David Summers
Posts: 16 +1
I don't know how long my machine has been infected, but it had been behaving strangely in the days, maybe weeks, prior to an actual diagnosis of the sirefef.y Trojan, i.e. playing strange music at times when I was online, and the video camera malfunctioning. When I discovered that my Windows Security Essentials wouldn't function, I downloaded the current version and got it running. It wasn't long, however, before I fell into a loop whereby the computer would find the virus and then force a restart after about a minute... which was never long enough to clean the virus. Initially it was the sirefef.w Trojan, but it appears that Security Essentials caught and cleaned that one... Now it's the y version, and I have had no success trying to isolate it and close it out in Task Manager prior to the forced restart. Additionally, I have downloaded Malwarebytes' Anti-Malware, GMER and DDS, and have started the scanning process multiple times with all three individually, as well as Microsoft Security Essentials, but none are able to finish the process before the virus does its thing, even in Safe Mode. Even DDS, which isn't supposed to take longer than 3 minutes, has no time to complete its processes.
Any assistance would be appreciated.
Below is the log generated by the Farbar recovery scan tool:
Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 21-08-2012 06:52:00
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [368640 2010-01-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-28] (IDT, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [165912 2009-06-30] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [385560 2009-06-30] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [365080 2009-06-30] (Intel Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m [1807600 2009-11-13] ()
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-24] (Ask)
HKU\David Summers\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-09-18] (Google Inc.)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-07] (Dell)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\..\Interfaces\{B087D8A2-424B-440D-80FC-E3B3A46D696C}: [NameServer]66.174.92.14 69.78.235.35
Startup: C:\Users\David Summers\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\David Summers\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\David Summers\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
==================== Services (Whitelisted) ======
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)
========================== Drivers (Whitelisted) =============
3 PTUMWBus; C:\Windows\System32\Drivers\PTUMWBus.sys [70928 2010-07-20] (DEVGURU Co., LTD.)
3 PTUMWCDF; C:\Windows\System32\Drivers\PTUMWCDF.sys [24976 2010-07-20] (DEVGURU Co., LTD.)
3 PTUMWCSP; C:\Windows\System32\Drivers\PTUMWCSP.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMWFLT; C:\Windows\System32\Drivers\PTUMWFLT.sys [12688 2010-07-20] (DEVGURU Co., LTD.)
3 PTUMWMdm; C:\Windows\System32\Drivers\PTUMWMdm.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMWNET; C:\Windows\System32\Drivers\PTUMWNET.sys [143888 2010-07-20] (DEVGURU Co., LTD.)
3 PTUMWNSP; C:\Windows\System32\Drivers\PTUMWNSP.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMWVsp; C:\Windows\System32\Drivers\PTUMWVsp.sys [173328 2010-07-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 SMSIVZAM5X64; \??\C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [43032 2009-05-25] (Smith Micro Inc.)
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============
2012-08-17 12:38 - 2012-08-17 12:38 - 00000000 ____D C:\Users\David Summers\Application Data\Malwarebytes
2012-08-17 12:38 - 2012-08-17 12:38 - 00000000 ____D C:\Users\David Summers\AppData\Roaming\Malwarebytes
2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-08-17 12:35 - 2012-08-17 12:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-17 12:35 - 2012-07-03 15:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-17 12:32 - 2012-08-17 12:07 - 00607260 ____R (Swearware) C:\Users\David Summers\Desktop\dds.com
2012-08-17 12:32 - 2012-08-17 12:07 - 00302592 ____A C:\Users\David Summers\Desktop\4klg889o.exe
2012-08-17 12:31 - 2012-08-17 12:05 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\David Summers\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-16 09:36 - 2012-08-21 08:17 - 00019074 ____A C:\Users\David Summers\Desktop\yorkyt.exe.log
2012-08-16 09:36 - 2012-08-16 09:23 - 01415784 ____A C:\Users\David Summers\Desktop\yorkyt.exe
2012-08-16 09:32 - 2012-08-16 09:26 - 74900016 ____A (Microsoft Corporation) C:\Users\David Summers\Desktop\msert.exe
2012-08-16 08:40 - 2012-08-16 08:40 - 00005176 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-08-15 17:02 - 2012-08-15 17:03 - 00000000 ____D C:\FRST
2012-08-13 12:36 - 2012-08-13 12:36 - 00006704 ____N C:\bootsqm.dat
2012-08-13 12:34 - 2012-08-13 12:34 - 00000000 __SHD C:\found.000
2012-08-12 20:37 - 2012-08-12 20:37 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-12 04:16 - 2012-08-12 20:37 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-12 04:16 - 2012-08-12 04:16 - 00743856 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-12 04:16 - 2012-08-12 04:16 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-12 04:07 - 2012-08-12 04:07 - 00000000 ____D C:\Users\David Summers\Desktop\Court
2012-08-09 22:43 - 2012-08-09 22:44 - 00000000 ____D C:\Users\David Summers\My Documents\Dell WebCam Central
2012-08-09 22:43 - 2012-08-09 22:44 - 00000000 ____D C:\Users\David Summers\Documents\Dell WebCam Central
2012-08-09 22:43 - 2012-08-09 22:43 - 00000000 ____D C:\Users\David Summers\Application Data\Creative
2012-08-09 22:43 - 2012-08-09 22:43 - 00000000 ____D C:\Users\David Summers\AppData\Roaming\Creative
2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\All Users\Desktop\Skype.lnk
============ 3 Months Modified Files ========================
2012-08-21 08:28 - 2009-07-13 23:51 - 00072444 ____A C:\Windows\setupact.log
2012-08-21 08:26 - 2011-05-25 08:22 - 00000418 ____A C:\Windows\Tasks\Free File Viewer Update Checker.job
2012-08-21 08:26 - 2010-09-18 18:26 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-21 08:26 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-21 08:17 - 2012-08-16 09:36 - 00019074 ____A C:\Users\David Summers\Desktop\yorkyt.exe.log
2012-08-17 12:50 - 2010-09-18 18:26 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-17 12:35 - 2012-08-17 12:35 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-17 12:07 - 2012-08-17 12:32 - 00607260 ____R (Swearware) C:\Users\David Summers\Desktop\dds.com
2012-08-17 12:07 - 2012-08-17 12:32 - 00302592 ____A C:\Users\David Summers\Desktop\4klg889o.exe
2012-08-17 12:05 - 2012-08-17 12:31 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\David Summers\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-16 09:26 - 2012-08-16 09:32 - 74900016 ____A (Microsoft Corporation) C:\Users\David Summers\Desktop\msert.exe
2012-08-16 09:23 - 2012-08-16 09:36 - 01415784 ____A C:\Users\David Summers\Desktop\yorkyt.exe
2012-08-16 08:40 - 2012-08-16 08:40 - 00005176 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-08-15 19:08 - 2012-07-03 07:45 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-15 10:05 - 2009-07-14 00:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-13 18:23 - 2009-07-14 00:10 - 01292325 ____A C:\Windows\WindowsUpdate.log
2012-08-13 12:36 - 2012-08-13 12:36 - 00006704 ____N C:\bootsqm.dat
2012-08-12 20:37 - 2012-08-12 20:37 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-12 04:16 - 2012-08-12 04:16 - 00743856 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-08-09 22:37 - 2012-08-09 22:37 - 00002515 ____A C:\Users\All Users\Desktop\Skype.lnk
2012-08-03 12:08 - 2012-07-03 07:45 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-03 12:08 - 2012-07-03 07:45 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-11 07:27 - 2009-07-13 23:45 - 00414656 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-11 07:19 - 2012-07-11 07:19 - 00004608 ____A C:\Users\David Summers\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-03 15:46 - 2012-08-17 12:35 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-29 10:52 - 2012-06-26 07:52 - 00017435 ____H C:\Users\David Summers\Desktop\~WRL0004.tmp
2012-06-11 22:02 - 2012-07-11 07:21 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-02 17:19 - 2012-06-18 18:26 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 17:19 - 2012-06-18 18:26 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 17:19 - 2012-06-18 18:26 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 17:19 - 2012-06-18 18:25 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 17:19 - 2012-06-18 18:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 17:19 - 2012-06-18 18:25 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 17:15 - 2012-06-18 18:26 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 17:15 - 2012-06-18 18:25 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 17:15 - 2012-06-18 18:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
ZeroAccess:
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\@
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\L
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\n
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\00000001.@
C:\Windows\Installer\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U\800000cb.@
ZeroAccess:
C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}
C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\@
C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\L
C:\Users\David Summers\AppData\Local\{54bc881e-81a5-ad53-5a23-689e4d4f580b}\U
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 14%
Total physical RAM: 4056.36 MB
Available physical RAM: 3474.73 MB
Total Pagefile: 4054.51 MB
Available Pagefile: 3470.74 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:365.89 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.14 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: () (Removable) (Total:7.45 GB) (Free:0.53 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 7629 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 14 GB 40 MB
Partition 3 Primary 451 GB 14 GB
==================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 14 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy
==================================================================================
Partitions of Disk 2:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7629 MB 16 KB
==================================================================================
Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E FAT32 Removable 7629 MB Healthy
==================================================================================
Last Boot: 2012-08-09 10:17
======================= End Of Log ==========================
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B
  Disk 1    No Media           0 B      0 B
  Disk 2    Online         7629 MB      0 B
Partitions of Disk 0:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            451 GB    14 GB
==================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5                      FAT    Partition     39 MB  Healthy    Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     D   RECOVERY     NTFS   Partition     14 GB  Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    451 GB  Healthy
==================================================================================
Partitions of Disk 2:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7629 MB    16 KB
==================================================================================
Disk: 2
Partition 1
Type : 0B
Hidden: No
Active: No
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     E                FAT32  Removable   7629 MB  Healthy
==================================================================================
Last Boot: 2012-08-09 10:17
======================= End Of Log ==========================