Here is the log requested above, thank you:
Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 19-05-2012
Ran by SYSTEM at 20-05-2012 12:39:15
Running from E:\
Windows Vista Business (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2007-09-12] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [154136 2007-09-12] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [129560 2007-09-12] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1045800 2008-03-27] (Synaptics, Inc.)
HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [177456 2007-11-06] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [413696 2009-01-05] (Apple Inc.)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [185896 2006-09-28] (Nuance Communications, Inc.)
HKLM\...\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [75304 2006-10-11] (ScanSoft, Inc.)
HKLM\...\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-10-03] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [296056 2011-12-12] (RealNetworks, Inc.)
HKLM\...\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXRCV] "C:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe" [495616 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXSTM] "C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe" [856064 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup [1596096 2009-08-05] (Leader Technologies Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Krista Hansen\...\Run: [SansaDispatch] C:\Users\Krista Hansen\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2009-05-18] (SanDisk Corporation)
HKU\Krista Hansen\...\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" [247144 2010-08-24] (TomTom)
HKU\Krista Hansen\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\Krista Hansen\...\Run: [KGShareApp] C:\Program Files\Kodak\KODAK Share Button App\KGShare_App.exe [x]
HKU\Krista Hansen\...\Run: [EPLTarget\P0000000000000001] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_TATIHVA.EXE /EPT "EPLTarget\P0000000000000001" /M "WorkForce 645" [219008 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\Krista Hansen\...\Run: [Sonic] Rundll32.exe "C:\Users\Krista Hansen\AppData\Local\Sonic\rwsdolnf.dll",GetFilterInfo [667648 2011-12-12] (The Imaging Source Europe GmbH)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
================================ Services (Whitelisted) ==================
3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
2 EpsonCustomerParticipation; "C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe" [521600 2011-06-09] (SEIKO EPSON CORPORATION)
3 hpqcxs08; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.)
2 hpqddsvc; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll [135168 2008-10-16] (Hewlett-Packard Co.)
2 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [144688 2007-12-05] (Hewlett-Packard Development Company, L.P.)
2 HPSLPSVC; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPSLPSVC32.DLL [634880 2008-10-16] (Hewlett-Packard Co.)
2 lxdu_device; C:\Windows\system32\lxducoms.exe -service [594600 2009-08-19] ( )
2 McciCMService; "C:\Program Files\Common Files\Motive\McciCMService.exe" [319488 2010-05-04] (Alcatel-Lucent)
2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
2 PenCommService; "C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe" [457728 2010-10-05] (Livescribe)
2 TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [92008 2010-08-24] (TomTom)
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]
========================== Drivers (Whitelisted) =============
3 BCM43XV; C:\Windows\System32\DRIVERS\bcmwl6.sys [464384 2006-11-01] (Broadcom Corporation)
3 bcm4sbxp; C:\Windows\System32\DRIVERS\bcm4sbxp.sys [45056 2006-11-01] (Broadcom Corporation)
3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [14904 2010-02-24] (Hewlett-Packard Company)
3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [159232 2007-02-21] (Conexant Systems Inc.)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2006-11-01] (Conexant Systems, Inc.)
3 ialm; C:\Windows\System32\DRIVERS\igdkmd32.sys [1899008 2007-08-24] (Intel Corporation)
3 moufiltr; C:\Windows\System32\DRIVERS\moufiltr.sys [6144 2007-01-09] (Chic)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 MREMP50; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2010-05-04] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2010-05-04] (Printing Communications Assoc., Inc. (PCAUSA))
3 NETw4v32; C:\Windows\System32\DRIVERS\NETw4v32.sys [2252800 2007-10-31] (Intel Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [74112 2012-03-20] (Microsoft Corporation)
3 PulseUsb; C:\Windows\System32\DRIVERS\PulseUsb.sys [20480 2010-10-05] (Windows ® Win 7 DDK provider)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
4 eabfiltr; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
========================== NetSvcs (Whitelisted) ===========
============ One Month Created Files and Folders ==============
2012-05-20 12:38 - 2012-05-20 12:38 - 0000000 ____D C:\FRST
2012-05-19 15:23 - 2012-05-19 15:23 - 0206953 ____A C:\Users\Krista Hansen\Desktop\ark2.txt
2012-05-18 09:28 - 2012-05-18 09:28 - 0148701 ____A C:\Users\Krista Hansen\Desktop\ark.txt
2012-05-18 07:30 - 2012-05-18 07:30 - 0000000 ____D C:\Users\Krista Hansen\Desktop\gmer
2012-05-18 07:28 - 2012-05-18 07:27 - 0294216 ____A C:\Users\Krista Hansen\Desktop\gmer.zip
2012-05-18 07:27 - 2012-05-18 07:27 - 0294216 ____A C:\Users\Krista Hansen\Downloads\gmer.zip
2012-05-18 07:21 - 2012-05-18 07:21 - 0016878 ____A C:\Users\Krista Hansen\Desktop\Attach.txt
2012-05-18 07:17 - 2012-05-18 07:17 - 0016513 ____A C:\Users\Krista Hansen\Desktop\DDS.txt
2012-05-18 07:07 - 2012-05-18 07:06 - 0607260 ____R (Swearware) C:\Users\Krista Hansen\Desktop\dds.scr
2012-05-18 07:06 - 2012-05-18 07:06 - 0607260 ____A (Swearware) C:\Users\Krista Hansen\Downloads\dds.scr
2012-05-18 07:01 - 2012-05-18 07:02 - 0000488 ____A C:\Users\Krista Hansen\Desktop\defogger_disable.log
2012-05-18 07:01 - 2012-05-18 07:01 - 0000000 ____A C:\Users\Krista Hansen\defogger_reenable
2012-05-18 07:00 - 2012-05-18 06:59 - 0050477 ____A C:\Users\Krista Hansen\Desktop\Defogger.exe
2012-05-18 06:59 - 2012-05-18 06:59 - 0050477 ____A C:\Users\Krista Hansen\Downloads\Defogger.exe
2012-05-16 11:29 - 2012-05-16 11:29 - 4731392 ____A (AVAST Software) C:\Users\Krista Hansen\Downloads\aswMBR.exe
2012-05-16 11:12 - 2012-05-16 11:12 - 0302592 ____A C:\Users\Krista Hansen\Downloads\bkwvtyfl.exe
2012-05-16 10:19 - 2012-05-16 10:39 - 0118214 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_14.19.15_log.txt
2012-05-16 10:13 - 2012-05-16 10:13 - 2126424 ____A (Kaspersky Lab ZAO) C:\Users\Krista Hansen\Downloads\tdsskiller (2).exe
2012-05-16 06:06 - 2012-05-16 06:06 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-05-14 22:02 - 2012-05-14 22:02 - 0000137 ____A C:\Users\Krista Hansen\Desktop\Home.url
2012-05-14 05:39 - 2012-05-14 05:39 - 0000000 __SHD C:\Windows\System32\%APPDATA%
2012-05-13 11:27 - 2012-05-13 11:27 - 0000179 ____A C:\Users\Krista Hansen\Desktop\Wells Fargo -.url
2012-05-13 10:41 - 2012-05-18 06:35 - 0000000 ____D C:\Users\Krista Hansen\Desktop\Virus removal
2012-05-11 07:09 - 2012-05-11 07:09 - 0000172 ____A C:\Users\Krista Hansen\Desktop\InterStar Communications.url
2012-05-10 10:31 - 2012-03-30 04:39 - 0914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-05-10 10:31 - 2012-03-29 05:39 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-05-10 10:31 - 2012-03-20 15:28 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-05-10 10:30 - 2012-03-01 06:46 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-05-10 10:30 - 2012-03-01 06:46 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-05-10 10:30 - 2012-02-29 06:08 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-05-10 10:30 - 2012-02-29 05:44 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-05-10 10:30 - 2012-02-29 05:41 - 1069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-10 10:29 - 2012-04-03 00:16 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-05-10 10:29 - 2012-04-03 00:16 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-10 10:29 - 2012-04-02 05:36 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-10 10:09 - 2012-05-10 10:09 - 0000168 ____A C:\Users\Krista Hansen\Desktop\Google.url
2012-05-10 09:53 - 2012-05-20 03:36 - 2136420352 __ASH C:\hiberfil.sys
2012-05-10 07:05 - 2012-05-10 07:06 - 0120766 ____A C:\TDSSKiller.2.7.34.0_10.05.2012_11.05.00_log.txt
2012-05-09 13:36 - 2012-05-09 13:38 - 0120454 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_17.36.37_log.txt
2012-05-09 12:28 - 2012-05-09 12:28 - 0399264 ____A (Bleeping Computer, LLC) C:\Users\Krista Hansen\Downloads\unhide.exe
2012-05-09 07:49 - 2012-05-09 07:49 - 10063024 ____A (Malwarebytes Corporation ) C:\Users\Krista Hansen\Downloads\mbam-setup.exe
2012-05-09 07:42 - 2012-05-09 07:44 - 0120454 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_11.42.24_log.txt
2012-05-09 07:14 - 2012-05-09 07:14 - 2075184 ____A (Kaspersky Lab ZAO) C:\Users\Krista Hansen\Downloads\tdsskiller (1).exe
2012-05-09 07:13 - 2012-05-09 07:13 - 2075184 ____A (Kaspersky Lab ZAO) C:\Users\Krista Hansen\Downloads\tdsskiller.exe
2012-05-08 13:40 - 2012-05-08 11:23 - 1012656 ____A C:\Users\Krista Hansen\Desktop\iExplore.exe
2012-05-06 08:13 - 2012-05-06 08:13 - 0000228 ___AH C:\Users\Krista Hansen\Desktop\Complete the process.url
2012-05-04 18:20 - 2012-05-04 18:20 - 0000220 ___AH C:\Users\Krista Hansen\Desktop\Adding a Domain Name to Office 365.url
2012-05-01 06:34 - 2012-05-01 06:34 - 0000000 ___HD C:\Users\Krista Hansen\AppData\Local\Sonic
2012-04-29 13:08 - 2012-04-29 13:08 - 0000249 ___AH C:\Users\Krista Hansen\Desktop\cPanel® 11.url
2012-04-29 08:11 - 2012-04-29 10:59 - 0000249 ___AH C:\Users\Krista Hansen\Desktop\Access cPanel Webmail.url
2012-04-28 08:55 - 2012-04-28 08:55 - 0000704 ___AH C:\Users\Krista Hansen\Desktop\ASF WEBSITE-NEW - Shortcut.lnk
2012-04-20 19:12 - 2012-04-20 19:12 - 0000109 ___AH C:\Users\Krista Hansen\Desktop\EdgeRank.url
============ 3 Months Modified Files and Folders ===============
2012-05-20 12:38 - 2012-05-20 12:38 - 0000000 ____D C:\FRST
2012-05-20 05:04 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\System32\FxsTmp
2012-05-20 05:03 - 2008-07-08 17:59 - 1800143 ____A C:\Windows\WindowsUpdate.log
2012-05-20 05:00 - 2012-01-11 04:44 - 0000000 __SHD C:\Users\Krista Hansen\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
2012-05-20 04:12 - 2012-02-15 05:26 - 0000354 ___AH C:\Windows\Tasks\HPCeeScheduleForKrista Hansen.job
2012-05-20 03:36 - 2012-05-10 09:53 - 2136420352 __ASH C:\hiberfil.sys
2012-05-20 03:36 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-20 03:36 - 2006-11-02 04:47 - 0003168 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-20 03:36 - 2006-11-02 04:47 - 0003168 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-19 15:47 - 2006-11-09 13:07 - 0000012 ____A C:\Windows\bthservsdp.dat
2012-05-19 15:47 - 2006-11-02 05:01 - 0032580 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-19 15:23 - 2012-05-19 15:23 - 0206953 ____A C:\Users\Krista Hansen\Desktop\ark2.txt
2012-05-18 09:28 - 2012-05-18 09:28 - 0148701 ____A C:\Users\Krista Hansen\Desktop\ark.txt
2012-05-18 07:30 - 2012-05-18 07:30 - 0000000 ____D C:\Users\Krista Hansen\Desktop\gmer
2012-05-18 07:27 - 2012-05-18 07:28 - 0294216 ____A C:\Users\Krista Hansen\Desktop\gmer.zip
2012-05-18 07:27 - 2012-05-18 07:27 - 0294216 ____A C:\Users\Krista Hansen\Downloads\gmer.zip
2012-05-18 07:21 - 2012-05-18 07:21 - 0016878 ____A C:\Users\Krista Hansen\Desktop\Attach.txt
2012-05-18 07:17 - 2012-05-18 07:17 - 0016513 ____A C:\Users\Krista Hansen\Desktop\DDS.txt
2012-05-18 07:06 - 2012-05-18 07:07 - 0607260 ____R (Swearware) C:\Users\Krista Hansen\Desktop\dds.scr
2012-05-18 07:06 - 2012-05-18 07:06 - 0607260 ____A (Swearware) C:\Users\Krista Hansen\Downloads\dds.scr
2012-05-18 07:02 - 2012-05-18 07:01 - 0000488 ____A C:\Users\Krista Hansen\Desktop\defogger_disable.log
2012-05-18 07:01 - 2012-05-18 07:01 - 0000000 ____A C:\Users\Krista Hansen\defogger_reenable
2012-05-18 07:01 - 2008-07-30 09:38 - 0000000 ___HD C:\users\Krista Hansen
2012-05-18 06:59 - 2012-05-18 07:00 - 0050477 ____A C:\Users\Krista Hansen\Desktop\Defogger.exe
2012-05-18 06:59 - 2012-05-18 06:59 - 0050477 ____A C:\Users\Krista Hansen\Downloads\Defogger.exe
2012-05-18 06:35 - 2012-05-13 10:41 - 0000000 ____D C:\Users\Krista Hansen\Desktop\Virus removal
2012-05-18 06:27 - 2009-02-16 05:32 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-17 07:54 - 2008-07-30 09:38 - 0000000 ___HD C:\Users\Krista Hansen\AppData\LocalLow
2012-05-16 23:04 - 2009-11-19 08:53 - 0000000 ____D C:\Config.Msi
2012-05-16 11:29 - 2012-05-16 11:29 - 4731392 ____A (AVAST Software) C:\Users\Krista Hansen\Downloads\aswMBR.exe
2012-05-16 11:12 - 2012-05-16 11:12 - 0302592 ____A C:\Users\Krista Hansen\Downloads\bkwvtyfl.exe
2012-05-16 10:39 - 2012-05-16 10:19 - 0118214 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_14.19.15_log.txt
2012-05-16 10:13 - 2012-05-16 10:13 - 2126424 ____A (Kaspersky Lab ZAO) C:\Users\Krista Hansen\Downloads\tdsskiller (2).exe
2012-05-16 07:21 - 2011-06-24 06:00 - 0000000 ____D C:\Users\Krista Hansen\AppData\Local\ElevatedDiagnostics
2012-05-16 06:54 - 2003-09-04 11:14 - 0000041 ___AH C:\Users\Krista Hansen\Desktop\pass.ini
2012-05-16 06:23 - 2011-01-27 06:17 - 0001945 ____A C:\Windows\epplauncher.mif
2012-05-16 06:06 - 2012-05-16 06:06 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-05-16 06:06 - 2006-11-02 02:33 - 0738784 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-16 05:39 - 2007-11-04 21:37 - 0029924 ____A C:\Windows\DPINST.LOG
2012-05-14 22:02 - 2012-05-14 22:02 - 0000137 ____A C:\Users\Krista Hansen\Desktop\Home.url
2012-05-14 06:03 - 2012-04-03 16:33 - 0419488 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-05-14 06:03 - 2011-05-20 03:58 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-05-14 05:39 - 2012-05-14 05:39 - 0000000 __SHD C:\Windows\System32\%APPDATA%
2012-05-13 11:27 - 2012-05-13 11:27 - 0000179 ____A C:\Users\Krista Hansen\Desktop\Wells Fargo -.url
2012-05-11 09:38 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-05-11 08:41 - 2006-11-02 04:47 - 0383912 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-11 08:38 - 2006-11-02 05:00 - 0089978 ____A C:\Windows\PFRO.log
2012-05-11 08:37 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Journal
2012-05-11 08:21 - 2007-11-04 21:24 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-11 08:21 - 2007-11-04 21:24 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-05-11 08:04 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-05-11 07:15 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\System32\XPSViewer
2012-05-11 07:09 - 2012-05-11 07:09 - 0000172 ____A C:\Users\Krista Hansen\Desktop\InterStar Communications.url
2012-05-10 18:51 - 2012-02-17 13:30 - 0000000 ___HD C:\Users\All Users\ABBYY
2012-05-10 18:51 - 2012-02-17 13:30 - 0000000 ___HD C:\ProgramData\ABBYY
2012-05-10 10:09 - 2012-05-10 10:09 - 0000168 ____A C:\Users\Krista Hansen\Desktop\Google.url
2012-05-10 09:33 - 2011-03-26 03:52 - 0752266 ____A C:\Windows\ntbtlog.txt
2012-05-10 09:30 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Globalization
2012-05-10 07:06 - 2012-05-10 07:05 - 0120766 ____A C:\TDSSKiller.2.7.34.0_10.05.2012_11.05.00_log.txt
2012-05-10 07:04 - 2011-03-26 03:56 - 0000411 ____A C:\rkill.log
2012-05-09 13:38 - 2012-05-09 13:36 - 0120454 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_17.36.37_log.txt
2012-05-09 12:28 - 2012-05-09 12:28 - 0399264 ____A (Bleeping Computer, LLC) C:\Users\Krista Hansen\Downloads\unhide.exe
2012-05-09 07:57 - 2011-03-26 04:08 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-05-09 07:49 - 2012-05-09 07:49 - 10063024 ____A (Malwarebytes Corporation ) C:\Users\Krista Hansen\Downloads\mbam-setup.exe
2012-05-09 07:44 - 2012-05-09 07:42 - 0120454 ____A C:\TDSSKiller.2.7.34.0_09.05.2012_11.42.24_log.txt
2012-05-09 07:14 - 2012-05-09 07:14 - 2075184 ____A (Kaspersky Lab ZAO) C:\Users\Krista Hansen\Downloads\tdsskiller (1).exe
2012-05-09 07:13 - 2012-05-09 07:13 - 2075184 ____A (Kaspersky Lab ZAO) C:\Users\Krista Hansen\Downloads\tdsskiller.exe
2012-05-08 11:23 - 2012-05-08 13:40 - 1012656 ____A C:\Users\Krista Hansen\Desktop\iExplore.exe
2012-05-06 08:17 - 2003-09-04 11:14 - 0047616 ___AH C:\Users\Krista Hansen\Desktop\pass.dat
2012-05-06 08:13 - 2012-05-06 08:13 - 0000228 ___AH C:\Users\Krista Hansen\Desktop\Complete the process.url
2012-05-04 18:20 - 2012-05-04 18:20 - 0000220 ___AH C:\Users\Krista Hansen\Desktop\Adding a Domain Name to Office 365.url
2012-05-01 06:34 - 2012-05-01 06:34 - 0000000 ___HD C:\Users\Krista Hansen\AppData\Local\Sonic
2012-04-30 18:31 - 2008-08-02 08:00 - 0064000 ___AH C:\Users\Krista Hansen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-29 13:08 - 2012-04-29 13:08 - 0000249 ___AH C:\Users\Krista Hansen\Desktop\cPanel® 11.url
2012-04-29 10:59 - 2012-04-29 08:11 - 0000249 ___AH C:\Users\Krista Hansen\Desktop\Access cPanel Webmail.url
2012-04-28 08:55 - 2012-04-28 08:55 - 0000704 ___AH C:\Users\Krista Hansen\Desktop\ASF WEBSITE-NEW - Shortcut.lnk
2012-04-20 19:12 - 2012-04-20 19:12 - 0000109 ___AH C:\Users\Krista Hansen\Desktop\EdgeRank.url
2012-04-14 18:59 - 2008-07-30 10:17 - 0000000 ___HD C:\data
2012-04-04 11:56 - 2011-03-26 04:08 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-03 00:16 - 2012-05-10 10:29 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-04-03 00:16 - 2012-05-10 10:29 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-02 05:36 - 2012-05-10 10:29 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 04:39 - 2012-05-10 10:31 - 0914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-29 05:39 - 2012-05-10 10:31 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-03-28 04:11 - 2008-12-10 05:53 - 0000052 ____A C:\Windows\System32\DOErrors.log
2012-03-27 17:41 - 2006-11-02 03:18 - 0000000 ___SD C:\Windows\Downloaded Program Files
2012-03-20 16:44 - 2012-03-20 16:44 - 0171064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 16:44 - 2012-03-20 16:44 - 0074112 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-20 15:28 - 2012-05-10 10:31 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-12 05:46 - 2012-03-12 05:46 - 0000000 ___HD C:\Users\Krista Hansen\AppData\Local\{C03E978F-5D04-4E08-A103-AA6727AE89EE}
2012-03-12 05:46 - 2010-10-23 03:36 - 0000000 ___HD C:\Users\Krista Hansen\AppData\Local\Windows Live
2012-03-09 11:45 - 2008-01-26 14:51 - 0000292 ___AH C:\Users\Krista Hansen\Desktop\LHSH.url
2012-03-07 03:01 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-03-07 02:56 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\System
2012-03-07 02:56 - 2006-11-02 02:23 - 0000275 ____A C:\Windows\win.ini
2012-03-01 06:46 - 2012-05-10 10:30 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-03-01 06:46 - 2012-05-10 10:30 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-02-29 07:11 - 2012-04-12 04:34 - 0172032 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 07:11 - 2012-04-12 04:34 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 07:09 - 2012-04-12 04:34 - 0157696 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 06:08 - 2012-05-10 10:30 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-02-29 05:44 - 2012-05-10 10:30 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-02-29 05:41 - 2012-05-10 10:30 - 1069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-29 05:32 - 2012-04-12 04:34 - 0012800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-28 04:35 - 2007-11-04 21:48 - 0000000 ____D C:\Program Files\Common Files\Java
2012-02-28 04:32 - 2012-02-28 04:32 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-02-28 04:32 - 2012-02-28 04:32 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-02-28 04:32 - 2012-02-28 04:32 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-02-28 04:32 - 2010-05-05 02:11 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-02-28 04:32 - 2007-11-04 21:48 - 0000000 ____D C:\Program Files\Java
2012-02-27 17:52 - 2012-04-12 04:35 - 12281856 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 17:27 - 2012-04-12 04:35 - 9705984 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 17:18 - 2012-04-12 04:36 - 1799168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 17:12 - 2012-04-12 04:36 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 17:11 - 2012-04-12 04:36 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 17:11 - 2012-04-12 04:36 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 17:09 - 2012-04-12 04:36 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 17:08 - 2012-04-12 04:36 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 17:06 - 2012-04-12 04:36 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 17:04 - 2012-04-12 04:36 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 17:03 - 2012-04-12 04:36 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 17:03 - 2012-04-12 04:36 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 16:59 - 2012-04-12 04:36 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
========================= Known DLLs (Whitelisted) ============
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe
[2008-09-30 16:40] - [2008-01-18 23:33] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 24%
Total physical RAM: 2038.81 MB
Available physical RAM: 1549.2 MB
Total Pagefile: 1771.14 MB
Available Pagefile: 1616.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:147.49 GB) (Free:58.5 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (OS_TOOLS) (Fixed) (Total:1.55 GB) (Free:1.02 GB) NTFS
3 Drive e: (May 20 2012) (CDROM) (Total:4.38 GB) (Free:4.24 GB) UDF
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online       149 GB  7824 KB
Partitions of Disk 0:
===============
Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary            147 GB    32 KB
Partition 2    Primary           1589 MB   147 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0     C                NTFS   Partition    147 GB  Healthy
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     D   OS_TOOLS     NTFS   Partition   1589 MB  Healthy
======================================================================================================
==========================================================
Last Boot: 2012-05-20 04:13
======================= End Of Log ==========================