multiple sirefef trojans infected Vista-comp will not boot properly


This topic is locked
74 replies to this topic

#1 Barraman

  • Members
  • 43 posts

Posted 16 January 2012 - 09:01 AM

trojandropper: win32/sirefef.n
trojan win64/sirefef.E
trojan win32/sirefef.j
trojan win32/sirefef.P
trojan win32/conedex.A

I followed the prompts; however, they were not removed.
I noticed that the selection of any link from a Google search using Firefox, regardless of what it was, saw me directed to a random advertising site. I also saw that Firefox would open another tab on its own and display an advertising website from time to time.
Windows Essentials would pop up and seemingly automatically attempt to delete these files and fail, and the process would repeat itself every 15 minutes or so.

I searched high and low for a solution and stumbled on Hitman, and it did seem to remove all of the infections, but now

trojan win32/sirefef.b has turned up and it wasn't there before.

An additional problem has now surfaced. The computer seemed to restart on its own and now will not run in normal mode. It starts, shows the desktop for approx. 30 seconds and then shuts down and tries to restart, and the process is repeated unless I start in safe mode. I am unable to get an internet connection when starting in safe mode with networking. Furthermore, the screen on the computer now does not work and I am able to view what is happening via a projector that I borrowed. The keyboard on the laptop has also stopped working, but I can get the USB keyboard to work?

I ran Defogger as advised

I ran the DDS

I ran the GMER program, but unfortunately the screen resolution has changed and I cannot see the save button, and I am unable to use the copy function either, so I cannot post that report.


So that's it for the info I can share with you at the moment.
Any assistance to help clean my machine would be appreciated.


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Brett at 21:57:52 on 2012-01-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.955.359 [GMT 10:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.telstra.com/
uStart Page = about:blank
uSearch Bar =
uWindow Title = Telstra BigPond Home Internet Explorer
uInternet Settings,ProxyOverride = 192.168.*.*;<local>
uURLSearchHooks: KeywordSpySEO Helper: {5f9575c2-1ab4-4883-8505-5c6d0dfdf2d5} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\users\brett\appdata\local\7fa90e1a\X
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeywordSpySEO Helper: {5f9575c2-1ab4-4883-8505-5c6d0dfdf2d5} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: KeywordSpy™ SEO/PPC: {0ae831b0-427e-4d0a-bc88-4ba47e7471c3} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\qlink.lnk - c:\program files\lexmark applications\qlink\QLINK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{27469EA3-9744-485D-820F-815E082A5E7E} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{74CC9BA8-6B5C-483A-BCFA-15AC6FC0AA1F} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D5BF1C9B-389E-49C0-B5EB-987673878418} : DhcpNameServer = 61.9.211.33 61.9.195.193
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brett\appdata\roaming\mozilla\firefox\profiles\k73fzar5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://www.google.com.au/search?&q=
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\brett\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\brett\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: e:\firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-12 64512]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-12 20384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2152152]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-7-25 7168]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 MpKsl3a8f1588;MpKsl3a8f1588;c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\MpKsl3a8f1588.sys [2012-1-16 29904]
S1 MpKsl4e7206d3;MpKsl4e7206d3;c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\MpKsl4e7206d3.sys [2012-1-16 29904]
S1 MpKsl6f7ec285;MpKsl6f7ec285;c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\MpKsl6f7ec285.sys [2012-1-16 29904]
S1 MpKsl785b9ab6;MpKsl785b9ab6;c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\MpKsl785b9ab6.sys [2012-1-16 29904]
S1 MpKsl98c4f976;MpKsl98c4f976;c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\MpKsl98c4f976.sys [2012-1-16 29904]
S1 MpKslaa4632c7;MpKslaa4632c7;c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\MpKslaa4632c7.sys [2012-1-16 29904]
S1 MpKslef3e3cf8;MpKslef3e3cf8;c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\MpKslef3e3cf8.sys [2012-1-16 29904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 gupdate1c9ac37d83fa21b;Google Update Service (gupdate1c9ac37d83fa21b);c:\program files\google\update\GoogleUpdate.exe [2009-3-24 133104]
S2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-1-28 226624]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2011-5-11 6016]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-12 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-24 133104]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2012-1-15 23624]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-12 954368]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-8-28 7168]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2011-5-11 20352]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2011-5-11 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2011-5-11 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2011-5-11 9472]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-8-28 110080]
.
=============== Created Last 30 ================
.
2012-01-16 11:05:57 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\offreg.dll
2012-01-15 10:19:41 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2012-01-15 10:19:33 -------- d-----w- c:\program files\Hitman Pro 3.5
2012-01-15 10:18:37 -------- d-----w- c:\programdata\Hitman Pro
2012-01-15 05:37:41 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5a049d35-da06-4b4d-b253-96245369a428}\mpengine.dll
2012-01-15 04:44:47 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-15 04:42:50 -------- d-sh--w- c:\users\brett\appdata\local\7fa90e1a
2012-01-15 00:43:29 -------- d-----w- c:\program files\Magic MP3 Tagger
2012-01-15 00:11:00 -------- d-----w- c:\users\brett\appdata\local\{01E73F90-3D7B-4840-AA04-450DCC76B9A2}
2012-01-15 00:10:49 -------- d-----w- c:\users\brett\appdata\local\{B26235CC-6308-4D76-ACA1-F95ECD79C84A}
2012-01-14 06:27:05 -------- d-----w- c:\users\brett\appdata\roaming\MusicBrainz
2012-01-14 06:26:41 -------- d-----w- c:\program files\MusicBrainz Picard
2012-01-13 22:20:42 -------- d-----w- c:\users\brett\appdata\local\{E85E4C66-6AB2-47AC-80F4-BFBA41EEB634}
2012-01-13 22:20:24 -------- d-----w- c:\users\brett\appdata\local\{EB6169D8-C68C-4BF7-911E-E090F8E3576D}
2012-01-10 21:37:50 -------- d-----w- c:\users\brett\appdata\local\{8A98CA87-4E50-468F-B97A-512ACC1C1B76}
2012-01-10 21:37:36 -------- d-----w- c:\users\brett\appdata\local\{473C94D3-3F40-4767-8BBA-69B9FFD3C30B}
2012-01-08 07:48:59 -------- d-----w- c:\users\brett\appdata\local\{35A5D52B-C365-4295-9E7C-C7E214D6EEF3}
2012-01-08 07:48:45 -------- d-----w- c:\users\brett\appdata\local\{2BE11296-E97D-4776-BE42-2B41DAB135C5}
2012-01-08 04:29:40 -------- d-----w- c:\users\brett\appdata\local\{04A4AF29-BF19-415F-B184-453F120D0E85}
2012-01-08 04:27:56 -------- d-----w- c:\users\brett\appdata\local\{2CDACD93-DC1F-41BE-85D2-1056A5DC882F}
2012-01-05 22:48:24 -------- d-----w- c:\users\brett\wouxun freq file
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-01-03 08:45:45 -------- d-----w- c:\users\brett\pally jarrod
2012-01-02 06:47:41 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
2012-01-02 06:47:40 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2012-01-02 06:47:38 -------- d-----w- c:\program files\MyDefrag v4.3.1
2012-01-01 23:17:37 -------- d-----w- c:\users\brett\appdata\local\{AB0FE5F2-A44C-4A1D-97A2-706F888C9CAE}
2012-01-01 23:17:23 -------- d-----w- c:\users\brett\appdata\local\{73ACA50A-E728-4CB9-BAC0-C4AEEC8EEB18}
2011-12-31 10:35:01 -------- d-----w- c:\users\brett\appdata\local\{AF71A716-F35A-4430-8105-9FAD3E7D6AE2}
2011-12-30 09:45:38 -------- d-----w- c:\users\brett\appdata\local\{386F2E18-93AD-4A1F-83C3-13FAE167E8B6}
2011-12-30 09:45:25 -------- d-----w- c:\users\brett\appdata\local\{7BE34767-37A1-4DB7-9A31-243F418B2033}
2011-12-29 09:48:27 -------- d-----w- c:\users\brett\appdata\local\{16789A97-2629-48AA-9477-AF7733ABA8C4}
2011-12-29 09:48:16 -------- d-----w- c:\users\brett\appdata\local\{EC00D0A4-CF9B-4249-B4C2-236E9BAE48B6}
2011-12-26 21:10:13 -------- d-----w- c:\users\brett\appdata\local\{9DF17A0A-A0F9-4755-A5FB-38F73A8E4602}
2011-12-25 11:22:20 -------- d-----w- c:\users\brett\appdata\local\{1811B192-1638-4123-9FC8-BFDBD41EACAD}
2011-12-24 21:05:07 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-24 21:05:05 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-24 21:04:58 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-24 21:04:45 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-24 21:04:38 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-24 21:04:33 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-12-24 21:02:06 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-24 20:56:11 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-24 20:56:11 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-24 20:56:11 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-24 20:56:11 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-24 20:56:10 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-24 20:56:10 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-24 20:56:10 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-12-24 12:41:00 -------- d-----w- c:\users\brett\appdata\local\{AF26080C-0339-441D-B24F-44ACA21C572A}
2011-12-23 22:43:59 -------- d-----w- c:\users\brett\appdata\local\{72E2AB85-C1BA-4675-8A37-41D750390CC4}
2011-12-23 22:43:46 -------- d-----w- c:\users\brett\appdata\local\{E9D1422B-73E0-46D7-B99C-AA5BBE0F85A5}
2011-12-23 10:43:23 -------- d-----w- c:\users\brett\appdata\local\{558CA0E1-1631-48EC-BBBD-9753E57B9467}
2011-12-23 10:42:38 -------- d-----w- c:\users\brett\appdata\local\{C5885C00-B3A4-4E20-A351-7C66A6458561}
2011-12-22 22:42:16 -------- d-----w- c:\users\brett\appdata\local\{7085888D-E8D9-40DA-993F-79EBFB9FA18F}
2011-12-22 22:42:02 -------- d-----w- c:\users\brett\appdata\local\{F23A4EF6-BFEC-4280-9F4D-75DC516A46B6}
2011-12-22 10:41:28 -------- d-----w- c:\users\brett\appdata\local\{1E6F4DB1-3BEB-4A36-B997-6D03A001C9AE}
2011-12-22 10:40:58 -------- d-----w- c:\users\brett\appdata\local\{8EFD6F98-52E8-49E5-A521-4C66532DB564}
2011-12-21 22:40:40 -------- d-----w- c:\users\brett\appdata\local\{B7348019-D60E-4F7F-B117-9ACD8F196198}
2011-12-21 22:40:22 -------- d-----w- c:\users\brett\appdata\local\{334E6D17-353F-40EE-82BB-672231BAAE73}
2011-12-21 10:39:59 -------- d-----w- c:\users\brett\appdata\local\{2648A91C-C3E6-4F7D-9414-6FA847E3DCF2}
2011-12-21 10:39:47 -------- d-----w- c:\users\brett\appdata\local\{CC1D4FE9-4699-4335-B2EF-D683BC8D085C}
.
==================== Find3M ====================
.
2012-01-15 04:44:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-07 01:27:28 272208 ----a-w- c:\windows\system32\WPPFilt.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-24 04:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 04:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 21:59:27.94 ===============
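
A practitioner reading the DDS log above would pull out a handful of lines before anything else: the `uWinlogon: Shell=` value pointing into `c:\users\brett\appdata\local\7fa90e1a\` (a directory the "Created Last 30" section shows appearing on 2012-01-15 with the system and hidden attributes set) instead of `explorer.exe`, the `AppInit_DLLs` entry, the `uURLSearchHooks` entry, and a Firefox `browser.search.defaulturl` pointing at `flvdirect.iamwired.net` rather than a search engine. The Python script below is an added example; it is not part of this thread and not one of the tools the helper uses. It applies exactly those triage rules to lines in the DDS Pseudo-HJT format. The sample lines are constructed to mirror the log entries above, and the stock values it compares against (`explorer.exe`, `c:\windows\system32\userinit.exe`), the 8-hex-digit directory pattern and its list of familiar search hosts are the script's own assumptions, not something DDS provides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    line: str       # the log line that triggered the rule
    reason: str


# Stock values for these Winlogon entries on a clean Vista/7 install
# (assumption of this added script; DDS prints the values lower-cased).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# DDS writes "hxxp" for "http" so that URLs in the log are not clickable.
KNOWN_SEARCH_HOST = re.compile(r"^hxxps?://(www\.)?(google|bing|yahoo)\.", re.IGNORECASE)

# An 8-hex-digit directory name directly under %LOCALAPPDATA%, like the
# "7fa90e1a" entry in the log above, is a naming pattern worth a second look.
HEX_DIR = re.compile(r"\\appdata\\local\\[0-9a-f]{8}\\", re.IGNORECASE)

# Constructed sample in the DDS "Pseudo HJT Report" format, mirroring the
# entries from the log above; one clean entry of each type is included.
SAMPLE_LOG = r"""
uStart Page = about:blank
uWinlogon: Shell=c:\users\brett\appdata\local\7fa90e1a\X
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uURLSearchHooks: KeywordSpySEO Helper: {5f9575c2-1ab4-4883-8505-5c6d0dfdf2d5} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
"""


def _winlogon(line: str) -> tuple:
    """Split 'uWinlogon: Shell=value' into ('shell', 'value'), normalised."""
    key, _, value = line.split(":", 1)[1].strip().partition("=")
    return key.strip().lower(), value.strip().lower().rstrip(",")


def triage_hjt(text: str) -> List[Finding]:
    """Apply the triage rules to every non-empty line and collect findings."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith(("uwinlogon:", "mwinlogon:")):
            key, value = _winlogon(line)
            if key == "shell" and value != EXPECTED_SHELL:
                findings.append(Finding("high", line, "Winlogon Shell does not point at explorer.exe"))
            elif key == "userinit" and value != EXPECTED_USERINIT:
                findings.append(Finding("high", line, "Winlogon Userinit is not the stock userinit.exe"))
        elif low.startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(Finding("medium", line, "AppInit_DLLs loads a DLL into every user32-linked process; verify the DLL"))
        elif low.startswith("uurlsearchhooks:"):
            findings.append(Finding("medium", line, "URL search hook installed; these can redirect address-bar searches"))
        elif low.startswith("ff - prefs.js: browser.search.defaulturl"):
            url = line.split(" - ")[-1].strip()
            if not KNOWN_SEARCH_HOST.match(url):
                findings.append(Finding("high", line, "Firefox default search URL points at an unexpected host"))
        elif low.endswith("- no file"):
            findings.append(Finding("info", line, "orphaned entry (No File); harmless, can be cleaned"))
        # Path-shape rule, applied independently of the entry type.
        if HEX_DIR.search(low):
            findings.append(Finding("medium", line, "path inside an 8-hex-digit directory under %LOCALAPPDATA%"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per severity, e.g. {'high': 2, 'medium': 3, 'info': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print("[%-6s] %s\n         %s" % (f.severity, f.reason, f.line))
    print(severity_counts(results))
```

The rules are deliberately simple and produce leads, not verdicts: a non-default `Shell` value is close to conclusive, whereas an `AppInit_DLLs` entry only says a DLL is injected everywhere and still has to be checked (the one in the log above sits under a Google program directory), and a `No File` entry is merely an orphan. Real triage would follow each high-severity lead into the file system and registry, as the helper in this thread goes on to do with the tools he requests.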


#2 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 21 January 2012 - 11:48 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free Antivirus for scanning - select No
  • Click the "Scan" button to start the scan
  • On completion of the scan click Save log, save it to your desktop and post it in your next reply.
Please include the following in your next post:
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Barraman

  • Topic Starter
  • Members
  • 43 posts

Posted 21 January 2012 - 06:35 PM

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-22 09:21:36
-----------------------------
09:21:36.063 OS Version: Windows 6.0.6002 Service Pack 2
09:21:36.063 Number of processors: 2 586 0xF0D
09:21:36.063 ComputerName: BRETT-PC UserName: Brett
09:21:36.531 Initialize success
09:21:41.710 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:21:41.710 Disk 0 Vendor: TOSHIBA_ LV01 Size: 152627MB BusType: 3
09:21:41.742 Disk 0 MBR read successfully
09:21:41.742 Disk 0 MBR scan
09:21:41.757 Disk 0 Windows VISTA default MBR code
09:21:41.757 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
09:21:41.773 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 95234 MB offset 3074048
09:21:41.773 Disk 0 Partition - 00 0F Extended LBA 47125 MB offset 198115328
09:21:41.804 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 8766 MB offset 294627328
09:21:41.851 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 47124 MB offset 198117376
09:21:41.866 Disk 0 scanning sectors +312580096
09:21:41.929 Disk 0 scanning C:\Windows\system32\drivers
09:21:50.556 Service scanning
09:21:51.570 Service .afd \? **LOCKED** 123
09:21:51.570 Service .cdrom \? **LOCKED** 123
09:21:51.585 Service .dfsc \? **LOCKED** 123
09:21:51.601 Service .i8042prt \? **LOCKED** 123
09:21:51.601 Service .MpFilter \? **LOCKED** 123
09:21:51.616 Service .netbt \? **LOCKED** 123
09:21:51.616 Service .smb \? **LOCKED** 123
09:21:51.632 Service .tdx \? **LOCKED** 123
09:21:52.069 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
09:21:53.067 Modules scanning
09:21:58.059 Disk 0 trace - called modules:
09:21:58.090 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
09:21:58.106 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85926540]
09:21:58.106 3 CLASSPNP.SYS[86d148b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84edc028]
09:21:58.122 Scan finished successfully
09:22:16.639 Disk 0 MBR has been saved successfully to "D:\MBR.dat"
09:22:16.748 The log file has been saved successfully to "D:\aswMBR.txt"

#4 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 21 January 2012 - 07:42 PM

Barraman:

Are you able to burn a CD and do you have a USB flash drive? Please do this for me:

Restart your computer, tapping the F8 key while it boots. Tell me if "Repair your computer" is available in the list of advanced boot options.

Once you've done that, reboot normally and run this:

Please download ListParts
  • Run the tool, click Scan and post the log (Result.txt) it makes.
Please include the following in your next post:
  • Listparts log


#5 Barraman

  • Topic Starter
  • Members
  • 43 posts

Posted 21 January 2012 - 08:44 PM

Thank you so much for your rapid response...

The CD burner on the infected machine has been unreliable for some time. The USB ports work. I am downloading the programs you are instructing me to download on another machine, saving them to a USB stick and then plugging the USB stick into the infected computer, running the program and swapping it back to the working machine to post up the message to you.

ListParts by Farbar
Ran by Brett on 22-01-2012 at 11:39:16
Windows Vista (X86)
Running From: D:\
************************************************************

========================= Memory info ======================

Percentage of memory in use: 47%
Total physical RAM: 955.26 MB
Available physical RAM: 504.88 MB
Total Pagefile: 2174.85 MB
Available Pagefile: 1824.69 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.73 MB

======================= Partitions =========================

1 Drive c: (S3A6609D003) (Fixed) (Total:93 GB) (Free:34.07 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: () (Removable) (Total:0.24 GB) (Free:0.04 GB) FAT
3 Drive e: (New Volume) (Fixed) (Total:46.02 GB) (Free:9.65 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 250 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 93 GB 1501 MB
Partition 0 Extended 46 GB 94 GB
Partition 4 Logical 46 GB 94 GB
Partition 3 Primary 9 GB 140 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C S3A6609D003 NTFS Partition 93 GB Healthy System (partition with boot components)

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E New Volume NTFS Partition 46 GB Healthy

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 250 MB 16 KB

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D FAT Removable 250 MB Healthy

#6 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 21 January 2012 - 09:13 PM

Barraman:

Thanks for the info. Do this next, please:

Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log


#7 Barraman

  • Topic Starter
  • Members
  • 43 posts

Posted 21 January 2012 - 09:51 PM

I am infected with Rootkit.ZeroAccess

ComboFix restarted the computer.
Windows started again, and about 20 seconds after the desktop became visible it went blue screen again and dumped to a dump file.
I have elected to go to safe mode and am awaiting instructions.

BTW, ComboFix did not appear to complete its task because of the blue screen shutdown on startup (does that make sense?)

I have only run combofix once.

Edited by Barraman, 21 January 2012 - 09:59 PM.


#8 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 21 January 2012 - 10:09 PM

Barraman:

This will open the log if ComboFix created one:

Click Start > Run or press Windows Key + R, copy/paste the following into the run box that opens and press OK:
c:\ComboFix.txt

If a log opens, stop and post it. If no log is found, please try running ComboFix again, but from the safe mode this time.

Please include the following in your next post:
  • ComboFix log



#9 Barraman


Posted 21 January 2012 - 10:49 PM

OK, going as fast as I can, lol.
No log to be found.

Ran ComboFix from safe mode. It did its thing with several warnings telling me I had caught something and to wait, etc.

It advised the machine needed to restart. It restarted and gave me the option to go to safe mode. I did, but can still not find any report after typing exactly as you listed above.

#10 RPMcMurphy


Posted 21 January 2012 - 11:09 PM

OK, let's try it once more from the safe mode.



#11 Barraman


Posted 21 January 2012 - 11:28 PM

Same result.

ComboFix runs
reboots to normal Windows mode automatically
Blue screen dump

On restart in safe mode I get this Windows report:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 3081

Additional information about the problem:
BCCode: a
BCP1: 00000000
BCP2: 00000002
BCP3: 00000001
BCP4: 8286083C
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini012212-04.dmp
C:\Users\Brett\AppData\Local\Temp\WER-106642-0.sysdata.xml
C:\Users\Brett\AppData\Local\Temp\WERED89.tmp.version.txt

Edited by Barraman, 21 January 2012 - 11:33 PM.


#12 RPMcMurphy


Posted 22 January 2012 - 11:48 AM

Barraman:

OK, we need to do some work from outside of Windows. Please do this - you will need your flash drive:

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.
Please include the following in your next post:
  • Attach the mbr.zip file

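Once mbr.zip is back on the clean computer, the 512-byte dump can be sanity-checked before a human reads it. The Python script below is an added example, not the dumpit tool or anything posted in this thread: it parses the four partition entries, verifies the 0x55AA boot signature and the status bytes, flags overlapping entries, and compares a SHA-256 of the 446-byte bootstrap-code area against a hash taken from a known-good dump, since a rewritten boot loader with an untouched partition table is the pattern an MBR rootkit leaves. The MBR bytes in it are constructed for the example and are not a real disk image.

```python
"""Sanity-check a 512-byte MBR dump (added example; not the dumpit tool)."""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR

# Partition type bytes a practitioner commonly sees; anything else reads as "unknown".
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x27: "Windows recovery (hidden NTFS)",
    0x83: "Linux",
}


def parse_partition_entry(raw):
    """Decode one 16-byte entry: status, CHS start, type, CHS end, LBA start, length."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {
        "status": status,
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(mbr):
    """Split an MBR into bootstrap code, the non-empty partition entries and the signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    bootstrap = mbr[:PART_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        raw = mbr[off:off + PART_ENTRY_SIZE]
        if raw != b"\x00" * PART_ENTRY_SIZE:          # all-zero entry = unused slot
            partitions.append(parse_partition_entry(raw))
    return {
        "signature_ok": mbr[MBR_SIZE - 2:] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr, known_good_bootstrap_sha256=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly 1 active partition, found %d" % len(active))
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d: invalid status byte 0x%02X" % (i, p["status"]))
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("partitions at LBA %d and %d overlap" % (s1, s2))
    # Boot code changed while the partition table stays intact is the classic MBR-rootkit
    # pattern, so compare against a hash taken from a known-good dump of the same machine.
    if known_good_bootstrap_sha256 and info["bootstrap_sha256"] != known_good_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good copy")
    return findings


# ---- constructed sample data (not a real disk image) ----
def make_entry(status, ptype, lba_start, sectors):
    # CHS fields set to FE FF FF, the "use LBA instead" marker modern tools write
    return struct.pack("<B3sB3sII", status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba_start, sectors)


SAMPLE_BOOTSTRAP = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 439   # 446 bytes, a few opcodes then padding
SAMPLE_MBR = (SAMPLE_BOOTSTRAP
              + make_entry(0x80, 0x27, 2048, 204800)          # active recovery partition
              + make_entry(0x00, 0x07, 206848, 100_000_000)   # Windows system volume
              + b"\x00" * (2 * PART_ENTRY_SIZE)               # two unused slots
              + BOOT_SIGNATURE)
KNOWN_GOOD_BOOTSTRAP_SHA256 = parse_mbr(SAMPLE_MBR)["bootstrap_sha256"]
# Same partition table, one byte of boot code changed: what an infection looks like to check_mbr.
TAMPERED_MBR = SAMPLE_MBR[:0x100] + b"\x90" + SAMPLE_MBR[0x101:]

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(blob, KNOWN_GOOD_BOOTSTRAP_SHA256) or "no findings")
```

To use it on a real dump, read the first 512 bytes of the extracted file with `open(path, "rb").read(512)` and pass them to `check_mbr`; the known-good hash has to come from a dump of the same machine taken when it was clean (or from the matching Windows install media), because the bootstrap code differs between Windows versions and vendors.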


#13 Barraman


Posted 22 January 2012 - 04:22 PM

Instructions followed to the letter.

Cannot find sdb1 in the expanded mnt file.
I clicked on sda1.

Sources
System volume information
Boot SD1
DFR1cd4
Winrepartition.ini

are the files within the SDA1 file.



Awaiting further instruction.

#14 RPMcMurphy


Posted 22 January 2012 - 04:25 PM

Do you see anything in there that looks like the USB drive?



#15 Barraman


Posted 22 January 2012 - 04:40 PM

No, I didn't. I have the wireless keyboard thing plugged into a USB port. Might remove that and see what happens.



