\Downloads\admin_console_webstart.jnlp
2012-06-04 05:22 - 2012-06-04 05:22 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FileMaker Pro Advanced
2012-06-04 05:18 - 2012-06-04 05:18 - 00000000 ____D C:\Users\Administrator\AppData\Local\FileMaker
2012-06-04 05:17 - 2012-06-04 05:17 - 00000000 ____D C:\Users\Administrator\Downloads\FMaker base 120601
2012-06-04 05:15 - 2012-06-04 05:15 - 05272019 ____A C:\Users\Administrator\Downloads\FMaker base 120601.rar
2012-06-02 14:19 - 2012-06-08 17:25 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 17:25 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 17:25 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 17:25 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 17:25 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-08 17:25 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-08 17:25 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-08 17:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-08 17:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-31 12:14 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Windows\CSC
2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files\Windows Portable Devices
2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files\Windows Defender
2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2012-05-29 23:16 - 2012-05-29 23:16 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2012-05-29 23:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system
2012-05-29 23:16 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2012-05-29 06:12 - 2012-05-29 06:12 - 00000000 ____D C:\Users\mil\.swiskeyexecution
2012-05-29 06:12 - 2012-05-29 04:28 - 00000000 ____D C:\users\mil
2012-05-29 06:08 - 2012-05-29 06:08 - 00001542 ____A C:\Users\mil\Desktop\certif.pfx
2012-05-29 05:51 - 2012-05-29 05:51 - 00000000 ____D C:\Users\Administrator\.swiskeyexecution
2012-05-29 05:51 - 2012-04-27 21:01 - 00000000 ____D C:\users\Administrator
2012-05-29 05:46 - 2012-05-29 05:46 - 00002191 ____A C:\Users\Public\Desktop\SwisKey Execution Launcher 1.0.3.lnk
2012-05-29 05:46 - 2012-05-29 05:46 - 00000000 ____D C:\Program Files (x86)\SwisKey Execution (EXTERNAL)
2012-05-29 05:20 - 2012-05-29 05:20 - 00000000 ____A C:\Users\mil\Desktop\SKELauncher_exe.zc8itrk.partial
2012-05-29 04:28 - 2012-05-29 04:28 - 00109648 ____A C:\Users\mil\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-29 04:28 - 2012-05-29 04:28 - 00000020 ___SH C:\Users\mil\ntuser.ini
2012-05-29 04:28 - 2012-05-29 04:28 - 00000000 ____D C:\Users\mil\AppData\Local\VirtualStore
2012-05-29 04:16 - 2012-05-29 04:16 - 00001650 ____A C:\Users\Administrator\Desktop\CSI EZ Downloader.lnk
2012-05-29 04:16 - 2012-05-29 04:16 - 00001645 ____A C:\Users\Administrator\Desktop\CSI Position Manager.lnk
2012-05-29 04:16 - 2012-05-29 04:16 - 00001601 ____A C:\Users\Administrator\Desktop\Launch UA.lnk
2012-05-29 04:16 - 2012-05-29 04:06 - 00011894 ____A C:\Windows\SysWOW64\uainstalldll.log
2012-05-29 04:06 - 2012-05-29 04:06 - 00000029 ____A C:\Windows\ua.ini
2012-05-28 16:41 - 2012-05-28 15:15 - 2020993004 ____A C:\Users\Administrator\Downloads\Ua2107SCO.exe
2012-05-28 12:04 - 2012-05-28 12:04 - 00109648 ____A C:\Users\574311\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-28 12:04 - 2012-05-28 12:04 - 00000020 ___SH C:\Users\574311\ntuser.ini
2012-05-28 12:04 - 2012-05-28 12:04 - 00000000 ____D C:\users\574311
2012-05-28 09:08 - 2012-05-28 09:08 - 03401768 ____A (Martin Prikryl ) C:\Users\Administrator\Downloads\winscp507setup.exe
2012-05-27 18:04 - 2012-05-27 18:04 - 00000000 ____D C:\Users\Administrator\Desktop\Clés Award
2012-05-17 18:47 - 2012-06-13 23:02 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 23:02 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 23:02 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 23:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 23:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 23:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 23:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 23:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 23:02 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 23:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 23:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 23:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 23:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 23:02 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 23:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 23:02 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 23:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 23:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 23:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 23:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 23:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 23:02 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 23:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 23:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 23:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 23:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-16 21:10 - 2012-05-16 21:10 - 00000020 __ASH C:\Users\Classic .NET AppPool\ntuser.ini
2012-05-16 21:10 - 2012-05-16 21:10 - 00000000 ____D C:\users\Classic .NET AppPool
2012-05-16 21:10 - 2012-05-16 21:09 - 00082771 ____A C:\Windows\iis7.log
2012-05-16 21:08 - 2012-05-16 21:08 - 00000000 ____D C:\Windows\SysWOW64\BestPractices
2012-05-16 21:08 - 2012-05-16 21:08 - 00000000 ____D C:\inetpub
2012-05-16 21:08 - 2010-11-20 21:45 - 00000000 ____D C:\Windows\System32\0409
2012-05-16 21:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
2012-05-16 20:52 - 2012-05-16 20:52 - 00000020 ___SH C:\Users\WinSSHD_VirtualUsers\ntuser.ini
2012-05-16 20:48 - 2012-05-16 20:49 - 00000814 ____A C:\Users\Administrator\Desktop\MLPub
2012-05-16 20:46 - 2012-05-16 20:46 - 00000000 ____D C:\Program Files (x86)\PuTTY
2012-05-16 20:45 - 2012-05-16 20:45 - 01857592 ____A (Simon Tatham ) C:\Users\Administrator\Downloads\putty-2012-05-17-installer.exe
2012-05-16 20:45 - 2012-05-16 20:45 - 01849240 ____A (Simon Tatham ) C:\Users\Administrator\Downloads\putty-0.62-installer.exe
2012-05-14 17:32 - 2012-06-13 13:44 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-04 03:06 - 2012-06-13 13:44 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-13 13:44 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 13:44 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-03 08:16 - 2009-07-13 20:56 - 00026787 ____A C:\Windows\setupact.log
2012-05-02 19:52 - 2012-05-02 19:50 - 00000000 ____D C:\Program Files (x86)\Bitvise WinSSHD
2012-05-02 19:49 - 2012-05-02 19:49 - 00000000 ____D C:\Windows\System32\appmgmt
2012-05-02 19:48 - 2012-05-02 19:48 - 05493488 ____A C:\Users\Administrator\Downloads\WinSSHD5-Inst.exe
2012-05-02 18:54 - 2012-05-02 18:54 - 05073240 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\vcredist_x86.exe
2012-05-02 18:53 - 2012-05-02 18:53 - 05718872 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\vcredist_x64.exe
2012-05-02 18:53 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-05-02 18:50 - 2012-05-02 18:50 - 00000000 ____D C:\Program Files\VanDyke Software
2012-05-02 18:49 - 2012-05-02 18:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Downloaded Installations
2012-05-02 18:40 - 2012-05-02 18:40 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-05-02 18:40 - 2012-05-02 18:40 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-05-02 18:40 - 2012-05-02 18:40 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-05-02 18:40 - 2012-05-02 18:40 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-05-02 18:40 - 2012-05-02 18:40 - 00000000 ____D C:\Sun
2012-05-02 18:40 - 2012-05-02 18:40 - 00000000 ____D C:\Program Files (x86)\Java
2012-05-02 18:40 - 2012-05-02 10:15 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-05-02 18:29 - 2012-05-02 08:44 - 00000000 ____D C:\Windows\AutoKMS
2012-05-02 18:20 - 2012-05-02 18:20 - 00000000 ____D C:\Program Files\RealVNC
2012-05-02 18:17 - 2012-05-02 18:17 - 06038200 ____A (RealVNC Ltd ) C:\Users\Administrator\Downloads\vnc-E4_6_3-x86_x64_win32.exe
2012-05-02 18:14 - 2012-05-02 18:14 - 00741744 ____A (RealVNC Ltd. ) C:\Users\Administrator\Downloads\vnc-4_1_3-x86_win32.exe
2012-05-02 18:12 - 2012-05-02 18:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Leadertech
2012-05-02 18:10 - 2012-05-02 18:10 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FileMaker
2012-05-02 18:10 - 2012-05-02 17:57 - 00000000 ____D C:\Program Files (x86)\FileMaker
2012-05-02 18:03 - 2012-04-27 21:02 - 00109648 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-02 17:58 - 2012-05-02 17:58 - 00002505 ____A C:\Users\Administrator\Downloads\admin_console_init_webstart.jnlp
2012-05-02 10:16 - 2012-05-02 10:16 - 00000000 ____D C:\Users\All Users\Apple
2012-05-02 10:16 - 2012-05-02 10:16 - 00000000 ____D C:\Program Files\Bonjour
2012-05-02 10:16 - 2012-05-02 10:16 - 00000000 ____D C:\Program Files (x86)\Bonjour
2012-05-02 10:15 - 2012-05-02 10:15 - 00000000 ____D C:\Users\All Users\Sun
2012-05-02 07:50 - 2012-05-02 07:43 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-05-02 07:46 - 2012-05-02 07:46 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2012-05-02 07:46 - 2012-05-02 07:43 - 00000000 ____D C:\Windows\SHELLNEW
2012-05-02 07:45 - 2012-05-02 07:45 - 00000000 ____D C:\Windows\PCHEALTH
2012-05-02 07:45 - 2012-05-02 07:45 - 00000000 ____D C:\Program Files\Microsoft Sync Framework
2012-05-02 07:45 - 2012-05-02 07:45 - 00000000 ____D C:\Program Files (x86)\MSBuild
2012-05-02 07:45 - 2012-05-02 07:43 - 00000000 ____D C:\Program Files\Microsoft Office
2012-05-02 07:44 - 2012-05-02 07:44 - 00000000 ____D C:\Program Files\Microsoft Analysis Services
2012-05-02 07:44 - 2012-05-02 07:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Visual Studio 8
2012-05-02 07:44 - 2012-05-02 07:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2012-05-02 07:43 - 2012-05-02 07:43 - 00000000 __RHD C:\MSOCache
2012-05-02 07:43 - 2012-05-02 07:43 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2012-05-02 07:43 - 2012-05-02 07:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2012-04-28 09:46 - 2012-04-28 07:55 - 00001318 ____A C:\Windows\ntbackup.ini
2012-04-28 07:58 - 2005-07-01 08:34 - 00000000 ____D C:\C
2012-04-28 07:56 - 2012-04-28 07:56 - 00000000 ____D C:\Users\All Users\Microsoft Forefront
2012-04-28 07:54 - 2012-04-28 07:54 - 00684193 ____A C:\Users\Administrator\Downloads\Windows6.1-KB974674-x64.msu
2012-04-28 07:50 - 2012-04-28 07:50 - 00907264 ____A C:\Users\Administrator\Downloads\NtBackupRestore_Win64.msi
2012-04-28 07:50 - 2012-04-28 07:50 - 00000000 ____D C:\Users\All Users\Windows Genuine Advantage
2012-04-28 07:49 - 2012-04-28 07:49 - 01528184 ____A (Microsoft Corporation) C:\Users\Administrator\Downloads\GenuineCheck.exe
2012-04-28 07:30 - 2012-04-28 07:30 - 00000000 ____D C:\Program Files (x86)\Elaborate Bytes
2012-04-28 07:29 - 2012-04-28 07:29 - 01587696 ____A C:\Users\Administrator\Downloads\SetupVirtualCloneDrive5.exe
2012-04-28 00:56 - 2009-07-13 21:42 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2012-04-28 00:56 - 2009-07-13 21:37 - 00262144 ____A C:\Windows\System32\config\BCD-Template
2012-04-27 23:06 - 2012-04-27 23:06 - 00000000 ____D C:\Program Files\7-Zip
2012-04-27 23:05 - 2012-04-27 23:05 - 01376768 ____A C:\Users\Administrator\Downloads\7z920-x64.msi
2012-04-27 23:00 - 2012-04-27 23:00 - 00000000 ____D C:\Program Files (x86)\Dell Wireless
2012-04-27 23:00 - 2012-04-27 21:13 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-04-27 22:55 - 2012-04-27 21:23 - 00000000 ____D C:\Program Files (x86)\Intel
2012-04-27 22:54 - 2012-04-27 22:54 - 04176888 ____A C:\Users\Administrator\Downloads\Intel_Management-Engine-Inte_A01_R301322.exe
2012-04-27 22:53 - 2012-04-27 22:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2012-04-27 22:53 - 2012-04-27 22:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2012-04-27 22:50 - 2012-04-27 22:50 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2012-04-27 22:50 - 2012-04-27 22:50 - 00000000 ____D C:\Users\Administrator\AppData\Local\Deployment
2012-04-27 22:50 - 2012-04-27 22:50 - 00000000 ____D C:\Users\Administrator\AppData\Local\Apps\2.0
2012-04-27 22:46 - 2012-04-27 22:46 - 00000000 ____A C:\Users\Administrator\Downloads\ChromeSetup_exe.u1wqa93.partial
2012-04-27 21:32 - 2012-04-27 21:32 - 00000000 ____D C:\Program Files (x86)\Realtek
2012-04-27 21:23 - 2012-04-27 21:23 - 00000000 ____D C:\Intel
2012-04-27 21:18 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-04-27 21:13 - 2012-04-27 21:13 - 00000000 ____D C:\Users\All Users\Dell
2012-04-27 21:13 - 2012-04-27 21:13 - 00000000 ____D C:\dell
2012-04-27 21:01 - 2012-04-27 21:01 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2012-04-27 21:00 - 2011-12-07 03:34 - 00000000 __SHD C:\Recovery
2012-04-27 21:00 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2012-04-27 20:59 - 2011-12-07 03:30 - 00003652 ____A C:\Windows\TSSysprep.log
2012-04-27 20:59 - 2011-12-07 03:27 - 00000000 ____D C:\Windows\Panther
2012-04-27 20:59 - 2009-07-13 20:59 - 00049607 ____A C:\Windows\SysWOW64\license.rtf
2012-04-27 20:59 - 2009-07-13 20:59 - 00049607 ____A C:\Windows\System32\license.rtf
2012-04-27 20:59 - 2009-07-13 20:49 - 00004059 ____A C:\Windows\DtcInstall.log
2012-04-27 19:55 - 2012-06-13 13:44 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 21:41 - 2012-06-13 13:44 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 21:41 - 2012-06-13 13:44 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 21:34 - 2012-06-13 13:44 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-12 10:45 - 2012-04-12 10:45 - 00252304 ____A (VanDyke Software, Inc.) C:\Windows\System32\vdspka10.dll
2012-04-04 11:56 - 2012-06-28 06:05 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

ZeroAccess:
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\@
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L\00000004.@
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L\201d3dde
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\L\55490ac4
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\00000004.@
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\00000008.@
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\000000cb.@
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000000.@
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000032.@
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000064.@

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4008.64 MB
Available physical RAM: 3430.57 MB
Total Pagefile: 4006.84 MB
Available Pagefile: 3419.27 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:488.28 GB) (Free:459.42 GB) NTFS
2 Drive d: () (Fixed) (Total:0.04 GB) (Free:0.04 GB) FAT
3 Drive f: () (Fixed) (Total:428.38 GB) (Free:301.35 GB) NTFS
6 Drive I: () (Removable) (Total:15.01 GB) (Free:14.6 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.85 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 488 GB 14 GB
Partition 4 Primary 428 GB 503 GB

======================================================================================================

Disk: 0
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D FAT Partition 39 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y RECOVERY NTFS Partition 14 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 488 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F NTFS Partition 428 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 31 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I FAT32 Removable 15 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-27 20:44

======================= End Of Log ==========================

Here is the result of search for services.exe:

Farbar Recovery Scan Tool Version: 28-06-2012 02
Ran by SYSTEM at 2012-06-29 09:24:38
Running from I:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======
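The two findings in the log above, a System32\services.exe whose MD5 (50BEA589...) differs from the winsxs component-store copy, and a C:\Windows\Installer\{GUID} folder full of `@`-named payload files, are the classic ZeroAccess indicators and are easy to re-check by hand. The script below is an added example, not part of this thread and not FRST's own code: it hashes the live services.exe, compares it against every services.exe in winsxs, and lists any {GUID} directory under the Installer folder whose top level or U\ / L\ subfolder holds files named `@` or `xxxxxxxx.@` (the naming pattern is taken from the listing above). The default root C:\Windows and the treatment of a {GUID} folder as suspicious only when such files are present are assumptions; legitimate MSI cache folders under Installer do not use those names. Because the rootkit hides these files and hooks file APIs on the running system, point the script at the offline volume from WinRE or a rescue USB, as was done with FRST here. Since servicing keeps System32 binaries as hard links into winsxs, a services.exe that matches none of the store copies is a strong signal.

```python
"""
Re-check two ZeroAccess/Sirefef indicators seen in the FRST log:
 1. System32\services.exe whose MD5 matches no services.exe in the winsxs
    component store (a patched service controller), and
 2. a <Windows>\Installer\{GUID} directory holding '@' payload files
    (e.g. U\80000000.@), which legitimate MSI caches do not use.
Paths are parameters so the checks run against an offline image or a
test tree; the default root C:\Windows is an assumption.
"""
import hashlib
import os
import re
from typing import Dict, List

# ZeroAccess payload names observed in the listing: '@' or 8 hex digits + '.@'
PAYLOAD_NAME = re.compile(r"^(?:@|[0-9a-f]{8}\.@)$", re.IGNORECASE)
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def md5_of(path: str) -> str:
    """Upper-case MD5 hex digest, the format FRST prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def winsxs_copies(windows_dir: str, name: str = "services.exe") -> Dict[str, str]:
    """Map every <windows_dir>\\winsxs\\...\\<name> to its MD5."""
    found: Dict[str, str] = {}
    for root, _dirs, files in os.walk(os.path.join(windows_dir, "winsxs")):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(root, fn)
                found[p] = md5_of(p)
    return found


def check_services_exe(windows_dir: str) -> dict:
    """Flag System32\\services.exe if it matches no component-store copy.
    If winsxs holds no copy at all nothing can be concluded (suspicious=False)."""
    live = os.path.join(windows_dir, "System32", "services.exe")
    live_md5 = md5_of(live)
    store = winsxs_copies(windows_dir)
    matches = sorted(p for p, h in store.items() if h == live_md5)
    return {
        "path": live,
        "md5": live_md5,
        "size": os.path.getsize(live),
        "winsxs_copies": len(store),
        "matching_copies": matches,
        "suspicious": bool(store) and not matches,
    }


def find_zeroaccess_dirs(installer_dir: str) -> List[str]:
    """Return {GUID} directories whose top level or U\\ / L\\ subfolder
    contains '@' payload files."""
    hits: List[str] = []
    if not os.path.isdir(installer_dir):
        return hits
    for entry in os.listdir(installer_dir):
        top = os.path.join(installer_dir, entry)
        if not (os.path.isdir(top) and GUID_DIR.match(entry)):
            continue
        for d in [top] + [os.path.join(top, sub) for sub in ("U", "L")]:
            if os.path.isdir(d) and any(PAYLOAD_NAME.match(f) for f in os.listdir(d)):
                hits.append(top)
                break
    return sorted(hits)


def triage(windows_dir: str = r"C:\Windows") -> dict:
    """Run both checks against one Windows directory (live or offline)."""
    return {
        "services_exe": check_services_exe(windows_dir),
        "zeroaccess_dirs": find_zeroaccess_dirs(os.path.join(windows_dir, "Installer")),
    }


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    print(json.dumps(triage(target), indent=2))
```

Run it as `python zeroaccess_check.py D:\Windows` from the recovery environment, substituting the drive letter the offline system volume received there. A `suspicious: true` result together with a non-empty `zeroaccess_dirs` list corresponds to the two ATTENTION lines FRST raised on this machine; restoring services.exe from the matching winsxs component, as the fixlist later does, is what brings the hashes back into agreement.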
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next....

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments: fixlist.txt (648 bytes)
Hello. Here is the fixlog file. I was unable to run ComboFix; I'm getting a message that it is not meant for servers (this is a Windows 2008 R2 box). Thanks

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 28-06-2012 02
Ran by SYSTEM at 2012-06-29 16:28:02 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
C:\Windows\System32\consrv.dll not found.
skzbcqnm service deleted successfully.
C:\Windows\System32\Drivers\skzbcqnm.sys not found.
C:\Windows\System32\services.exe.D518A6B492EF0B01 moved successfully.
C:\Windows\Installer\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
 
That's a bit of a problem because we don't have too many tools for servers.

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
Here's the MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.30.01

Windows Server 2008 R2 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: SERVEURAOP [administrator]

30/06/2012 1:23:26 AM
mbam-log-2012-06-30 (01-23-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 305642
Time elapsed: 1 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
Results of screen317's Security Check version 0.99.24
x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java(TM) 6 Update 32
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````
 
Farbar Service Scanner Version: 25-06-2012 01
Ran by Administrator (administrator) on 01-07-2012 at 00:26:14
Running from "C:\Users\Administrator\Downloads"
Microsoft Windows Server 2008 R2 Enterprise Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
ATTENTION!=====> C:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\Windows\System32\vssvc.exe => MD5 is legit
ATTENTION!=====> C:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
 
C:\FRST\Quarantine\services.exe    Win64/Patched.A.Gen trojan    deleted - quarantined
C:\FRST\Quarantine\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\00000008.@    Win64/Agent.BA trojan    cleaned by deleting - quarantined
C:\FRST\Quarantine\{fb40cb3f-cfa9-65de-7eb1-7f9877b57deb}\U\80000000.@    Win64/Sirefef.AE trojan    cleaned by deleting - quarantined
D:\Mil\My Documents\My Received Files\flash 5.zip    probably a variant of Win32/Agent.NJOBVXP trojan    deleted - quarantined
 
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

=====================================================

Now....we have some system files and some registry keys missing.

Let's start with files...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    wscsvc.dll
    SDRSVC.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 01:18 on 02/07/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "wscsvc.dll"
No files found.

Searching for "SDRSVC.dll"
No files found.

-= EOF =-
 
Search that DVD for those two missing files:
wscsvc.dll
SDRSVC.dll

They're probably compressed so search for:

wscsvc.*
SDRSVC.*
 
I couldn't find either file on the DVD. I ran FSS on another Windows 2008 R2 box that is clean as far as I know, and the same files were missing.
 
I see.
I'm not very familiar with server OS.
Possibly my tools (mostly designed for regular Windows versions) are misreading something.

Are you having any current issues?
 
It looks good for now. My Windows Firewall installation was wiped but I was able to restore it. I was also able to reinstall my AV software (Forefront), which failed when I was infected. It updated and scanned and found nothing.

Thank you very much for your help.
 
Make sure you reset restore points.
Turn system restore off.
Restart computer.
Turn system restore on.

Way to go!!

Good luck and stay safe :)
 